From 83860784c1d184dd6afa680aeff2e06d65f50b8d Mon Sep 17 00:00:00 2001
From: Patrick J Cherry <patrick@bytemark.co.uk>
Date: Fri, 20 Apr 2012 14:25:47 +0100
Subject: Further tinkering involving when to Sanitize html -- now only done if
 the attribute has been changed.

---
 lib/mauve/alert.rb | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

(limited to 'lib')

diff --git a/lib/mauve/alert.rb b/lib/mauve/alert.rb
index 28079a2..f249913 100644
--- a/lib/mauve/alert.rb
+++ b/lib/mauve/alert.rb
@@ -297,6 +297,7 @@ module Mauve
 
       attributes.each do |key, val|
         next if html_permitted_in.include?(key)
+        next unless attribute_dirty?(key)
         next unless val.is_a?(String)
 
         attribute_set(key, Alert.remove_html(val))
@@ -304,6 +305,7 @@ module Mauve
 
       attributes.each do |key, val|
         next unless html_permitted_in.include?(key)
+        next unless attribute_dirty?(key)
         next unless val.is_a?(String)
 
         attribute_set(key, Alert.clean_html(val))
@@ -607,29 +609,31 @@ module Mauve
     end
  
     class << self
-    
-      # Removes HTML from a string
+
+      # Removes or cleans HTML from a string
       #
-      # @param [String] txt String to clean
+      #
+      # @param  [String] str   String to clean
+      # @param  [Hash]   conf  Sanitize::Config thingy
       # @return [String]
-      def remove_html(txt)
-        Sanitize.clean(
-          txt.to_s,
-          Sanitize::Config::DEFAULT
-        )
+      def remove_html(str, conf = Sanitize::Config::DEFAULT)
+        raise ArgumentError, "Expected a string, got a #{str.class}" unless str.is_a?(String)
+
+        if str =~ /<[^0-9 <&.-]/
+          Sanitize.clean( str, conf )
+        else
+          str
+        end
       end
 
       # Cleans HTML in a string, removing dangerous elements/contents.
       #
-      # @param [String] txt String to clean
+      # @param  [String] str String to clean
       # @return [String]
-      def clean_html(txt)
-        Sanitize.clean(
-          txt.to_s,
-         Sanitize::Config::RELAXED.merge({:remove_contents => true})
-        )
+      def clean_html(str)
+        remove_html(str, Sanitize::Config::RELAXED.merge({:remove_contents => true}))
       end
-    
+
       # All alerts currently raised
       #
       # @return [Array]
@@ -725,7 +729,7 @@ module Mauve
         # Make sure there is no HTML in the update source.  Need to do this
         # here because we use the html-free version in the database save hook. 
         #
-        update.source = Alert.remove_html(update.source)
+        update.source = Alert.remove_html(update.source.to_s)
 
         # Update each alert supplied
         #
@@ -749,7 +753,7 @@ module Mauve
           # because of the database save hook will clear it out, causing this
           # search to fail.
           #
-          alert.id = Alert.remove_html(alert.id)
+          alert.id = Alert.remove_html(alert.id.to_s)
  
           alert_db = first(:alert_id => alert.id, :source => update.source) ||
             new(:alert_id => alert.id, :source => update.source)
-- 
cgit v1.2.1