consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
6b1864fbcd4e588373d928596f6fc1ffff7ec00d
grecia/app/views/budgets/show.html.erb
Javi Martín 928312e218 Use sanitize in translations with links 
Sometimes we're interpolating a link inside a translation, and marking
the whole translations as HTML safe.

However, some translations added by admins to the database or through
crowdin are not entirely under our control.

Although AFAIK crowdin checks for potential cross-site scripting
attacks, it's a good practice to sanitize parts of a string potentially
out of our control before marking the string as HTML safe.
2019-10-08 18:46:21 +02:00

105 lines
3.5 KiB
Plaintext
Raw Blame History

<% content_for :canonical do %>
<%= render "shared/canonical", href: budget_url(@budget, filter: @current_filter) %>
<% end %>
<div class="expanded budget no-margin-top">
<div class="row" data-equalizer data-equalizer-on="medium">
<div class="small-12 medium-9 column padding" data-equalizer-watch>
<%= back_link_to budgets_path %>
<h1><%= @budget.name %></h1>
<%= auto_link_already_sanitized_html(@budget.description) %>
</div>
<div class="small-12 medium-3 column info padding" data-equalizer-watch>
<p>
<strong><%= t("budgets.show.phase") %></strong>
</p>
<h2><%= t("budgets.phase.#{@budget.phase}") %></h2>
<% if @budget.accepting? %>
<% if current_user %>
<% if current_user.level_two_or_three_verified? %>
<%= link_to t("budgets.investments.index.sidebar.create"), new_budget_investment_path(@budget), class: "button margin-top expanded" %>
<% else %>
<div class="callout warning margin-top">
<%= sanitize(t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account)) %>
</div>
<% end %>
<% else %>
<div class="callout primary margin-top">
<%= sanitize(t("budgets.investments.index.sidebar.not_logged_in",
sign_in: link_to_signin, sign_up: link_to_signup)) %>
</div>
<% end %>
<% end %>
<% if can?(:read_results, @budget) %>
<%= link_to t("budgets.show.see_results"),
budget_results_path(@budget),
class: "button margin-top expanded" %>
<% end %>
</div>
</div>
</div>
<div class="row margin">
<div class="small-12 medium-9 column">
<% if @current_filter == "unfeasible" %>
<h3 class="margin-bottom"><%= t("budgets.show.unfeasible_title") %></h3>
<% elsif @current_filter == "unselected" %>
<h3 class="margin-bottom"><%= t("budgets.show.unselected_title") %></h3>
<% end %>
<table class="table-fixed">
<thead>
<th><%= t("budgets.show.group") %></th>
</thead>
<tbody>
<% @budget.groups.each do |group| %>
<tr>
<td>
<% if group.single_heading_group? %>
<%= link_to group.name,
budget_investments_path(@budget,
heading_id: group.headings.first.id,
filter: @current_filter),
data: { no_turbolink: true } %>
<% else %>
<%= link_to group.name,
budget_group_path(@budget, group,
filter: @current_filter) %>
<% end %>
<br>
</td>
</tr>
<% end %>
</tbody>
</table>
</div>
</div>
<% if @budget.balloting_or_later? %>
<% unless @current_filter == "unfeasible" %>
<div class="row">
<div class="small-12 column">
<small>
<%= link_to t("budgets.show.unfeasible"),
budget_path(@budget, filter: "unfeasible") %>
</small>
</div>
</div>
<% end %>
<% unless @current_filter == "unselected" %>
<div class="row">
<div class="small-12 column">
<small>
<%= link_to t("budgets.show.unselected"),
budget_path(@budget, filter: "unselected") %>
</small>
</div>
</div>
<% end %>
<% end %>
Reference in New Issue View Git Blame Copy Permalink