Sanitize the blog contents

app/views/general/blog.html.erb

@@ -10,9 +10,9 @@
           <p class="subtitle"><%= _("Posted on {{date}} by {{author}}", :date=>simple_date(Time.parse(item['pubDate'][0])), :author=> item['creator'] ? item['creator'][0] : item['author'][0]) %></p>
           <div>
             <% if item['encoded'] %>
-              <%= raw item['encoded'][0] %>
+              <%= sanitize(raw item['encoded'][0]) %>
             <% elsif item['description'] %>
-              <%= raw item['description'][0] %>
+              <%= sanitize(raw item['description'][0]) %>
             <% end %>
           </div>
           <p><em>

spec/controllers/general_controller_spec.rb

@@ -53,6 +53,18 @@
         end
     end
 
+    context 'when the blog has entries' do
+
+        render_views
+
+        it 'should escape any javascript from the entries' do
+            controller.stub!(:quietly_try_to_open).and_return(load_file_fixture("blog_feed.atom"))
+            get :blog
+            response.body.should_not include('<script>alert("exciting!")</script>')
+        end
+
+    end
+
 end
 
 describe GeneralController, "when showing the frontpage" do

spec/fixtures/files/blog_feed.atom

@@ -29,7 +29,7 @@
         <guid isPermaLink="false">http://www.example.com/?id=333</guid>
         <description><![CDATA[An example post [...]]]></description>
             <content:encoded><![CDATA[<h3>A blog post</h3>
-<p>Example post</p>
+<p>Example post</p><script>alert("exciting!")</script>
 ]]></content:encoded>
             <wfw:commentRss>http://www.example.com/feed/</wfw:commentRss>
         <slash:comments>2</slash:comments>