consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
b31f853bc6ad15cb479e958a1ea2acbcf53d5012
grecia/app/views/budgets/investments/_sidebar.html.erb
Javi Martín 6b1864fbcd Sanitize translations instead of using _html 
Using the `_html` suffix in an i18n key is the same as using `html_safe`
on it, which means that translation could potentially be used for XSS
attacks.
2019-10-09 19:46:47 +02:00

78 lines
2.7 KiB
Plaintext
Raw Blame History

<div class="clear"></div>
<% if can?(:create, Budget::Investment.new(budget: @budget)) %>
<% if current_user && current_user.level_two_or_three_verified? %>
<%= link_to t("budgets.investments.index.sidebar.create"),
new_budget_investment_path(budget_id: @budget.id), class: "button budget expanded" %>
<% else %>
<div class="callout warning">
<%= sanitize(t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account)) %>
</div>
<% end %>
<% end %>
<% if @heading && can?(:show, @ballot) %>
<p class="callout">
<%= sanitize(t("budgets.investments.index.sidebar.voted_info",
link: link_to(t("budgets.investments.index.sidebar.voted_info_link"),
budget_ballot_path(@budget)))) %>
</p>
<% end %>
<% if @heading && !@heading.content_blocks.where(locale: I18n.locale).empty? %>
<%= render "budgets/investments/content_blocks" %>
<% end %>
<% if @map_location&.available? %>
<%= render "budgets/investments/map" %>
<% end %>
<%= render "shared/tag_cloud", taggable: "budget/investment" %>
<%= render "budgets/investments/categories" %>
<% if @heading && can?(:show, @ballot) %>
<div class="sidebar-divider"></div>
<h2 class="sidebar-title">
<%= t("budgets.investments.index.sidebar.my_ballot") %>
</h2>
<% if @ballot.investments.by_heading(@heading.id).count > 0 %>
<p>
<em>
<%= sanitize(t("budgets.investments.index.sidebar.voted",
count: @ballot.investments.by_heading(@heading.id).count,
amount_spent: @ballot.formatted_amount_spent(@heading))) %>
</em>
</p>
<% elsif @assigned_heading.present? %>
<p>
<%= sanitize(t("budgets.investments.index.sidebar.different_heading_assigned",
heading_link: heading_link(@assigned_heading, @budget)
)) %>
<br>
<small>
<%= sanitize(t("budgets.investments.index.sidebar.change_ballot",
check_ballot: link_to(t("budgets.investments.index.sidebar.check_ballot_link"),
budget_ballot_path(@budget)))) %>
</small>
</p>
<% else %>
<p><strong><%= t("budgets.investments.index.sidebar.zero") %></strong></p>
<% end %>
<ul class="ballot-list">
<% if @heading %>
<% @ballot.investments.by_heading(@heading.id).each do |investment| %>
<%= render "budgets/ballot/investment_for_sidebar",
investment: investment,
investment_ids: @investment_ids %>
<% end %>
<% end %>
</ul>
<%= link_to t("budgets.investments.header.check_ballot"),
budget_ballot_path(@budget),
class: "button hollow expanded" %>
<% end %>
Reference in New Issue View Git Blame Copy Permalink