From a10f30077b9c6e4923a96c2f780bf8330d1b370f Mon Sep 17 00:00:00 2001
From: r888888888
Date: Wed, 15 Jul 2015 13:30:42 -0700
Subject: [PATCH] fixes #2433: Automatic commentary copier doesn't account for html

---
 app/controllers/uploads_controller.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 6b4c2ef00..c0eca7f2b 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -74,11 +74,15 @@ class UploadsController < ApplicationController
   protected
   def extract_artist_commentary(upload, data)
     if data[:artist_commentary_desc]
-      upload.artist_commentary_title = data[:artist_commentary_title]
-      upload.artist_commentary_desc = data[:artist_commentary_desc]
+      upload.artist_commentary_title = strip_tags(data[:artist_commentary_title])
+      upload.artist_commentary_desc = strip_tags(data[:artist_commentary_desc])
     end
   end
 
+  def strip_tags(s)
+    HTML::FullSanitizer.new.sanitize(s)
+  end
+
   def find_post_by_url(normalized_url)
     if normalized_url.nil?
       Post.where(source: params[:url]).first
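Review bot: The new `strip_tags` method instantiates `HTML::FullSanitizer` directly, which ties the controller to the legacy html-scanner sanitizer; if this app is on Rails 4.2 or later that constant only exists through the deprecated compatibility gem, and `ActionView::Base.full_sanitizer.sanitize(s)` would use whichever sanitizer the framework provides without allocating a sanitizer per call. A full sanitizer also drops `<br>` and `<p>` boundaries together with the tags, so multi-paragraph scraped commentary will likely be flattened into one run of text — worth checking against a sample if the description field is rendered with its line breaks. The method is undocumented; a one-line comment such as `# Scraped commentary may contain HTML; keep only its text before saving.` would state why it exists. Naming it `strip_tags` mirrors the ActionView helper of the same name and may mislead a reader into thinking the view helper is being called from the controller.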