From 2f724aa23e58baf1b53e95093c942393f4dcaf99 Mon Sep 17 00:00:00 2001
From: yanxd <sxty32@hotmail.com>
Date: Tue, 17 Jun 2014 11:41:00 +0800
Subject: [PATCH 1/2] =?UTF-8?q?xss=20=E8=BF=87=E6=BB=A4memo=20content?=
 =?UTF-8?q?=E4=B8=AD=E7=9A=84=E6=A0=87=E7=AD=BE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/views/memos/show.html.erb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/views/memos/show.html.erb b/app/views/memos/show.html.erb
index 5ffcedacc..1252483d2 100644
--- a/app/views/memos/show.html.erb
+++ b/app/views/memos/show.html.erb
@@ -48,13 +48,14 @@
 
 		<div class="memo-title <%= @memo.sticky ? 'sticky' : '' %> <%= @memo.locked? ? 'locked' : '' %>"><%= label_tag l(:field_subject) %>: <%=h @memo.subject %></div>
 		<div class="memo-content">
-			<%= raw @memo.content %>
+		<%=h sanitize(@memo.content.html_safe) %>
 			<p>							
 				<% if @memo.attachments.any?%>
 				<% options = {:author => true, :deletable => @memo.deleted_attach_able_by?(User.current) } %>
 				<%= render :partial => 'attachments/links', :locals => {:attachments => @memo.attachments, :options => options} %>
 				<% end %>
 			</p>
+			<div class="clearfix"></div>
 		</div>
 		<div class="memo-timestamp"> <%= authoring @memo.created_at, @memo.author.name %></div>
 

From b76f1c2b12ae33af963516faa07abcc7332d205b Mon Sep 17 00:00:00 2001
From: yanxd <sxty32@hotmail.com>
Date: Tue, 17 Jun 2014 15:16:17 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E7=AE=A1=E7=90=86=E5=91=98=E7=94=A8?=
 =?UTF-8?q?=E6=88=B7=E7=B2=89=E4=B8=9D=E5=88=97=E8=A1=A8=E5=87=BA=E9=94=99?=
 =?UTF-8?q?=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/views/users/user_fanslist.html.erb | 103 +++++++++++++------------
 1 file changed, 55 insertions(+), 48 deletions(-)

diff --git a/app/views/users/user_fanslist.html.erb b/app/views/users/user_fanslist.html.erb
index 3247c67ab..fb1a6d0dc 100644
--- a/app/views/users/user_fanslist.html.erb
+++ b/app/views/users/user_fanslist.html.erb
@@ -1,51 +1,58 @@
 <!--add by huang-->
-<h3><%= l(:label_x_user_fans, :count => User.current.watcher_users(User.current.id).count)%></h3>
+<h3><%= l(:label_x_user_fans, :count => User.current.watcher_users(User.current.id).count) %></h3>
 <div class="inf_user_image">
-	<% for user in @user.watcher_users %>
-	<ul class="list_watch"><li>
-<table width="660px" border="0" align="center">
-  <tr>
-    <td colspan="2" valign="top" width="50" ><%= link_to image_tag(url_to_avatar(user), :class => "avatar"), 
-                                                                                        user_path(user), 
-                                                                                        :title => "#{user.name}" %></td>   
-     <td><table width="580px" border="0">
-      <tr>  <!-- modified by bai -->
-        <td colspan="2" valign="top"><strong><%= content_tag "div", link_to(user.name,user_path(user)), :class => "project_avatar_name" %>
-        </td>
-        </tr>
-      
-      	<tr>
-      	<!-- added by bai 区分了个人列表里的项目与课程 -->
-         <td colspan="2" width="580px" ><p class="font_description">
-			<% unless user.memberships.empty? %>
-			<% cond = Project.visible_condition(User.current) + "AND projects.project_type <> 1" %>
-			<% memberships = user.memberships.all(:conditions => cond) %>
-			<%= l(:label_x_contribute_to, :count => memberships.count) %>
-			<% for member in memberships %>
-			<%= link_to_project(member.project) %><%= (user.memberships.last == member) ? '' : '，' %>
-			<% end %>
-			<% end %>
-		 </p>
-		 <p class="font_description">
-			<% unless user.memberships.empty? %>
-			<% cond = Project.visible_condition(User.current) + "AND projects.project_type = 1" %>
-			<% memberships = user.memberships.all(:conditions => cond) %>
-			<%= l(:label_x_course_contribute_to, :count => memberships.count) %>
-			<% for member in memberships %>
-			<%= link_to_project(member.project) %><%= (user.memberships.last == member) ? '' : '，' %>
-			<% end %>
-			<% end %>
-		  </p>
-		 </td>
-        </tr>
-       <!-- end -->
-       
-      <tr>        
-        <td width="200" align="right" class="font_lighter"><%= l(:label_user_joinin) %><%= format_date(user.created_on) %>
-        </td>
-      </tr>
-    </table></td>
-  </tr>
-</table></li></ul>
-<% end %>
+  <% for user in @user.watcher_users %>
+      <ul class="list_watch">
+        <li>
+          <table width="660px" border="0" align="center">
+            <tr>
+              <td colspan="2" valign="top" width="50"><%= link_to image_tag(url_to_avatar(user), :class => "avatar"),
+                                                                  user_path(user),
+                                                                  :title => "#{user.name}" %></td>
+              <td>
+                <table width="580px" border="0">
+                  <tr>  <!-- modified by bai -->
+                    <td colspan="2" valign="top">
+                      <strong><%= content_tag "div", link_to(user.name, user_path(user)), :class => "project_avatar_name" %></strong>
+                    </td>
+                  </tr>
+
+                  <tr>
+                    <!-- added by bai 区分了个人列表里的项目与课程 -->
+                    <td colspan="2" width="580px"><p class="font_description">
+                      <% unless user.memberships.empty? %>
+                          <% cond = Project.visible_condition(User.current) + " AND projects.project_type <> 1" %>
+                          <% memberships = user.memberships.all(:conditions => cond) %>
+                          <%= l(:label_x_contribute_to, :count => memberships.count) %>
+                          <% for member in memberships %>
+                              <%= link_to_project(member.project) %><%= (user.memberships.last == member) ? '' : '，' %>
+                          <% end %>
+                      <% end %>
+                    </p>
+
+                      <p class="font_description">
+                        <% unless user.memberships.empty? %>
+                            <% cond = Project.visible_condition(User.current) + " AND projects.project_type = 1" %>
+                            <% memberships = user.memberships.all(:conditions => cond) %>
+                            <%= l(:label_x_course_contribute_to, :count => memberships.count) %>
+                            <% for member in memberships %>
+                                <%= link_to_project(member.project) %><%= (user.memberships.last == member) ? '' : '，' %>
+                            <% end %>
+                        <% end %>
+                      </p>
+                    </td>
+                  </tr>
+                  <!-- end -->
+
+                  <tr>
+                    <td width="200" align="right" class="font_lighter"><%= l(:label_user_joinin) %><%= format_date(user.created_on) %>
+                    </td>
+                  </tr>
+                </table>
+              </td>
+            </tr>
+          </table>
+        </li>
+      </ul>
+  <% end %>
 </div>
\ No newline at end of file