From d36589e05b2fd53855d9d1420f599edc4095a98e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?= <me@mrzyx.de>
Date: Sat, 24 May 2014 15:27:13 +0200
Subject: [PATCH] Remove hack from exporter

I couldn't reproduce what the comment states anymore, so I just removed
it. This fixes a minor issue where html wouldn't be escaped in the
export.

Thanks to A Kai (@sixhundredns) for reporting.
---
 lib/diaspora/exporter.rb           |  5 +----
 spec/lib/diaspora/exporter_spec.rb | 31 ++++++++++++++++++++++++------
 2 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/lib/diaspora/exporter.rb b/lib/diaspora/exporter.rb
index 46d3fa3f8..80f0814f1 100644
--- a/lib/diaspora/exporter.rb
+++ b/lib/diaspora/exporter.rb
@@ -83,10 +83,7 @@ module Diaspora
           }
         end
 
-        # This is a hack.  Nokogiri interprets *.to_xml as a string.
-        # we want to inject document objects, instead.  See lines: 25,35,40.
-        # Solutions?
-        CGI.unescapeHTML(builder.to_xml.to_s)
+        builder.to_xml.to_s
       end
     end
   end
diff --git a/spec/lib/diaspora/exporter_spec.rb b/spec/lib/diaspora/exporter_spec.rb
index f953d80c9..ed74a43d3 100644
--- a/spec/lib/diaspora/exporter_spec.rb
+++ b/spec/lib/diaspora/exporter_spec.rb
@@ -12,33 +12,50 @@ describe Diaspora::Exporter do
     @user2 =  FactoryGirl.create(:user)
     @user3 =  bob
 
+    @user1.person.profile.first_name = "<script>"
+    @user1.person.profile.gender = "<script>"
+    @user1.person.profile.bio = "<script>"
+    @user1.person.profile.location = "<script>"
+    @user1.person.profile.save
+
     @aspect  =  @user1.aspects.first
     @aspect1 =  @user1.aspects.create(:name => "Work")
     @aspect2 =  @user2.aspects.create(:name => "Family")
     @aspect3 =  @user3.aspects.first
+    @aspect.name = "<script>"
+    @aspect.save
 
     @status_message1 =  @user1.post(:status_message, :text => "One", :public => true, :to => @aspect1.id)
     @status_message2 =  @user1.post(:status_message, :text => "Two", :public => true, :to => @aspect1.id)
     @status_message3 =  @user2.post(:status_message, :text => "Three", :public => false, :to => @aspect2.id)
+    @status_message4 =  @user1.post(:status_message, :text => "<script>", :public => true, :to => @aspect2.id)
   end
 
   def exported
     Nokogiri::XML(Diaspora::Exporter.new(Diaspora::Exporters::XML).execute(@user1))
   end
 
+  it 'escapes xml relevant characters' do
+    expect(exported.to_s).to_not include "<script>"
+  end
+
   context '<user/>' do
-    before do
-      @user_xml = exported.xpath('//user').to_s
-    end
+    let(:user_xml) { exported.xpath('//user').to_s }
+
     it 'includes a users private key' do
-      @user_xml.to_s.should include @user1.serialized_private_key
+      expect(user_xml).to include @user1.serialized_private_key
+    end
+
+    it 'includes the profile as xml' do
+      puts exported.to_s
+      expect(user_xml).to include "<profile>"
     end
   end
 
   context '<aspects/>' do
+    let(:aspects_xml) { exported.xpath('//aspects').to_s }
 
     it 'includes the post_ids' do
-      aspects_xml = exported.xpath('//aspects').to_s
       aspects_xml.should include @status_message1.id.to_s
       aspects_xml.should include @status_message2.id.to_s
     end
@@ -47,6 +64,8 @@ describe Diaspora::Exporter do
   context '<contacts/>' do
 
     before do
+      @aspect.name = "Safe"
+      @aspect.save
       @user1.add_contact_to_aspect(@user1.contact_for(@user3.person), @aspect1)
       @user1.reload
     end
@@ -101,7 +120,7 @@ describe Diaspora::Exporter do
       created_at_text = doc.xpath('//posts/status_message').detect do |status|
         status.to_s.include?(@status_message1.guid)
       end.xpath('created_at').text
-      
+
       Time.zone.parse(created_at_text).to_i.should == @status_message1.created_at.to_i
     end
   end