Sanitizing descriptions before saving a record has a few drawbacks:
1. It makes the application rely on data being safe in the database. If
somehow dangerous data enters the database, the application will be
vulnerable to XSS attacks
2. It makes the code complicated
3. It isn't backwards compatible; if we decide to disallow a certain
HTML tag in the future, we'd need to sanitize existing data.
On the other hand, sanitizing the data in the view means we don't need
to triple-check dangerous HTML has already been stripped when we see the
method `auto_link_already_sanitized_html`, since now every time we use
it we sanitize the text in the same line we call this method.
We could also sanitize the data twice, both when saving to the database
and when displaying values in the view. However, doing so wouldn't make
the application safer, since we sanitize text introduced through
textarea fields but we don't sanitize text introduced through input
fields.
Finally, we could also overwrite the `description` method so it
sanitizes the text. But we're already introducing Globalize which
overwrites that method, and overwriting it again is a bit too confusing
in my humble opinion. It can also lead to hard-to-debug behaviour.
Sometimes we're interpolating a link inside a translation, and marking
the whole translations as HTML safe.
However, some translations added by admins to the database or through
crowdin are not entirely under our control.
Although AFAIK crowdin checks for potential cross-site scripting
attacks, it's a good practice to sanitize parts of a string potentially
out of our control before marking the string as HTML safe.
The name `safe_html_with_links` was confusing and could make you think
it takes care of making the HTML safe. So I've renamed it in a way that
makes it a bit more intuitive that it expects its input to be already
sanitized.
I've changed `text_with_links` as well so now the two method names
complement each other.
Banners were not been shown in certain pages; now
they are.
Spec to check if the banner is been shown correctly
added. Before it was in admins specs, now it has it's
own spec out of admins folder.
When there are no budgets we were seeing an exception in the budgets’
index
There are two parts to take into account here:
1) Making sure there is a current_budget present, otherwise we display
the “no budgets” message
2) The map helper is called from the controller, so we need to make
sure current_budget is present there too
Note: We could have added a bunch of `try` statements in the budgets’s
index, instead of using a conditional, however there are quite a few
`current_budget` calls so it seems more appropriate to use a conditional
Clear instance variable names help understand what's going around when
you're deep 2 or 3 partials. In this case @budget is only used to carry
around the current_budget so @current_budget is more descriptive.
Using `current_budget` directly around would be an alternative, but
maybe not as maintainable in case we want to change which budget is
being shown (for example the drafting one if you're admin).
We only need finished budget's at budget's index "Finished budgets"
section. So we add the `finished` scope to @budgets variable, and rename
it so its clear what it contains.
Also avoid showing the "Finished budgets" section if there is none
During a Participatory Budget, some users are getting confused and
creating a proposal instead of a budget investment. This intermediate
page should help them create investments
Adding a feature flag just in case other forks don’t need this feature
and setting seeds and dev_seeds for appropriate initial setup
