From 81442f0f2a69823386afa9374daed63c1edb3ef0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?=
Date: Thu, 6 Sep 2012 21:12:49 +0200
Subject: [PATCH] Erb::Util.h now escapes ' which it didn't before this is what 3.2.8 actually fixes to prevent XSS iirc We're including the raw message in the atom feed so we should test for it
---
 app/models/status_message.rb | 2 +-
 spec/controllers/users_controller_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/models/status_message.rb b/app/models/status_message.rb
index aad453ac1..da708531d 100644
--- a/app/models/status_message.rb
+++ b/app/models/status_message.rb
@@ -70,7 +70,7 @@ class StatusMessage < Post
   def formatted_message(opts={})
     return self.raw_message unless self.raw_message
-    escaped_message = opts[:plain_text] ? self.raw_message: ERB::Util.h(self.raw_message)
+    escaped_message = opts[:plain_text] ? self.raw_message : ERB::Util.h(self.raw_message)
     mentioned_message = self.format_mentions(escaped_message, opts)
     Diaspora::Taggable.format_tags(mentioned_message, opts.merge(:no_escape => true))
   end
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 9a2d27255..8da6c6de2 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -43,7 +43,7 @@ describe UsersController do
     it 'renders xml if atom is requested' do
       sm = Factory(:status_message, :public => true, :author => @user.person)
       get :public, :username => @user.username, :format => :atom
-      response.body.should include(sm.text)
+      response.body.should include(sm.raw_message)
     end
     it 'renders xml if atom is requested with clickalbe urls' do
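Review bot: The new assertion `response.body.should include(sm.raw_message)` in the users_controller_spec hunk only distinguishes the raw message from the escaped one if the factory-built message contains a character that `ERB::Util.h` rewrites (`'`, `<`, `&`); with a plain-text fixture the old `sm.text` and the new `sm.raw_message` expectations are interchangeable and the example does not exercise the quote escaping the commit message describes. Giving this example an explicit message with a quote and an angle bracket, e.g. `sm = Factory(:status_message, :raw_message => "it's <b>bold</b>", :public => true, :author => @user.person)` (constructed value; adjust if the factory does not accept `:raw_message`), would pin the behaviour — and once it does, the expectation should be on the form the feed is meant to emit, since a well-formed atom body should carry the XML-escaped text rather than the raw `<`. Asserting `include(sm.raw_message)` on such a fixture would then fail for the right reason and force the spec to state which encoding the feed guarantees. The example name on the last context line, `clickalbe urls`, has a typo but is outside this change.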