From 30aae8e7938db2c45e25ae12092432821dbab260 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Wed, 6 Mar 2013 11:36:42 -0500
Subject: [PATCH] Topic was not sanitizing and tags from titles
---
app/models/topic.rb | 2 +-
spec/models/topic_spec.rb | 16 +++++++++++++---
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/app/models/topic.rb b/app/models/topic.rb
index 331496cc7..9c9f85cc6 100644
--- a/app/models/topic.rb
+++ b/app/models/topic.rb
@@ -71,7 +71,7 @@ class Topic < ActiveRecord::Base
before_validation do
if title.present?
- self.title = sanitize(title)
+ self.title = sanitize(title, tags: [], attributes: [])
self.title.strip!
end
end
diff --git a/spec/models/topic_spec.rb b/spec/models/topic_spec.rb
index 38782aca0..1991ff712 100644
--- a/spec/models/topic_spec.rb
+++ b/spec/models/topic_spec.rb
@@ -110,10 +110,20 @@ describe Topic do
end
context 'html in title' do
- let(:topic) { Fabricate(:topic, title: " is my topic title" ) }
+ let(:topic_bold) { Fabricate(:topic, title: "topic with bold text in its title" ) }
+ let(:topic_image) { Fabricate(:topic, title: "topic with image in its title" ) }
+ let(:topic_script) { Fabricate(:topic, title: " is my topic title" ) }
- it "should escape the HTML" do
- topic.title.should == "is my topic title"
+ it "escapes script contents" do
+ topic_script.title.should == "is my topic title"
+ end
+
+ it "escapes bold contents" do
+ topic_bold.title.should == "topic with bold text in its title"
+ end
+
+ it "escapes bold contents" do
+ topic_image.title.should == "topic with image in its title"
end
end
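Review bot: The new `sanitize(title, tags: [], attributes: [])` call strips markup on write but is not an output-encoding step, so the view still has to HTML-escape `title` when rendering; anything that survives stripping (for example an already entity-encoded `&lt;script&gt;` payload, which an allow-list sanitizer has no reason to touch) is only safe if output escaping is in place. The empty allow-lists also mean a legitimate title containing an angle bracket (e.g. `a < b`) may be altered by the tag tokenizer, which is a product decision worth recording next to the call: `# Titles are plain text: strip every tag and attribute (output escaping still applies at render time)`. The `before_validation` block is fully visible in the hunk; the `Topic` class it belongs to is not.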
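Review bot: The third example reuses the description `"escapes bold contents"` while it exercises `topic_image`, so a failure would be reported under the wrong name; rename it, e.g. `it "strips image tags" do`. The verb "escapes" is misleading for all three examples, since the assertions show the tags are removed rather than entity-encoded, so "strips" would match what is actually asserted. As rendered here the fixture strings show no tags at all (the markup appears to have been lost in extraction), so I am reading the intent from the commit title; if the `<b>`, `<img>` and `<script>` literals are present, consider adding one case with an attribute-bearing tag such as `<a href="javascript:...">` and one with upper-case tag names to pin the allow-list behaviour. The enclosing `describe Topic do` block starts before the hunk.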