consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
b31f853bc6ad15cb479e958a1ea2acbcf53d5012
grecia/app/views/legislation/annotations/_comments_box.html.erb
Javi Martín 928312e218 Use sanitize in translations with links 
Sometimes we're interpolating a link inside a translation, and marking
the whole translations as HTML safe.

However, some translations added by admins to the database or through
crowdin are not entirely under our control.

Although AFAIK crowdin checks for potential cross-site scripting
attacks, it's a good practice to sanitize parts of a string potentially
out of our control before marking the string as HTML safe.
2019-10-08 18:46:21 +02:00

49 lines
2.0 KiB
Plaintext
Raw Blame History

<div class="comment-box" id="comments-box-<%= annotation.id %>">
<div class="comment-header">
<%= render "comment_header", annotation: annotation %>
</div>
<div class="comments-wrapper">
<div id="comments">
<%= render "comments", annotation: annotation %>
</div>
</div>
<div class="comment-footer">
<% if annotation.comments.roots.count > Legislation::Annotation::COMMENTS_PAGE_SIZE %>
<%= link_to legislation_process_draft_version_annotation_path(annotation.draft_version.process, annotation.draft_version, annotation), class: "button" do %>
<strong><%= t("legislation.annotations.comments.see_all") %></strong>
<% end %>
<% end %>
<% if @process.allegations_phase.open? %>
<a class="button publish-comment" href="#"><strong><%= t("legislation.annotations.comments.publish_comment") %></strong></a>
&nbsp;
<% end %>
<% if @process.allegations_phase.open? %>
<% if user_signed_in? %>
<% css_id = parent_or_commentable_dom_id(nil, annotation) %>
<div id="js-comment-form-annotation-<%= annotation.id %>" style="display:none" class="comment-form js-comment-form-annotation">
<%= form_for @comment, url: legislation_process_draft_version_annotation_new_comment_path(annotation.draft_version.process, annotation.draft_version, annotation), remote: true do |f| %>
<%= f.text_area :body,
id: "comment-body-#{css_id}",
maxlength: Comment.body_max_length,
label: leave_comment_text(annotation),
rows: 8 %>
<%= f.submit comment_button_text(nil, annotation), class: "button" %>
<% end %>
</div>
<% else %>
<div>
<div class="participation-not-allowed" style="display: none;" aria-hidden="false">
<%= sanitize(t("users.login_to_comment",
signin: link_to_signin, signup: link_to_signup)) %>
</div>
</div>
<% end %>
<% end %>
</div>
</div>
Reference in New Issue View Git Blame Copy Permalink