Merge pull request #3747 from consul/html_safe

Sanitize texts instead of using html_safe
This commit is contained in:
Javier Martín
2019-10-08 19:54:18 +02:00
committed by GitHub
129 changed files with 362 additions and 235 deletions


@@ -1,5 +1,7 @@
---
linters:
ErbSafety:
enabled: true
ExtraNewline:
enabled: true
FinalNewline:


@@ -160,6 +160,12 @@ Rails/Date:
Rails/HttpPositionalArguments:
Enabled: true
Rails/OutputSafety:
Enabled: true
Severity: warning
Exclude:
- app/helpers/text_with_links_helper.rb
Rails/PluralizationGrammar:
Enabled: true


@@ -313,7 +313,7 @@ GEM
actionmailer (>= 3.2)
letter_opener (~> 1.0)
railties (>= 3.2)
loofah (2.3.0)
loofah (2.2.3)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
mail (2.7.1)


@@ -10,7 +10,7 @@ class Admin::Legislation::DraftVersionsController < Admin::Legislation::BaseCont
def create
if @draft_version.save
link = legislation_process_draft_version_path(@process, @draft_version).html_safe
link = legislation_process_draft_version_path(@process, @draft_version)
notice = t("admin.legislation.draft_versions.create.notice", link: link)
redirect_to admin_legislation_process_draft_versions_path, notice: notice
else
@@ -21,7 +21,7 @@ class Admin::Legislation::DraftVersionsController < Admin::Legislation::BaseCont
def update
if @draft_version.update(draft_version_params)
link = legislation_process_draft_version_path(@process, @draft_version).html_safe
link = legislation_process_draft_version_path(@process, @draft_version)
notice = t("admin.legislation.draft_versions.update.notice", link: link)
edit_path = edit_admin_legislation_process_draft_version_path(@process, @draft_version)
redirect_to edit_path, notice: notice


@@ -8,7 +8,7 @@ class Admin::Legislation::HomepagesController < Admin::Legislation::BaseControll
def update
if @process.update(process_params)
link = legislation_process_path(@process).html_safe
link = legislation_process_path(@process)
redirect_back(fallback_location: (request.referer || root_path),
notice: t("admin.legislation.processes.update.notice", link: link))
else


@@ -23,7 +23,7 @@ class Admin::Legislation::ProcessesController < Admin::Legislation::BaseControll
def create
if @process.save
link = legislation_process_path(@process).html_safe
link = legislation_process_path(@process)
notice = t("admin.legislation.processes.create.notice", link: link)
redirect_to edit_admin_legislation_process_path(@process), notice: notice
else
@@ -36,7 +36,7 @@ class Admin::Legislation::ProcessesController < Admin::Legislation::BaseControll
if @process.update(process_params)
set_tag_list
link = legislation_process_path(@process).html_safe
link = legislation_process_path(@process)
redirect_back(fallback_location: (request.referer || root_path),
notice: t("admin.legislation.processes.update.notice", link: link))
else


@@ -41,7 +41,7 @@ class Admin::Legislation::QuestionsController < Admin::Legislation::BaseControll
private
def question_path
legislation_process_question_path(@process, @question).html_safe
legislation_process_question_path(@process, @question)
end
def question_params


@@ -17,7 +17,7 @@ class DirectUploadsController < ApplicationController
render json: { cached_attachment: @direct_upload.relation.cached_attachment,
filename: @direct_upload.relation.attachment.original_filename,
destroy_link: render_destroy_upload_link(@direct_upload).html_safe,
destroy_link: render_destroy_upload_link(@direct_upload),
attachment_url: @direct_upload.relation.attachment.url }
else
@direct_upload.destroy_attachment


@@ -32,7 +32,8 @@ module ApplicationHelper
strikethrough: true,
superscript: true
}
Redcarpet::Markdown.new(renderer, extensions).render(text).html_safe
sanitize(Redcarpet::Markdown.new(renderer, extensions).render(text))
end
def author_of?(authorable, user)


@@ -10,7 +10,7 @@ module BudgetInvestmentsHelper
translation = t("admin.budget_investments.index.list.#{column}")
link_to(
"#{translation} <span class='icon-sortable #{icon}'></span>".html_safe,
safe_join([translation, content_tag(:span, "", class: "icon-sortable #{icon}")]),
admin_budget_budget_investments_path(sort_by: column, direction: direction)
)
end


@@ -50,10 +50,11 @@ module DocumentsHelper
end
def document_item_link(document)
link_to "#{document.title} <small>(#{document.humanized_content_type} | \
#{number_to_human_size(document.attachment_file_size)}</small>)".html_safe,
document.attachment.url,
target: "_blank",
title: t("shared.target_blank_html")
info_text = "#{document.humanized_content_type} | #{number_to_human_size(document.attachment_file_size)}"
link_to safe_join([document.title, content_tag(:small, "(#{info_text})")], " "),
document.attachment.url,
target: "_blank",
title: t("shared.target_blank")
end
end
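Review bot: The rebuilt `link_to` still opens `document.attachment.url` with `target: "_blank"` and no `rel`, so the opened document — a user-uploaded file — gets a `window.opener` handle back to this page; add `rel: "noopener noreferrer"` next to `target: "_blank"`. The `safe_join` itself is correct: `document.title` is no longer interpolated into a markup string, so it is escaped as text, and `number_to_human_size` only ever produces a formatted number. Dropping the `_html` suffix for the `title:` translation is fine here because attribute values are escaped on output regardless.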


@@ -65,7 +65,7 @@ module ProposalsDashboardHelper
supports: number_with_delimiter(resource.required_supports,
delimiter: ".")) if resource.required_supports > 0
label.join(" #{t("dashboard.resource.and")}<br>")
safe_join label, h(" #{t("dashboard.resource.and")})") + tag(:br)
end
def daily_selected_class
@@ -97,7 +97,7 @@ module ProposalsDashboardHelper
end
def proposed_action_description(proposed_action)
raw proposed_action.description.truncate(200)
sanitize proposed_action.description.truncate(200)
end
def proposed_action_long_description?(proposed_action)
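Review bot: The separator passed to `safe_join` has a stray `)` inside the string literal — `h(" #{t("dashboard.resource.and")})")` — so the rendered label now ends in `and)` where the old `join` produced `and`; it should read `safe_join label, h(" #{t("dashboard.resource.and")}") + tag(:br)`. In the second hunk, `proposed_action.description` is filtered with Rails' default `sanitize` here but with `WYSIWYGSanitizer` in the view and mailer sections of this PR that render the same field, so one attribute is subject to two different allow-lists; `WYSIWYGSanitizer.new.sanitize(proposed_action.description.truncate(200))` keeps a single policy per field. Truncating before sanitizing is the right order, since a tag cut in half by `truncate` is repaired or dropped by the sanitizer instead of reaching the page. `resource_availability_label` begins above the first hunk.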


@@ -24,10 +24,10 @@ module SignatureSheetsHelper
text_help += t("admin.signature_sheets.new.text_help.postal_code_note")
end
text_help += "<br/>"
text_help += tag(:br)
text_help += t("admin.signature_sheets.new.text_help.required_fields_structure_note")
return text_help.html_safe
return text_help
end
def example_text_help
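Review bot: `text_help += tag(:br)` only yields an html-safe result if `text_help` is already a `SafeBuffer` when this hunk starts; `String#+` with a `SafeBuffer` argument returns a plain `String`, so if the method initialises `text_help` from a non-`_html` translation (its first lines are above the hunk) the returned value is escaped on output and the admin sees a literal `<br />`. Building the pieces with `safe_join` removes the dependence on the receiver's type: `safe_join([text_help, tag(:br), t("admin.signature_sheets.new.text_help.required_fields_structure_note")])`, which also escapes the translation text if it is ever a plain `String`. The explicit `return` can go as well since this is the last expression.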


@@ -1,16 +1,16 @@
module TextWithLinksHelper
def text_with_links(text)
def sanitize_and_auto_link(text)
return unless text
sanitized = sanitize(text, tags: [], attributes: [])
Rinku.auto_link(sanitized, :all, 'target="_blank" rel="nofollow"').html_safe
auto_link_already_sanitized_html(sanitized)
end
def safe_html_with_links(html)
def auto_link_already_sanitized_html(html)
return if html.nil?
html = ActiveSupport::SafeBuffer.new(html) if html.is_a?(String)
return html.html_safe unless html.html_safe?
Rinku.auto_link(html, :all, 'target="_blank" rel="nofollow"').html_safe
raise "Could not add links because the content is not safe" unless html.html_safe?
raw Rinku.auto_link(html, :all, 'target="_blank" rel="nofollow"')
end
def simple_format_no_tags_no_sanitize(html)
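Review bot: The attribute string handed to `Rinku.auto_link` is `target="_blank" rel="nofollow"`, so every auto-linked user-supplied URL (comment bodies, `external_url`, descriptions) opens with a `window.opener` reference back to this site; change it to `'target="_blank" rel="nofollow noopener noreferrer"'` in both methods. The `raise` before `raw` is the right fail-closed guard, but `html_safe?` only records that some caller declared the value safe — for model attributes passed in directly (`@debate.description`, `investment.description`) that declaration presumably lives in the model, so the real control is sanitizing on write, outside this file; a one-line comment such as `# Contract: callers pass SafeBuffers that were sanitized on write, never String#html_safe on raw input` would make that explicit. A dedicated error class would let callers rescue this case specifically instead of matching a bare `RuntimeError`. `simple_format_no_tags_no_sanitize` continues below the hunk.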


@@ -26,9 +26,9 @@ module TranslatableFormHelper
visible_locales.map do |locale|
@translations[locale] = translation_for(locale)
end
visible_locales.map do |locale|
safe_join(visible_locales.map do |locale|
Globalize.with_locale(locale) { fields_for_locale(locale, &block) }
end.join.html_safe
end)
end
private


@@ -14,7 +14,7 @@ module ValuationHelper
end
def explanation_field(field)
simple_format_no_tags_no_sanitize(safe_html_with_links(field.html_safe)) if field.present?
simple_format_no_tags_no_sanitize(sanitize_and_auto_link(field)) if field.present?
end
end


@@ -31,7 +31,7 @@
<td class="small" data-field="valuator">
<% valuators = [investment.assigned_valuation_groups, investment.assigned_valuators].compact %>
<% no_valuators_assigned = t("admin.budget_investments.index.no_valuators_assigned") %>
<%= raw valuators.present? ? valuators.join(", ") : no_valuators_assigned %>
<%= valuators.present? ? valuators.join(", ") : no_valuators_assigned %>
</td>
<td class="small" data-field="geozone">


@@ -55,6 +55,6 @@
<% if @investment.external_url.present? %>
<p>
<%= text_with_links @investment.external_url %>&nbsp;<span class="icon-external small"></span>
<%= sanitize_and_auto_link @investment.external_url %>&nbsp;<span class="icon-external small"></span>
</p>
<% end %>


@@ -25,7 +25,7 @@
</span>
</div>
<%= safe_html_with_links @debate.description %>
<%= auto_link_already_sanitized_html @debate.description %>
<h3><%= t("votes.supports") %></h3>


@@ -15,7 +15,7 @@
<% @comments.each do |comment| %>
<tr id="<%= dom_id(comment) %>">
<td>
<%= text_with_links comment.body %><br>
<%= sanitize_and_auto_link comment.body %><br>
<% if comment.commentable.hidden? %>
(<%= t("admin.hidden_comments.index.hidden_#{comment.commentable_type.downcase}") %>: <%= comment.commentable.title %>)
<% else %>


@@ -23,7 +23,7 @@
<p><small><%= proposal.summary %></small></p>
<%= proposal.description %>
<% if proposal.video_url.present? %>
<p><%= text_with_links proposal.video_url %></p>
<p><%= sanitize_and_auto_link proposal.video_url %></p>
<% end %>
</div>
</td>


@@ -30,7 +30,7 @@
<% @comments.each do |comment| %>
<tr id="<%= dom_id(comment) %>">
<td>
<%= text_with_links comment.body %>
<%= sanitize_and_auto_link comment.body %>
</td>
</tr>
<% end %>


@@ -32,7 +32,7 @@
<% @content_blocks.each do |content_block| %>
<tr id="<%= dom_id(content_block) %>">
<td><%= link_to "#{content_block.name} (#{content_block.locale})", edit_admin_site_customization_content_block_path(content_block) %></td>
<td><%= content_block.body.html_safe %></td>
<td><%= raw content_block.body %></td>
<td>
<%= link_to t("admin.site_customization.content_blocks.index.delete"),
admin_site_customization_content_block_path(content_block),
@@ -43,7 +43,7 @@
<% @headings_content_blocks.each do |content_block| %>
<tr id="<%= dom_id(content_block) %>">
<td><%= link_to "#{content_block.heading.name} (#{content_block.locale})", admin_site_customization_edit_heading_content_block_path(content_block) %></td>
<td><%= content_block.body.html_safe %></td>
<td><%= raw content_block.body %></td>
<td>
<%= link_to t("admin.site_customization.content_blocks.index.delete"),
admin_site_customization_delete_heading_content_block_path(content_block.id),
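Review bot: `raw content_block.body` is a deliberate exception to this sanitization sweep — content blocks are admin-authored HTML — but nothing on the line records that, and this index renders every block's body into the table, so a block containing a script executes on the admin page too. Leave a marker for the next reader, e.g. `<%# content blocks are admin HTML; rendered unsanitized by design %>` above the first `raw`, and consider an escaped preview in the index, `truncate(strip_tags(content_block.body), length: 80)`, instead of executing each block inline. Switching from `.html_safe` to `raw` is the right form for the `Rails/OutputSafety` cop enabled in this PR.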


@@ -7,7 +7,7 @@
-
<%= l(phase.ends_at.to_date - 1.day, format: :long) if phase.ends_at.present? %>
</span>
<p><%= safe_html_with_links(phase.summary) %></p>
<p><%= auto_link_already_sanitized_html(WYSIWYGSanitizer.new.sanitize(phase.summary)) %></p>
</li>
<% end %>
</ul>


@@ -10,7 +10,7 @@
count: @ballot.investments.count) %>
</h2>
<p class="confirmed">
<%= t("budgets.ballots.show.voted_info_html") %>
<%= t("budgets.ballots.show.voted_info") %>
<p>
<p><%= t("budgets.ballots.show.voted_info_2") %></p>
</div>
@@ -26,8 +26,8 @@
<h3>
<%= group.name %> - <%= @ballot.heading_for_group(group).name %>
</h3>
<%= link_to t("budgets.ballots.show.remaining",
amount: @ballot.formatted_amount_available(@ballot.heading_for_group(group))).html_safe,
<%= link_to sanitize(t("budgets.ballots.show.remaining",
amount: @ballot.formatted_amount_available(@ballot.heading_for_group(group)))),
budget_group_path(@budget, group) %>
</div>
<% if @ballot.has_lines_in_group?(group) %>
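Review bot: Renaming the key from `voted_info_html` to `voted_info` changes how Rails treats the string: an `_html` key is returned html-safe with its interpolations escaped, while the plain key is escaped as a whole on output, so if the locale entry still contains markup it now renders as visible tags. The locale files are not in this section; confirm they were changed in step, or wrap it the way the `remaining` link text below is — `<%= sanitize(t("budgets.ballots.show.voted_info")) %>`. For the `remaining` line itself, an `_html` key would escape `amount` automatically and avoid running the sanitizer on every render; `sanitize` still lets `<a>` and `<img>` through, so it is a weaker contract than escaping the interpolation.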


@@ -15,7 +15,7 @@
<h1><%= current_budget.name %></h1>
<div class="description">
<%= safe_html_with_links(current_budget.description) %>
<%= auto_link_already_sanitized_html(current_budget.description) %>
</div>
<p>
<%= link_to t("budgets.index.section_header.help"), "#section_help" %>
@@ -37,14 +37,14 @@
class: "button margin-top expanded" %>
<% else %>
<div class="callout warning margin-top">
<%= t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account).html_safe %>
<%= sanitize(t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account)) %>
</div>
<% end %>
<% else %>
<div class="callout primary margin-top">
<%= t("budgets.investments.index.sidebar.not_logged_in",
sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
<%= sanitize(t("budgets.investments.index.sidebar.not_logged_in",
sign_in: link_to_signin, sign_up: link_to_signup)) %>
</div>
<% end %>
<% end %>


@@ -51,11 +51,11 @@
<p>
<small>
<%= t("budgets.ballots.reasons_for_not_balloting.#{reason}",
<%= sanitize(t("budgets.ballots.reasons_for_not_balloting.#{reason}",
verify_account: link_to_verify_account, signin: link_to_signin,
signup: link_to_signup, my_heading: my_heading,
change_ballot: change_ballot,
heading_link: heading_link(@assigned_heading, @budget)).html_safe %>
heading_link: heading_link(@assigned_heading, @budget))) %>
</small>
</p>
</div>


@@ -93,7 +93,8 @@
title: t("form.accept_terms_title"),
label: t("form.accept_terms",
policy: link_to(t("form.policy"), "/privacy", target: "blank"),
conditions: link_to(t("form.conditions"), "/conditions", target: "blank")).html_safe %>
conditions: link_to(t("form.conditions"), "/conditions", target: "blank")
) %>
</div>
<% end %>
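Review bot: Dropping `.html_safe` leaves `label:` as a plain `String` — a non-`_html` `t` call returns a `String` even when the interpolated `link_to` values are `SafeBuffer`s — so if the helper above the hunk forwards it to a Rails `label`/`label_tag`, the policy and conditions anchors will render as escaped text. The other call sites in this PR wrap such interpolated translations in `sanitize(...)`; do the same here, or switch to a `form.accept_terms_html` key, which escapes non-safe interpolations and keeps the links without a sanitizer. Separately, both links use `target: "blank"` (a named window, not `_blank`) and no `rel: "noopener"`, which is pre-existing but worth fixing while the line is being touched. The helper call starts above the hunk.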


@@ -40,9 +40,9 @@
heading_link: heading_link(@assigned_heading, @budget)) %>
<br>
<small>
<%= t("budgets.investments.header.change_ballot",
<%= sanitize(t("budgets.investments.header.change_ballot",
check_ballot: link_to(t("budgets.investments.header.check_ballot_link"),
budget_ballot_path(@budget))).html_safe %>
budget_ballot_path(@budget)))) %>
</small>
</div>
</div>


@@ -22,7 +22,7 @@
<%= t("budgets.investments.show.code_html", code: investment.id) %>
</p>
<%= safe_html_with_links investment.description.html_safe %>
<%= auto_link_already_sanitized_html investment.description %>
<% if feature?(:map) && map_location_available?(@investment.map_location) %>
<div class="margin">
@@ -52,7 +52,7 @@
<% if investment.external_url.present? %>
<div class="document-link">
<%= text_with_links investment.external_url %>
<%= sanitize_and_auto_link investment.external_url %>
</div>
<% end %>


@@ -6,17 +6,17 @@
new_budget_investment_path(budget_id: @budget.id), class: "button budget expanded" %>
<% else %>
<div class="callout warning">
<%= t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account).html_safe %>
<%= sanitize(t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account)) %>
</div>
<% end %>
<% end %>
<% if @heading && can?(:show, @ballot) %>
<p class="callout">
<%= t("budgets.investments.index.sidebar.voted_info",
<%= sanitize(t("budgets.investments.index.sidebar.voted_info",
link: link_to(t("budgets.investments.index.sidebar.voted_info_link"),
budget_ballot_path(@budget))).html_safe %>
budget_ballot_path(@budget)))) %>
</p>
<% end %>
@@ -52,9 +52,9 @@
) %>
<br>
<small>
<%= t("budgets.investments.index.sidebar.change_ballot",
<%= sanitize(t("budgets.investments.index.sidebar.change_ballot",
check_ballot: link_to(t("budgets.investments.index.sidebar.check_ballot_link"),
budget_ballot_path(@budget))).html_safe %>
budget_ballot_path(@budget)))) %>
</small>
</p>
<% else %>


@@ -31,13 +31,13 @@
<div class="js-participation-not-allowed participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<small>
<%= t("votes.budget_investments.#{reason}",
<%= sanitize(t("votes.budget_investments.#{reason}",
count: investment.group.max_votable_headings,
verify_account: link_to_verify_account,
signin: link_to_signin,
signup: link_to_signup,
supported_headings: (current_user && current_user.headings_voted_within_group(investment.group).map(&:name).sort.to_sentence)
).html_safe %>
)) %>
</small>
</p>
</div>
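Review bot: `sanitize` here is doing the work that escaping should do: `supported_headings` is built from heading names stored in the database and is interpolated into the translation unescaped, and Rails' default allow-list keeps `<a href>`, `<img src>` and similar, so anyone who can set a heading name can inject links or images into this message (presumably only admins, but the contract is implicit). An `_html` key — `t("votes.budget_investments.#{reason}_html", ...)` — makes Rails escape every non-safe interpolation while preserving the `link_to_*` `SafeBuffer`s, with no sanitizer in the render path. The same `sanitize(t(...))` pattern appears in most view sections of this PR; this one is just where a non-constant interpolation is visible.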


@@ -9,7 +9,7 @@
<h1><%= @budget.name %></h1>
<%= safe_html_with_links(@budget.description) %>
<%= auto_link_already_sanitized_html(@budget.description) %>
</div>
<div class="small-12 medium-3 column info padding" data-equalizer-watch>
<p>
@@ -23,14 +23,14 @@
<%= link_to t("budgets.investments.index.sidebar.create"), new_budget_investment_path(@budget), class: "button margin-top expanded" %>
<% else %>
<div class="callout warning margin-top">
<%= t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account).html_safe %>
<%= sanitize(t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account)) %>
</div>
<% end %>
<% else %>
<div class="callout primary margin-top">
<%= t("budgets.investments.index.sidebar.not_logged_in",
sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
<%= sanitize(t("budgets.investments.index.sidebar.not_logged_in",
sign_in: link_to_signin, sign_up: link_to_signup)) %>
</div>
<% end %>
<% end %>


@@ -80,7 +80,7 @@
<div class="comment-user
<%= user_level_class comment %>
<%= comment_author_class comment, comment.commentable.author_id %>">
<%= simple_format text_with_links(comment.body), {}, sanitize: false %>
<%= simple_format sanitize_and_auto_link(comment.body), {}, sanitize: false %>
</div>
<div id="<%= dom_id(comment) %>_reply" class="reply">


@@ -24,7 +24,7 @@
<% elsif require_verified_resident_for_commentable?(commentable, current_user) %>
<br>
<div data-alert class="callout primary">
<%= t("comments.verified_only", verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("comments.verified_only", verify_account: link_to_verify_account)) %>
</div>
<% elsif allow_comments %>
<%= render "comments/form", { commentable: commentable,


@@ -1,7 +1,7 @@
<% valuation = local_assigns.fetch(:valuation, false) %>
<% cache [locale_and_user_status, parent_id, commentable_cache_key(commentable), valuation] do %>
<% css_id = parent_or_commentable_dom_id(parent_id, commentable) %>
<div id="js-comment-form-<%= css_id %>" <%= "style='display:none'".html_safe if toggeable %> class="comment-form">
<div id="js-comment-form-<%= css_id %>" <%= raw("style='display:none'") if toggeable %> class="comment-form">
<%= form_for Comment.new, remote: true do |f| %>
<%= f.text_area :body,
id: "comment-body-#{css_id}",


@@ -81,9 +81,7 @@
</div>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<%= t("votes.comment_unauthenticated",
signin: link_to_signin,
signup: link_to_signup).html_safe %>
<%= sanitize(t("votes.comment_unauthenticated", signin: link_to_signin, signup: link_to_signup)) %>
</div>
<% end %>
</div>


@@ -38,10 +38,10 @@
<small><%= t("dashboard.recommended_actions.show_description") %></small>
</a>
<div id="proposed_action_description_<%= dom_id(proposed_action) %>" class="hide" data-toggler=".hide">
<%= proposed_action.description.html_safe %>
<%= WYSIWYGSanitizer.new.sanitize(proposed_action.description) %>
</div>
<% else %>
<%= proposed_action.description.html_safe %>
<%= WYSIWYGSanitizer.new.sanitize(proposed_action.description) %>
<% end %>
<% end %>


@@ -23,7 +23,7 @@
class: "button expanded" %>
<% else %>
<strong>
<%== resource_availability_label(resource) %>
<%= resource_availability_label(resource) %>
</strong>
<% end %>
</div>


@@ -2,7 +2,7 @@
<div class="row expanded">
<div class="small-12 medium-8 column">
<%== dashboard_action.description %>
<%= WYSIWYGSanitizer.new.sanitize(dashboard_action.description) %>
<%= render "dashboard/form" %>
</div>


@@ -6,7 +6,7 @@
<p>
<%= t("mailers.new_actions_notification_on_create.text_1") %>
<br>
<%= t("mailers.new_actions_notification_on_create.text_2", link: proposal_dashboard_url(@proposal)).html_safe %>
<%= sanitize(t("mailers.new_actions_notification_on_create.text_2", link: proposal_dashboard_url(@proposal))) %>
</p>
<p><%= t("mailers.new_actions_notification_on_create.text_3") %></p>
<p><%= t("mailers.new_actions_notification_on_create.text_4") %></p>


@@ -36,7 +36,7 @@
<ul>
<li><%= first_proposed_action.title %></li>
<% if first_proposed_action.short_description.present? %>
<p><%= first_proposed_action.short_description.html_safe %></p>
<p><%= first_proposed_action.short_description %></p>
<% end %>
</ul>
<% end %>


@@ -10,9 +10,9 @@
title: @proposal.title) %>
</p>
<p>
<%= t("mailers.new_actions_notification_rake_created.text_1",
<%= sanitize(t("mailers.new_actions_notification_rake_created.text_1",
link_to_published: link_to(proposal_dashboard_url(@proposal),
proposal_dashboard_url(@proposal))).html_safe %>
proposal_dashboard_url(@proposal)))) %>
</p>
<p><%= t("mailers.new_actions_notification_rake_created.text_2") %></p>
<br>
@@ -35,7 +35,7 @@
<ul>
<li><%= first_proposed_action.title %></li>
<% if first_proposed_action.description.present? %>
<p><%= first_proposed_action.description.html_safe %></p>
<p><%= WYSIWYGSanitizer.new.sanitize(first_proposed_action.description) %></p>
<% end %>
</ul>
<br>


@@ -36,7 +36,7 @@
<ul>
<li><%= first_proposed_action.title %></li>
<% if first_proposed_action.description.present? %>
<p><%= first_proposed_action.description.html_safe %></p>
<p><%= WYSIWYGSanitizer.new.sanitize(first_proposed_action.description) %></p>
<% end %>
</ul>
<br>


@@ -1,7 +1,7 @@
<% content_for :action_title, t("dashboard.mailing.new.title") %>
<div class="row expanded">
<div class="small-12 medium-9 column">
<%== Setting["proposals.email_description"] %>
<%= Setting["proposals.email_description"] %>
</div>
<%= render "mailing_options" %>
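Review bot: `Setting["proposals.email_description"]` now goes through `<%= %>` and is escaped, whereas the line it replaces rendered it raw; if that setting holds admin-authored rich text (the old `<%==` suggests it contained markup), the tags will now be visible on the page. The `dashboard_action.description` section in this PR handles the equivalent case with `WYSIWYGSanitizer`; the same wrapper keeps formatting while removing scripts: `<%= WYSIWYGSanitizer.new.sanitize(Setting["proposals.email_description"]) %>`. The poll and poster description views changed alongside this one have the same question.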


@@ -1,7 +1,7 @@
<% content_for :action_title, t("dashboard.polls.index.title") %>
<div class="row expanded">
<div class="small-12 medium-9 column">
<%== Setting["proposals.poll_description"] %>
<%= Setting["proposals.poll_description"] %>
<% if @polls.any? %>
<div class="row expanded margin-top" data-equalizer="poll-cards" data-equalize-on="medium">


@@ -1,7 +1,7 @@
<% content_for :action_title, t("dashboard.poster.new.title") %>
<div class="row expanded">
<div class="small-12 medium-9 column">
<%== Setting["proposals.poster_description"] %>
<%= Setting["proposals.poster_description"] %>
</div>
<%= render "poster_options" %>


@@ -39,7 +39,7 @@
label: t("form.accept_terms",
policy: link_to(t("form.policy"), "/privacy", target: "blank"),
conditions: link_to(t("form.conditions"), "/conditions", target: "blank")
).html_safe %>
) %>
<% end %>
</div>


@@ -52,7 +52,7 @@
<% elsif user_signed_in? && !debate.votable_by?(current_user) %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<%= t("votes.anonymous", verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("votes.anonymous", verify_account: link_to_verify_account)) %>
</p>
</div>
<% elsif !user_signed_in? %>


@@ -86,8 +86,8 @@
</p>
<p><%= t("debates.index.section_footer.description") %></p>
<p><%= t("debates.index.section_footer.help_text_1") %></p>
<p><%= t("debates.index.section_footer.help_text_2",
org: link_to(setting["org_name"], new_user_registration_path)).html_safe %></p>
<p><%= sanitize(t("debates.index.section_footer.help_text_2",
org: link_to(setting["org_name"], new_user_registration_path))) %></p>
</p>
</div>
<% end %>


@@ -5,11 +5,11 @@
<h1><%= t("debates.new.start_new") %></h1>
<div data-alert class="callout primary">
<%= t("debates.new.info",
info_link: link_to(t("debates.new.info_link"), new_proposal_path)).html_safe %>
<%= sanitize(t("debates.new.info",
info_link: link_to(t("debates.new.info_link"), new_proposal_path))) %>
<% if feature?(:help_page) %>
<%= link_to help_path, title: t("shared.target_blank_html"), target: "_blank" do %>
<%= link_to help_path, title: t("shared.target_blank"), target: "_blank" do %>
<strong><%= t("debates.new.more_info") %></strong>
<% end %>
<% end %>


@@ -30,7 +30,7 @@
</span>
</div>
<%= safe_html_with_links @debate.description %>
<%= auto_link_already_sanitized_html @debate.description %>
<%= render "shared/tags", taggable: @debate %>


@@ -4,8 +4,8 @@
<%= render "devise/omniauth_form" %>
<p>
<%= t("devise_views.shared.links.signup",
signup_link: link_to(t("devise_views.shared.links.signup_link"), new_user_registration_path)).html_safe %>
<%= sanitize(t("devise_views.shared.links.signup",
signup_link: link_to(t("devise_views.shared.links.signup_link"), new_user_registration_path))) %>
</p>
<%= form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>


@@ -9,8 +9,8 @@
<% if not current_user %>
<div class="callout primary">
<p>
<%= t("users.login_to_continue",
signin: link_to_signin, signup: link_to_signup).html_safe %>
<%= sanitize(t("users.login_to_continue",
signin: link_to_signin, signup: link_to_signup)) %>
</p>
</div>
<% elsif not @receiver.email_on_direct_message? %>
@@ -33,8 +33,8 @@
<% else %>
<div class="callout warning">
<p>
<%= t("users.direct_messages.new.verified_only",
verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("users.direct_messages.new.verified_only",
verify_account: link_to_verify_account)) %>
</p>
</div>
<% end %>


@@ -10,6 +10,6 @@
</div>
<h1><%= @direct_message.title %></h1>
<p><%= simple_format text_with_links(@direct_message.body), {}, sanitize: false %></p>
<p><%= simple_format sanitize_and_auto_link(@direct_message.body), {}, sanitize: false %></p>
</div>
</div>


@@ -1,3 +1,3 @@
<li>
<%= link_to t("views.pagination.first").html_safe, kaminari_path(url), :remote => remote %>
<%= link_to t("views.pagination.first"), kaminari_path(url), :remote => remote %>
</li>
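Review bot: `link_to t("views.pagination.first"), ...` now escapes the label, so if the locale entry still carries Kaminari-style entities such as `&laquo;` they render as the literal text `&laquo;`; the `truncate` partial in this PR was given `sanitize(...)` for exactly that reason, while `first`, `last`, `next` and `previous` were not. Either the locale strings are plain text, in which case this is fine, or these four should match the truncate partial: `link_to sanitize(t("views.pagination.first")), kaminari_path(url), remote: remote`. The yml is not visible from this page, so this needs confirming rather than assuming.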


@@ -1,3 +1,3 @@
<li class="ellipsis" aria-hidden="true">
<%= t("views.pagination.truncate").html_safe %>
<%= sanitize(t("views.pagination.truncate")) %>
</li>


@@ -1,3 +1,3 @@
<li>
<%= link_to t("views.pagination.last").html_safe, kaminari_path(url), :remote => remote %>
<%= link_to t("views.pagination.last"), kaminari_path(url), :remote => remote %>
</li>


@@ -1,3 +1,3 @@
<li class="pagination-next">
<%= link_to t("views.pagination.next").html_safe, kaminari_path(url), :rel => "next", :remote => remote %>
<%= link_to t("views.pagination.next"), kaminari_path(url), :rel => "next", :remote => remote %>
</li>


@@ -1,3 +1,3 @@
<li class="pagination-previous">
<%= link_to t("views.pagination.previous").html_safe, kaminari_path(url), :rel => "prev", :remote => remote %>
<%= link_to t("views.pagination.previous"), kaminari_path(url), :rel => "prev", :remote => remote %>
</li>


@@ -5,7 +5,7 @@
<span aria-hidden="true">&times;</span>
</button>
<div class="notice-text">
<%= flash_message.try(:html_safe) %>
<%= sanitize(flash_message) %>
</div>
</div>
</div>
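Review bot: `sanitize(flash_message)` applies Rails' default allow-list to every flash, so any notice or alert that echoes user-supplied text keeps `<a href>`, `<img src>` and other permitted tags rather than escaping them — a content-injection channel the moment a controller interpolates a user-controlled value into a flash. The controllers in this PR only interpolate route paths, which is safe, but this partial cannot tell the difference. Narrowing the allow-list to what the notice translations actually need limits the exposure: `<%= sanitize(flash_message, tags: %w[a strong em], attributes: %w[href]) %>`. This is still a clear improvement over `try(:html_safe)`, which trusted everything.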


@@ -2,14 +2,13 @@
<div class="row">
<div class="small-12 large-4 column">
<h1 class="logo">
<%= link_to t("layouts.header.open_gov", open: "#{t("layouts.header.open")}").html_safe %>
<%= link_to t("layouts.header.open_gov", open: t("layouts.header.open")), root_path %>
</h1>
<p class="info">
<%= t("layouts.footer.description",
<%= sanitize(t("layouts.footer.description",
open_source: link_to(t("layouts.footer.open_source"), t("layouts.footer.open_source_url"), target: "blank", rel: "nofollow"),
consul: link_to(t("layouts.footer.consul"), t("layouts.footer.consul_url"), target: "blank", rel: "nofollow")).html_safe
%>
consul: link_to(t("layouts.footer.consul"), t("layouts.footer.consul_url"), target: "blank", rel: "nofollow"))) %>
<%= t("layouts.footer.contact_us") %>
</p>
</div>
@@ -38,7 +37,7 @@
<% if setting["twitter_handle"] %>
<li class="inline-block">
<%= link_to "https://twitter.com/#{setting["twitter_handle"]}", target: "_blank",
title: t("shared.go_to_page") + t("social.twitter", org: setting["org_name"]) + t("shared.target_blank_html") do %>
title: t("shared.go_to_page") + t("social.twitter", org: setting["org_name"]) + t("shared.target_blank") do %>
<span class="show-for-sr"><%= t("social.twitter", org: setting["org_name"]) %></span>
<span class="icon-twitter" aria-hidden="true"></span>
<% end %>
@@ -47,7 +46,7 @@
<% if setting["facebook_handle"] %>
<li class="inline-block">
<%= link_to "https://www.facebook.com/#{setting["facebook_handle"]}/", target: "_blank",
title: t("shared.go_to_page") + t("social.facebook", org: setting["org_name"]) + t("shared.target_blank_html") do %>
title: t("shared.go_to_page") + t("social.facebook", org: setting["org_name"]) + t("shared.target_blank") do %>
<span class="show-for-sr"><%= t("social.facebook", org: setting["org_name"]) %></span>
<span class="icon-facebook" aria-hidden="true"></span>
<% end %>
@@ -56,7 +55,7 @@
<% if setting["youtube_handle"] %>
<li class="inline-block">
<%= link_to "https://www.youtube.com/#{setting["youtube_handle"]}", target: "_blank",
title: t("shared.go_to_page") + t("social.youtube", org: setting["org_name"]) + t("shared.target_blank_html") do %>
title: t("shared.go_to_page") + t("social.youtube", org: setting["org_name"]) + t("shared.target_blank") do %>
<span class="show-for-sr"><%= t("social.youtube", org: setting["org_name"]) %></span>
<span class="icon-youtube" aria-hidden="true"></span>
<% end %>
@@ -65,7 +64,7 @@
<% if setting["telegram_handle"] %>
<li class="inline-block">
<%= link_to "https://www.telegram.me/#{setting["telegram_handle"]}", target: "_blank",
title: t("shared.go_to_page") + t("social.telegram", org: setting["org_name"]) + t("shared.target_blank_html") do %>
title: t("shared.go_to_page") + t("social.telegram", org: setting["org_name"]) + t("shared.target_blank") do %>
<span class="show-for-sr"><%= t("social.telegram", org: setting["org_name"]) %></span>
<span class="icon-telegram" aria-hidden="true"></span>
<% end %>
@@ -74,7 +73,7 @@
<% if setting["instagram_handle"] %>
<li class="inline-block">
<%= link_to "https://www.instagram.com/#{setting["instagram_handle"]}", target: "_blank",
title: t("shared.go_to_page") + t("social.instagram", org: setting["org_name"]) + t("shared.target_blank_html") do %>
title: t("shared.go_to_page") + t("social.instagram", org: setting["org_name"]) + t("shared.target_blank") do %>
<span class="show-for-sr"><%= t("social.instagram", org: setting["org_name"]) %></span>
<span class="icon-instagram" aria-hidden="true"></span>
<% end %>


@@ -10,11 +10,11 @@
<span class="icon-circle" aria-hidden="true"></span>
<span class="icon-notification" aria-hidden="true"
title="<%= t("layouts.header.notification_item.new_notifications",
count: current_user.notifications_count).html_safe %>">
count: current_user.notifications_count) %>">
</span>
<span class="show-for-small-only">
<%= t("layouts.header.notification_item.new_notifications",
count: current_user.notifications_count).html_safe %>
count: current_user.notifications_count) %>
</span>
<% else %>
<span class="icon-no-notification" aria-hidden="true"


@@ -11,18 +11,18 @@
type: "image/png" %>
<%= content_for :social_media_meta_tags %>
<%= setting["html.per_page_code_head"].try(:html_safe) %>
<%= raw setting["html.per_page_code_head"] %>
</head>
<body class="<%= yield (:body_class) %>">
<%= setting["html.per_page_code_body"].try(:html_safe) %>
<%= raw setting["html.per_page_code_body"] %>
<h1 class="show-for-sr"><%= setting["org_name"] %></h1>
<div class="wrapper <%= yield (:wrapper_class) %>">
<%= render "layouts/header", with_subnavigation: true %>
<!--[if lt IE 9]>
<% if browser.ie? && cookies["ie_alert_closed"] != "true" %>
<!--[if lt IE 9]>
<div data-alert class="callout primary ie-callout" data-closable>
<button class="close-button ie-callout-close-js"
aria-label="<%= t("application.close") %>" type="button" data-close>
@@ -30,16 +30,16 @@
</button>
<h2><%= t("layouts.application.ie_title") %></h2>
<p>
<%= t("layouts.application.ie",
<%= sanitize(t("layouts.application.ie",
chrome: link_to(
t("layouts.application.chrome"), "https://www.google.com/chrome/browser/desktop/", title: t("shared.target_blank_html"), target: "_blank"),
t("layouts.application.chrome"), "https://www.google.com/chrome/browser/desktop/", title: t("shared.target_blank"), target: "_blank"),
firefox: link_to(
t("layouts.application.firefox"), "https://www.mozilla.org/firefox", title: t("shared.target_blank_html"), target: "_blank")
).html_safe %>
t("layouts.application.firefox"), "https://www.mozilla.org/firefox", title: t("shared.target_blank"), target: "_blank")
)) %>
</p>
</div>
<% end %>
<![endif]-->
<% end %>
<%= render "layouts/flash" %>
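Review bot: `raw setting["html.per_page_code_head"]` and `raw setting["html.per_page_code_body"]` keep rendering admin-configured snippets unsanitized, which is the intended way to inject analytics tags but also means any account that can edit those settings has script execution for every visitor; that should be stated at the injection point so a future "replace raw with sanitize" sweep neither breaks it nor misses it. Add `<%# Admin-provided head/body snippets (analytics etc.); rendered unsanitized on purpose — editing these settings equals site-wide script execution %>` above the first `raw`. The `per_page_code_*` lines in the other layouts changed in this PR want the same marker. Moving the `<!--[if lt IE 9]>` conditional comment inside the `browser.ie?` branch is a markup-only change.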


@@ -18,10 +18,10 @@
type: "image/png" %>
<%= content_for :social_media_meta_tags %>
<%= setting["per_page_code_head"].try(:html_safe) %>
<%= raw setting["per_page_code_head"] %>
</head>
<body class="proposal-dashboard">
<%= setting["per_page_code_body"].try(:html_safe) %>
<%= raw setting["per_page_code_body"] %>
<h1 class="show-for-sr"><%= setting["org_name"] %></h1>


@@ -3,11 +3,11 @@
<head>
<%= render "layouts/common_head", default_title: "Gobierno abierto" %>
<%= render "layouts/meta_tags" %>
<%= setting["html.per_page_code_head"].try(:html_safe) %>
<%= raw setting["html.per_page_code_head"] %>
</head>
<body class="auth-page">
<%= setting["html.per_page_code_body"].try(:html_safe) %>
<%= raw setting["html.per_page_code_body"] %>
<div class="wrapper">
<div class="auth-image small-12 medium-3 column">
<h1 class="logo margin">


@@ -18,10 +18,10 @@
type: "image/png" %>
<%= content_for :social_media_meta_tags %>
<%= setting["per_page_code_head"].try(:html_safe) %>
<%= raw setting["per_page_code_head"] %>
</head>
<body class="proposal-dashboard">
<%= setting["per_page_code_body"].try(:html_safe) %>
<%= raw setting["per_page_code_body"] %>
<h1 class="show-for-sr"><%= setting["org_name"] %></h1>


@@ -37,8 +37,8 @@
<div>
<div class="participation-not-allowed" style="display: none;" aria-hidden="false">
<%= t("users.login_to_comment",
signin: link_to_signin, signup: link_to_signup).html_safe %>
<%= sanitize(t("users.login_to_comment",
signin: link_to_signin, signup: link_to_signup)) %>
</div>
</div>


@@ -22,7 +22,7 @@
<% end %>
</span>
<div class="comment-section">
<%= annotation.context.try(:html_safe).presence || annotation.quote %>
<%= sanitize(annotation.context).presence || annotation.quote %>
</div>
<%= link_to legislation_process_draft_version_annotation_path(@process, @draft_version, annotation) do %>
<span class="icon-comments" aria-hidden="true"></span> <span><%= t(".comments_count", count: annotation.comments_count) %></span></a>


@@ -19,7 +19,7 @@
<div class="comment-section">
<div class="row">
<div class="small-12 medium-9 column legislation-comment">
<%= @annotation.context.try(:html_safe).presence || @annotation.quote %>
<%= sanitize(@annotation.context).presence || @annotation.quote %>
</div>
<div class="small-12 medium-3 column legislation-comment">
<span class="float-right">


@@ -49,7 +49,7 @@
<div data-sticky-container>
<div data-sticky data-anchor="sticky-panel" class="draft-index sticky" data-tree-navigator>
<%= @draft_version.toc_html.html_safe %>
<%= sanitize(@draft_version.toc_html) %>
</div>
</div>
</div>
@@ -66,7 +66,7 @@
data-legislation-annotatable-base-url="<%= legislation_process_draft_version_path(@process, @draft_version) %>"
data-legislation-open-phase="<%= @process.allegations_phase.open? %>">
<% end %>
<%= @draft_version.body_html.html_safe %>
<%= sanitize(@draft_version.body_html) %>
</section>
</div>
</div>
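Review bot: `sanitize(@draft_version.toc_html)` and `sanitize(@draft_version.body_html)` (L1073, L1082) use Rails' default safe list, which drops `id` and `data-*` attributes; if the table of contents links into the body through `href="#…"` anchors on headings, or the annotator wired up via `data-legislation-annotatable-base-url` (L1078) locates elements by id, those targets disappear after this change — please confirm against whatever generates `body_html`. If ids are required, allow them explicitly, e.g. `sanitize(@draft_version.body_html, attributes: Rails::Html::SafeListSanitizer.allowed_attributes + %w[id])`, or run the draft through the project's `WYSIWYGSanitizer` as the newsletter and poll views in this PR do. The enclosing `<section>` begins outside the hunk.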


@@ -11,8 +11,8 @@
<%= t("annotator.help.alt") %>
<% else %>
<p>
<%= t("annotator.help.text",
sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
<%= sanitize(t("annotator.help.text",
sign_in: link_to_signin, sign_up: link_to_signup)) %>
</p>
<% end %>


@@ -22,7 +22,7 @@
<% elsif user_signed_in? && !proposal.votable_by?(current_user) %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<%= t("votes.verified_only", verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("votes.verified_only", verify_account: link_to_verify_account)) %>
</p>
</div>
<% elsif !user_signed_in? %>


@@ -65,7 +65,7 @@
label: t("form.accept_terms",
policy: link_to(t("form.policy"), "/privacy", target: "blank"),
conditions: link_to(t("form.conditions"), "/conditions", target: "blank")
).html_safe %>
) %>
<% end %>
</div>
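Review bot: Removing `.html_safe` at L1119 without a replacement leaves `label:` holding a plain `String` that still contains the two `<a>` tags, because `form.accept_terms` is not an `_html` key; whether it renders as links or as literal `&lt;a href=…&gt;` text now depends on the form builder escaping its labels, which is outside the hunk. The idiomatic fix is to rename the key to `form.accept_terms_html` so Rails escapes non-safe interpolations and marks the result safe, instead of relying on the builder. Note also the pre-existing `target: "blank"` (not `_blank`) on both links, which opens a named window rather than a fresh one. The enclosing form-helper call starts before the hunk.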


@@ -54,8 +54,8 @@
<% elsif user_signed_in? && !proposal.votable_by?(current_user) %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<%= t("legislation.proposals.not_verified",
verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("legislation.proposals.not_verified",
verify_account: link_to_verify_account)) %>
</p>
</div>
<% elsif !user_signed_in? %>


@@ -68,7 +68,7 @@
</div>
<% end %>
<%= safe_html_with_links @proposal.description %>
<%= auto_link_already_sanitized_html @proposal.description %>
<% if @proposal.video_url.present? %>
<div class="video-link">
@@ -76,7 +76,7 @@
<span class="icon-video"></span>&nbsp;
<strong><%= t("proposals.show.title_video_url") %></strong>
</p>
<%= text_with_links @proposal.video_url %>
<%= sanitize_and_auto_link @proposal.video_url %>
</div>
<% end %>
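Review bot: `auto_link_already_sanitized_html @proposal.description` (L1143) asserts in its name that the argument was already sanitized, but nothing in this view sanitizes it, unlike the newsletter, custom-page and poll views in this PR, which pass the text through `WYSIWYGSanitizer`/`AdminWYSIWYGSanitizer` first. If `description` is sanitized in the model before save, a one-line comment here, `<%# description is sanitized by the model on save %>`, records that precondition for the next reader; otherwise wrap it the same way: `auto_link_already_sanitized_html WYSIWYGSanitizer.new.sanitize(@proposal.description)`.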


@@ -7,14 +7,14 @@
<% elsif user_signed_in? && current_user.unverified? %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<%= t("legislation.questions.participation.verified_only",
verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("legislation.questions.participation.verified_only",
verify_account: link_to_verify_account)) %>
</p>
</div>
<% elsif !user_signed_in? %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<%= t("legislation.questions.participation.unauthenticated",
signin: link_to_signin, signup: link_to_signup).html_safe %>
<%= sanitize(t("legislation.questions.participation.unauthenticated",
signin: link_to_signin, signup: link_to_signup)) %>
</div>
<% elsif !@process.debate_phase.open? %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">


@@ -5,19 +5,19 @@
</h1>
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
<%= t("mailers.budget_investment_created.intro_html",
author: @investment.author.name).html_safe %>
<%= sanitize(t("mailers.budget_investment_created.intro",
author: @investment.author.name)) %>
</p>
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
<%= t("mailers.budget_investment_created.text_html",
<%= sanitize(t("mailers.budget_investment_created.text",
investment: @investment.title,
budget: @investment.budget.name).html_safe %>
budget: @investment.budget.name)) %>
</p>
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
<%= t("mailers.budget_investment_created.follow_html",
link: link_to(t("mailers.budget_investment_created.follow_link"), budgets_url)).html_safe %>
<%= sanitize(t("mailers.budget_investment_created.follow_html",
link: link_to(t("mailers.budget_investment_created.follow_link"), budgets_url))) %>
</p>
<table style="width: 100%;">
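Review bot: Renaming `intro_html`/`text_html` to plain keys and wrapping them in `sanitize` (L1184–L1192) changes how `@investment.author.name`, `@investment.title` and `budget.name` are treated: with `_html` keys Rails HTML-escapes the interpolated values, whereas here they are spliced in raw and then tag-stripped by the sanitizer, so a (presumably user-supplied) name such as `Smith <Jones>` loses text, and markup in a name is silently removed rather than displayed. Keeping the `_html` keys without the redundant `.html_safe` is both safer and lossless: `t("mailers.budget_investment_created.intro_html", author: @investment.author.name)`. The same applies to `follow_html` at L1197, where `sanitize` is redundant because `t` already returns a safe buffer with the link interpolated correctly.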


@@ -13,7 +13,7 @@
</p>
<p style="border-left: 2px solid #DEE0E3;font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-style: italic;font-weight: normal;line-height: 24px;margin-left: 20px;padding: 10px;">
<%= text_with_links @comment.body %>
<%= sanitize_and_auto_link @comment.body %>
</p>
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 12px;font-weight: normal;line-height: 20px;">


@@ -4,7 +4,7 @@
</h1>
<div style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
<%= simple_format text_with_links(@direct_message.body), {}, sanitize: false %>
<%= simple_format sanitize_and_auto_link(@direct_message.body), {}, sanitize: false %>
</div>
<table style="width: 100%; border-top: 1px solid #DEE0E3; margin-top: 60px;">
@@ -26,9 +26,9 @@
<tr>
<td style="padding-left: 10px;">
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px; margin: 0; font-style: italic; padding-bottom: 20px;">
<%= t("mailers.direct_message_for_receiver.unsubscribe",
<%= sanitize(t("mailers.direct_message_for_receiver.unsubscribe",
account: link_to(t("mailers.direct_message_for_receiver.unsubscribe_account"),
account_url, style: "color: #2895F1; text-decoration: none;")).html_safe %>
account_url, style: "color: #2895F1; text-decoration: none;"))) %>
</p>
</td>
</tr>
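Review bot: The `sanitize` wrapper around the unsubscribe sentence (L1226–L1229) strips the `style: "color: #2895F1; text-decoration: none;"` from the `link_to`, because `style` is not in Rails' default allowed attributes; in an HTML email inline style is the only styling that survives, so the link loses its colour. Since the link is built from a fixed path and translation text, either use an `_html` translation key so `t` returns a safe buffer and drop `sanitize`, or allow the attribute explicitly: `sanitize(t(...), attributes: %w[href style])` (Rails' permit scrubber still filters the CSS declarations when `style` is allowed).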


@@ -10,6 +10,6 @@
</h2>
<div style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
<%= simple_format text_with_links(@direct_message.body), {}, sanitize: false %>
<%= simple_format sanitize_and_auto_link(@direct_message.body), {}, sanitize: false %>
</div>
</td>


@@ -14,6 +14,6 @@
<%= t("mailers.evaluation_comment.commenter_info", commenter: @email.comment.author.name, time: l(@email.comment.created_at)) %>
<div style="border-left: 2px solid #DEE0E3;font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-style: italic;font-weight: normal;line-height: 24px;margin-left: 20px;padding: 10px;">
<%= simple_format text_with_links(@email.comment.body), {}, sanitize: false %>
<%= simple_format sanitize_and_auto_link(@email.comment.body), {}, sanitize: false %>
</div>
</td>


@@ -1,5 +1,5 @@
<td style="padding-bottom: 20px; padding-left: 10px;">
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;line-height: 24px;">
<%= safe_html_with_links @newsletter.body.html_safe %>
<%= auto_link_already_sanitized_html WYSIWYGSanitizer.new.sanitize(@newsletter.body) %>
</p>
</td>


@@ -61,9 +61,9 @@
<tr>
<td style="padding-left: 10px;">
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px; margin: 0; font-style: italic; padding-bottom: 20px;">
<%= t("mailers.proposal_notification_digest.unsubscribe",
<%= sanitize(t("mailers.proposal_notification_digest.unsubscribe",
account: link_to(t("mailers.proposal_notification_digest.unsubscribe_account"),
account_url, style: "color: #2895F1; text-decoration: none;")).html_safe %>
account_url, style: "color: #2895F1; text-decoration: none;"))) %>
</p>
</td>
</tr>
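Review bot: `sanitize` around the digest unsubscribe text (L1271–L1274) drops the inline `style:` on the `link_to`, since `style` is absent from Rails' default allowed attributes, and inline style is the only styling an HTML email reliably keeps. Either switch the key to an `_html` one and remove `sanitize`, or pass `attributes: %w[href style]` so the link keeps its colour while the CSS is still scrubbed.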


@@ -13,7 +13,7 @@
</p>
<div style="border-left: 2px solid #DEE0E3;font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-style: italic;font-weight: normal;line-height: 24px;margin-left: 20px;padding: 10px;">
<%= simple_format text_with_links(@email.reply.body), {}, sanitize: false %>
<%= simple_format sanitize_and_auto_link(@email.reply.body), {}, sanitize: false %>
</div>
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 12px;font-weight: normal;line-height: 20px;">


@@ -11,6 +11,6 @@
permissions: [:debates, :create_proposals] %>
<p>
<%= t("management.document_verifications.has_no_account_html",
link: link_to(t("management.document_verifications.link"), root_path, target: "_blank")).html_safe %>
<%= sanitize(t("management.document_verifications.has_no_account_html",
link: link_to(t("management.document_verifications.link"), root_path, target: "_blank"))) %>
</p>
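Review bot: The `sanitize` added at L1296–L1297 is redundant and lossy: the key already ends in `_html`, so `t` escapes any non-safe interpolation and returns a safe buffer, and the sanitizer then removes `target="_blank"` because `target` is not in the default allowed attributes. Drop the wrapper, `<%= t("management.document_verifications.has_no_account_html", link: link_to(...)) %>`, or keep it with `attributes: %w[href target]` if the allow-listing is wanted as defence in depth.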


@@ -25,7 +25,7 @@
<%= image_tag(milestone.image_url(:large), { id: "image_#{milestone.id}", alt: milestone.image.title, class: "margin" }) if milestone.image.present? %>
<p>
<%= text_with_links milestone.description %>
<%= sanitize_and_auto_link milestone.description %>
</p>
<% if milestone.documents.present? %>


@@ -32,9 +32,9 @@
label: t("devise_views.users.registrations.new.terms",
terms: link_to(t("devise_views.users.registrations.new.terms_link"),
"/conditions",
title: t("shared.target_blank_html"),
title: t("shared.target_blank"),
target: "_blank")
).html_safe %>
) %>
<div class="small-12 medium-6 small-centered">
<%= f.submit t("devise_views.organizations.registrations.new.submit"), class: "button expanded" %>
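Review bot: Dropping `.html_safe` at L1320 leaves the terms label as a plain `String` containing the `<a>` markup, because `devise_views.users.registrations.new.terms` is not an `_html` key; if the form builder escapes labels (outside the hunk), the link will now appear as literal text. Renaming the key to `terms_html` lets `t` escape non-safe interpolations and return a safe buffer, which is the conventional replacement for the removed `html_safe`. The `title: t("shared.target_blank")` hint only makes sense while `target: "_blank"` is actually emitted, so keep both or neither.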


@@ -2,7 +2,7 @@
<p><%= t("devise_views.organizations.registrations.success.thank_you_html") %></p>
<p><%= t("devise_views.organizations.registrations.success.instructions_1_html") %></p>
<p><%= t("devise_views.organizations.registrations.success.instructions_2_html") %></p>
<p><%= t("devise_views.organizations.registrations.success.instructions_3_html") %></p>
<p><%= t("devise_views.organizations.registrations.success.instructions_3") %></p>
<p>
<%= link_to t("devise_views.organizations.registrations.success.back_to_index"),
root_path, class: "button margin-top expanded" %>


@@ -9,7 +9,7 @@
<h2><%= @custom_page.subtitle %></h2>
<% end %>
<%= safe_html_with_links AdminWYSIWYGSanitizer.new.sanitize(@custom_page.content) %>
<%= auto_link_already_sanitized_html AdminWYSIWYGSanitizer.new.sanitize(@custom_page.content) %>
</div>
<% if @custom_page.print_content_flag %>


@@ -4,13 +4,13 @@
<%= t("pages.help.budgets.title") %>
</h3>
<p>
<%= t("pages.help.budgets.description",
link: link_to(t("pages.help.budgets.link"), budgets_path)).html_safe %>
<%= sanitize(t("pages.help.budgets.description",
link: link_to(t("pages.help.budgets.link"), budgets_path))) %>
</p>
<figure>
<%= image_tag "help/budgets_#{I18n.locale}.png", alt: t("pages.help.budgets.image_alt") %>
<figcaption><%= t("pages.help.budgets.figcaption_html") %></figcaption>
<figcaption><%= t("pages.help.budgets.figcaption") %></figcaption>
</figure>
</div>
</div>


@@ -4,16 +4,16 @@
<%= t("pages.help.debates.title") %>
</h3>
<p>
<%= t("pages.help.debates.description",
<%= sanitize(t("pages.help.debates.description",
org: setting["org_name"],
link: link_to(t("pages.help.debates.link"),
debates_path)).html_safe %>
debates_path))) %>
</p>
<ul class="features">
<li>
<%= t("pages.help.debates.feature_html",
<%= sanitize(t("pages.help.debates.feature_html",
link: link_to(t("pages.help.debates.feature_link", org: setting["org_name"]),
new_user_registration_path)).html_safe %>
new_user_registration_path))) %>
</li>
</ul>


@@ -2,14 +2,14 @@
<div class="small-12 column">
<h3 id="polls" data-magellan-target="polls"><%= t("pages.help.polls.title") %></h3>
<p>
<%= t("pages.help.polls.description",
link: link_to(t("pages.help.polls.link"), polls_path)).html_safe %>
<%= sanitize(t("pages.help.polls.description",
link: link_to(t("pages.help.polls.link"), polls_path))) %>
</p>
<ul class="features">
<li>
<%= t("pages.help.polls.feature_1",
<%= sanitize(t("pages.help.polls.feature_1",
link: link_to(t("pages.help.polls.feature_1_link", org_name: setting["org_name"]),
new_user_registration_path)).html_safe %>
new_user_registration_path))) %>
</li>
</ul>
</div>


@@ -6,7 +6,7 @@
<p>
<% link = link_to(t("pages.help.processes.link"), legislation_processes_path) %>
<%= t("pages.help.processes.description", link: link).html_safe %>
<%= sanitize(t("pages.help.processes.description", link: link)) %>
</p>
<ul class="features">
<li>


@@ -4,13 +4,13 @@
<%= t("pages.help.proposals.title") %>
</h3>
<p>
<%= t("pages.help.proposals.description",
link: link_to(t("pages.help.proposals.link"), proposals_path)).html_safe %>
<%= sanitize(t("pages.help.proposals.description",
link: link_to(t("pages.help.proposals.link"), proposals_path))) %>
</p>
<figure>
<%= image_tag "help/proposals_#{I18n.locale}.png", alt: t("pages.help.proposals.image_alt") %>
<figcaption><%= t("pages.help.proposals.figcaption_html") %></figcaption>
<figcaption><%= t("pages.help.proposals.figcaption") %></figcaption>
</figure>
</div>
</div>


@@ -1,9 +1,9 @@
<% unless can?(:answer, @poll) %>
<% if current_user.nil? %>
<div class="callout primary">
<%= t("polls.show.cant_answer_not_logged_in",
<%= sanitize(t("polls.show.cant_answer_not_logged_in",
signin: link_to_signin(class: "probe-message"),
signup: link_to_signup(class: "probe-message")).html_safe %>
signup: link_to_signup(class: "probe-message"))) %>
</div>
<% elsif current_user.unverified? %>
<div class="callout warning">


@@ -9,7 +9,7 @@
<h1><%= @poll.name %></h1>
<%= safe_html_with_links simple_format(@poll.summary) %>
<%= auto_link_already_sanitized_html simple_format(@poll.summary) %>
<% if @poll.geozones.any? %>
<ul class="no-bullet margin-top tags">


@@ -14,7 +14,7 @@
<div class="small-12 column">
<% if show_polls_description? %>
<div class="polls-description">
<%= safe_html_with_links WYSIWYGSanitizer.new.sanitize(@active_poll.description) %>
<%= auto_link_already_sanitized_html WYSIWYGSanitizer.new.sanitize(@active_poll.description) %>
</div>
<% end %>


@@ -41,7 +41,7 @@
<div class="row margin">
<div class="small-12 medium-9 column">
<h3><%= t("polls.show.more_info_title") %></h3>
<%= safe_html_with_links simple_format(@poll.description) %>
<%= auto_link_already_sanitized_html simple_format(@poll.description) %>
</div>
<% if false %>


@@ -6,10 +6,10 @@
<div class="callout primary">
<p>
<%= t("proposal_notifications.new.info_about_receivers_html",
<%= sanitize(t("proposal_notifications.new.info_about_receivers_html",
count: @proposal.users_to_notify.count,
proposal_page: link_to(t("proposal_notifications.new.proposal_page"),
proposal_path(@proposal, anchor: "comments"))).html_safe %>
proposal_path(@proposal, anchor: "comments")))) %>
</p>
</div>
</div>
