From 2f724aa23e58baf1b53e95093c942393f4dcaf99 Mon Sep 17 00:00:00 2001
From: yanxd <sxty32@hotmail.com>
Date: Tue, 17 Jun 2014 11:41:00 +0800
Subject: [PATCH] =?UTF-8?q?xss=20=E8=BF=87=E6=BB=A4memo=20content=E4=B8=AD?=
 =?UTF-8?q?=E7=9A=84=E6=A0=87=E7=AD=BE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/views/memos/show.html.erb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/views/memos/show.html.erb b/app/views/memos/show.html.erb
index 5ffcedacc..1252483d2 100644
--- a/app/views/memos/show.html.erb
+++ b/app/views/memos/show.html.erb
@@ -48,13 +48,14 @@
 
 		<div class="memo-title <%= @memo.sticky ? 'sticky' : '' %> <%= @memo.locked? ? 'locked' : '' %>"><%= label_tag l(:field_subject) %>: <%=h @memo.subject %></div>
 		<div class="memo-content">
-			<%= raw @memo.content %>
+		<%=h sanitize(@memo.content.html_safe) %>
 			<p>							
 				<% if @memo.attachments.any?%>
 				<% options = {:author => true, :deletable => @memo.deleted_attach_able_by?(User.current) } %>
 				<%= render :partial => 'attachments/links', :locals => {:attachments => @memo.attachments, :options => options} %>
 				<% end %>
 			</p>
+			<div class="clearfix"></div>
 		</div>
 		<div class="memo-timestamp"> <%= authoring @memo.created_at, @memo.author.name %></div>