diff --git a/.erb-lint.yml b/.erb-lint.yml
index 5f48c3355..e87a778f8 100644
--- a/.erb-lint.yml
+++ b/.erb-lint.yml
@@ -1,5 +1,7 @@
---
linters:
+ ErbSafety:
+ enabled: true
ExtraNewline:
enabled: true
FinalNewline:
diff --git a/.rubocop_basic.yml b/.rubocop_basic.yml
index a348f705b..ba3b32daa 100644
--- a/.rubocop_basic.yml
+++ b/.rubocop_basic.yml
@@ -160,6 +160,12 @@ Rails/Date:
Rails/HttpPositionalArguments:
Enabled: true
+Rails/OutputSafety:
+ Enabled: true
+ Severity: warning
+ Exclude:
+ - app/helpers/text_with_links_helper.rb
+
Rails/PluralizationGrammar:
Enabled: true
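Review bot: The file-level `Exclude` for `app/helpers/text_with_links_helper.rb` switches the cop off for that whole file, so any `html_safe` or `raw` added there later goes unreported, while the only deliberate use in this commit is the single `raw Rinku.auto_link(...)` line. A narrower option is to drop the `Exclude` entry and mark that one line with `raw Rinku.auto_link(html, :all, 'target="_blank" rel="nofollow"') # rubocop:disable Rails/OutputSafety`, which keeps the cop watching the rest of the helper. Either way a short comment next to the exclusion saying why that file is allowed to bypass the cop would help the next person who touches the config.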
diff --git a/Gemfile.lock b/Gemfile.lock
index f86ab3ced..788ea82b6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -313,7 +313,7 @@ GEM
actionmailer (>= 3.2)
letter_opener (~> 1.0)
railties (>= 3.2)
- loofah (2.3.0)
+ loofah (2.2.3)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
mail (2.7.1)
diff --git a/app/controllers/admin/legislation/draft_versions_controller.rb b/app/controllers/admin/legislation/draft_versions_controller.rb
index 21a4564ff..26f266f90 100644
--- a/app/controllers/admin/legislation/draft_versions_controller.rb
+++ b/app/controllers/admin/legislation/draft_versions_controller.rb
@@ -10,7 +10,7 @@ class Admin::Legislation::DraftVersionsController < Admin::Legislation::BaseCont
def create
if @draft_version.save
- link = legislation_process_draft_version_path(@process, @draft_version).html_safe
+ link = legislation_process_draft_version_path(@process, @draft_version)
notice = t("admin.legislation.draft_versions.create.notice", link: link)
redirect_to admin_legislation_process_draft_versions_path, notice: notice
else
@@ -21,7 +21,7 @@ class Admin::Legislation::DraftVersionsController < Admin::Legislation::BaseCont
def update
if @draft_version.update(draft_version_params)
- link = legislation_process_draft_version_path(@process, @draft_version).html_safe
+ link = legislation_process_draft_version_path(@process, @draft_version)
notice = t("admin.legislation.draft_versions.update.notice", link: link)
edit_path = edit_admin_legislation_process_draft_version_path(@process, @draft_version)
redirect_to edit_path, notice: notice
diff --git a/app/controllers/admin/legislation/homepages_controller.rb b/app/controllers/admin/legislation/homepages_controller.rb
index 6cc2062a8..0a7f04452 100644
--- a/app/controllers/admin/legislation/homepages_controller.rb
+++ b/app/controllers/admin/legislation/homepages_controller.rb
@@ -8,7 +8,7 @@ class Admin::Legislation::HomepagesController < Admin::Legislation::BaseControll
def update
if @process.update(process_params)
- link = legislation_process_path(@process).html_safe
+ link = legislation_process_path(@process)
redirect_back(fallback_location: (request.referer || root_path),
notice: t("admin.legislation.processes.update.notice", link: link))
else
diff --git a/app/controllers/admin/legislation/processes_controller.rb b/app/controllers/admin/legislation/processes_controller.rb
index d9833e713..679fb3897 100644
--- a/app/controllers/admin/legislation/processes_controller.rb
+++ b/app/controllers/admin/legislation/processes_controller.rb
@@ -23,7 +23,7 @@ class Admin::Legislation::ProcessesController < Admin::Legislation::BaseControll
def create
if @process.save
- link = legislation_process_path(@process).html_safe
+ link = legislation_process_path(@process)
notice = t("admin.legislation.processes.create.notice", link: link)
redirect_to edit_admin_legislation_process_path(@process), notice: notice
else
@@ -36,7 +36,7 @@ class Admin::Legislation::ProcessesController < Admin::Legislation::BaseControll
if @process.update(process_params)
set_tag_list
- link = legislation_process_path(@process).html_safe
+ link = legislation_process_path(@process)
redirect_back(fallback_location: (request.referer || root_path),
notice: t("admin.legislation.processes.update.notice", link: link))
else
diff --git a/app/controllers/admin/legislation/questions_controller.rb b/app/controllers/admin/legislation/questions_controller.rb
index e5bcb57ae..43a17f967 100644
--- a/app/controllers/admin/legislation/questions_controller.rb
+++ b/app/controllers/admin/legislation/questions_controller.rb
@@ -41,7 +41,7 @@ class Admin::Legislation::QuestionsController < Admin::Legislation::BaseControll
private
def question_path
- legislation_process_question_path(@process, @question).html_safe
+ legislation_process_question_path(@process, @question)
end
def question_params
diff --git a/app/controllers/direct_uploads_controller.rb b/app/controllers/direct_uploads_controller.rb
index d1d52eb4c..425c43200 100644
--- a/app/controllers/direct_uploads_controller.rb
+++ b/app/controllers/direct_uploads_controller.rb
@@ -17,7 +17,7 @@ class DirectUploadsController < ApplicationController
render json: { cached_attachment: @direct_upload.relation.cached_attachment,
filename: @direct_upload.relation.attachment.original_filename,
- destroy_link: render_destroy_upload_link(@direct_upload).html_safe,
+ destroy_link: render_destroy_upload_link(@direct_upload),
attachment_url: @direct_upload.relation.attachment.url }
else
@direct_upload.destroy_attachment
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 40dd1073b..1033d0420 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -32,7 +32,8 @@ module ApplicationHelper
strikethrough: true,
superscript: true
}
- Redcarpet::Markdown.new(renderer, extensions).render(text).html_safe
+
+ sanitize(Redcarpet::Markdown.new(renderer, extensions).render(text))
end
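Review bot: `sanitize` applies Rails' default tag safe list, so the Markdown output changes beyond the safety fix: `sup` and `del` (from the `superscript` and `strikethrough` extensions visible here) are on the default list, but `table`/`tr`/`td`/`th` are not, so if the `extensions` hash that starts above this hunk enables tables, those render as bare text. If richer output is wanted, pass an explicit list such as `sanitize(html, tags: %w[...], attributes: %w[...])` rather than relying on the default. A one-line comment above the call stating that the safe list is what makes marking renderer output safe acceptable would document the intent; the enclosing method begins outside the hunk.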
def author_of?(authorable, user)
diff --git a/app/helpers/budget_investments_helper.rb b/app/helpers/budget_investments_helper.rb
index bcfdf0f49..1e6d8405e 100644
--- a/app/helpers/budget_investments_helper.rb
+++ b/app/helpers/budget_investments_helper.rb
@@ -10,7 +10,7 @@ module BudgetInvestmentsHelper
translation = t("admin.budget_investments.index.list.#{column}")
link_to(
- "#{translation} ".html_safe,
+ safe_join([translation, content_tag(:span, "", class: "icon-sortable #{icon}")]),
admin_budget_budget_investments_path(sort_by: column, direction: direction)
)
end
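Review bot: `safe_join` is called without a separator, so the caption and the sort-icon `span` are concatenated with nothing between them, whereas the removed string had a trailing space after `#{translation}`; unless the `icon-sortable` CSS supplies the spacing, pass it explicitly: `safe_join([translation, content_tag(:span, "", class: "icon-sortable #{icon}")], " ")`. `translation` and `icon` are now escaped by `safe_join`/`content_tag`, which is the intended gain of the change.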
diff --git a/app/helpers/documents_helper.rb b/app/helpers/documents_helper.rb
index da1588398..1386796bb 100644
--- a/app/helpers/documents_helper.rb
+++ b/app/helpers/documents_helper.rb
@@ -50,10 +50,11 @@ module DocumentsHelper
end
def document_item_link(document)
- link_to "#{document.title} (#{document.humanized_content_type} | \
- #{number_to_human_size(document.attachment_file_size)} )".html_safe,
- document.attachment.url,
- target: "_blank",
- title: t("shared.target_blank_html")
+ info_text = "#{document.humanized_content_type} | #{number_to_human_size(document.attachment_file_size)}"
+
+ link_to safe_join([document.title, content_tag(:small, "(#{info_text})")], " "),
+ document.attachment.url,
+ target: "_blank",
+ title: t("shared.target_blank")
end
end
diff --git a/app/helpers/proposals_dashboard_helper.rb b/app/helpers/proposals_dashboard_helper.rb
index 16efad83a..4416c9fd8 100644
--- a/app/helpers/proposals_dashboard_helper.rb
+++ b/app/helpers/proposals_dashboard_helper.rb
@@ -65,7 +65,7 @@ module ProposalsDashboardHelper
supports: number_with_delimiter(resource.required_supports,
delimiter: ".")) if resource.required_supports > 0
- label.join(" #{t("dashboard.resource.and")} ")
+ safe_join label, h(" #{t("dashboard.resource.and")})") + tag(:br)
end
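Review bot: The separator passed to `h` ends in a literal `)` — `" #{t("dashboard.resource.and")})"` — which the removed `join` separator did not contain, so every label after the first would be prefixed with `and)`; unless that is intentional it should read `safe_join label, h(" #{t("dashboard.resource.and")} ") + tag(:br)`. The method that builds `label` starts above this hunk, so whether its elements are plain strings cannot be checked here, but `safe_join` escapes unsafe entries, so `t(...)` results are handled correctly.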
def daily_selected_class
@@ -97,7 +97,7 @@ module ProposalsDashboardHelper
end
def proposed_action_description(proposed_action)
- raw proposed_action.description.truncate(200)
+ sanitize proposed_action.description.truncate(200)
end
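Review bot: `proposed_action.description` is cleaned here with Rails' default `sanitize`, while the same kind of field is cleaned with `WYSIWYGSanitizer.new.sanitize(first_proposed_action.description)` in the `new_actions_notification_rake_created` and `_rake_published` mailer views of this commit, so the allowed markup differs between the two paths; using the same sanitizer in both places avoids that divergence. `truncate(200)` also runs on the raw HTML before sanitising, so the 200 characters include markup and a tag or entity can be cut mid-way; the sanitizer repairs the fragment, but the visible text length is then unpredictable, which is worth a comment if it is accepted.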
def proposed_action_long_description?(proposed_action)
diff --git a/app/helpers/signature_sheets_helper.rb b/app/helpers/signature_sheets_helper.rb
index d40689837..20ef2e709 100644
--- a/app/helpers/signature_sheets_helper.rb
+++ b/app/helpers/signature_sheets_helper.rb
@@ -24,10 +24,10 @@ module SignatureSheetsHelper
text_help += t("admin.signature_sheets.new.text_help.postal_code_note")
end
- text_help += " "
+ text_help += tag(:br)
text_help += t("admin.signature_sheets.new.text_help.required_fields_structure_note")
- return text_help.html_safe
+ return text_help
end
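Review bot: `text_help += tag(:br)` mixes a `SafeBuffer` into `+=` on a string whose initial value is set above this hunk: if `text_help` starts as a plain `String`, `String#+` returns a plain `String`, the result is no longer `html_safe?` once the trailing `.html_safe` is gone, and the `<br>` is printed literally; if it starts as a `SafeBuffer`, each `+=` of a translation escapes that translation, which is fine. The robust form is to collect the sentences in an array and return `safe_join(parts, tag(:br))`, which escapes each plain string exactly once and keeps the break as markup. The enclosing method begins outside the hunk.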
def example_text_help
diff --git a/app/helpers/text_with_links_helper.rb b/app/helpers/text_with_links_helper.rb
index b59c6ae7f..f01376847 100644
--- a/app/helpers/text_with_links_helper.rb
+++ b/app/helpers/text_with_links_helper.rb
@@ -1,16 +1,16 @@
module TextWithLinksHelper
- def text_with_links(text)
+ def sanitize_and_auto_link(text)
return unless text
sanitized = sanitize(text, tags: [], attributes: [])
- Rinku.auto_link(sanitized, :all, 'target="_blank" rel="nofollow"').html_safe
+ auto_link_already_sanitized_html(sanitized)
end
- def safe_html_with_links(html)
+ def auto_link_already_sanitized_html(html)
return if html.nil?
- html = ActiveSupport::SafeBuffer.new(html) if html.is_a?(String)
- return html.html_safe unless html.html_safe?
- Rinku.auto_link(html, :all, 'target="_blank" rel="nofollow"').html_safe
+ raise "Could not add links because the content is not safe" unless html.html_safe?
+
+ raw Rinku.auto_link(html, :all, 'target="_blank" rel="nofollow"')
end
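Review bot: The anchors Rinku emits open in a new tab with `rel="nofollow"` only; adding `noopener` stops the opened page from reaching `window.opener`, i.e. `raw Rinku.auto_link(html, :all, 'target="_blank" rel="nofollow noopener"')`. The guard raises a bare `RuntimeError`; `raise ArgumentError, "Could not add links because the content is not safe"` names the actual fault (a caller passed unsanitised content) and is easier to rescue specifically. A one-line comment above `raw` saying that `html` is already safe and Rinku only wraps URLs in anchors would record why `raw` is acceptable at this one spot.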
def simple_format_no_tags_no_sanitize(html)
diff --git a/app/helpers/translatable_form_helper.rb b/app/helpers/translatable_form_helper.rb
index 92eff3d33..78ce9566d 100644
--- a/app/helpers/translatable_form_helper.rb
+++ b/app/helpers/translatable_form_helper.rb
@@ -26,9 +26,9 @@ module TranslatableFormHelper
visible_locales.map do |locale|
@translations[locale] = translation_for(locale)
end
- visible_locales.map do |locale|
+ safe_join(visible_locales.map do |locale|
Globalize.with_locale(locale) { fields_for_locale(locale, &block) }
- end.join.html_safe
+ end)
end
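Review bot: A `do…end` block as the argument of a parenthesised `safe_join(...)` call is hard to read, and it sits next to a `map` on the context line above that is used only for its side effect. A local keeps the join visible — assign the rendered fields to `fields` and finish with `safe_join(fields)` — or use brace blocks: `safe_join(visible_locales.map { |locale| Globalize.with_locale(locale) { fields_for_locale(locale, &block) } })`. The enclosing method begins outside the hunk.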
private
diff --git a/app/helpers/valuation_helper.rb b/app/helpers/valuation_helper.rb
index 8767ebb96..428d7fb14 100644
--- a/app/helpers/valuation_helper.rb
+++ b/app/helpers/valuation_helper.rb
@@ -14,7 +14,7 @@ module ValuationHelper
end
def explanation_field(field)
- simple_format_no_tags_no_sanitize(safe_html_with_links(field.html_safe)) if field.present?
+ simple_format_no_tags_no_sanitize(sanitize_and_auto_link(field)) if field.present?
end
end
diff --git a/app/views/admin/budget_investments/_select_investment.html.erb b/app/views/admin/budget_investments/_select_investment.html.erb
index 793e05c7c..b293894b2 100644
--- a/app/views/admin/budget_investments/_select_investment.html.erb
+++ b/app/views/admin/budget_investments/_select_investment.html.erb
@@ -31,7 +31,7 @@
<%= link_to "#{content_block.heading.name} (#{content_block.locale})", admin_site_customization_edit_heading_content_block_path(content_block) %>
- <%= content_block.body.html_safe %>
+ <%= raw content_block.body %>
<%= link_to t("admin.site_customization.content_blocks.index.delete"),
admin_site_customization_delete_heading_content_block_path(content_block.id),
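Review bot: `raw content_block.body` is behaviourally identical to the removed `.html_safe`: the body is still rendered without sanitisation, the change only makes that explicit. The surrounding `admin_site_customization_…_content_block_path` routes suggest the body is admin-authored HTML, which is the only reason this is acceptable; record that with an ERB comment such as `<%# content_block.body is admin-authored HTML, rendered unsanitized on purpose %>` so the next reader, and the ErbSafety linter this commit enables, sees the decision rather than an unexplained `raw`.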
diff --git a/app/views/budgets/_phases.html.erb b/app/views/budgets/_phases.html.erb
index 61dd1904c..f9791a43e 100644
--- a/app/views/budgets/_phases.html.erb
+++ b/app/views/budgets/_phases.html.erb
@@ -7,7 +7,7 @@
-
<%= l(phase.ends_at.to_date - 1.day, format: :long) if phase.ends_at.present? %>
- <%= safe_html_with_links(phase.summary) %>
+ <%= auto_link_already_sanitized_html(WYSIWYGSanitizer.new.sanitize(phase.summary)) %>
<% end %>
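Review bot: `auto_link_already_sanitized_html` now raises unless its argument is `html_safe?`, so this line depends on `WYSIWYGSanitizer#sanitize` returning a `SafeBuffer` rather than a plain `String`; that class is outside the diff, so its return type, and its behaviour on a `nil` `phase.summary`, should be confirmed. The same dependence appears in `dashboard/actions/new_request.html.erb` and the `new_actions_notification_rake_created`/`_rake_published` mailer views, where `<%= WYSIWYGSanitizer.new.sanitize(...) %>` would HTML-escape the whole fragment if the result is not marked safe.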
diff --git a/app/views/budgets/ballot/_ballot.html.erb b/app/views/budgets/ballot/_ballot.html.erb
index e99de7510..c29a2b4f0 100644
--- a/app/views/budgets/ballot/_ballot.html.erb
+++ b/app/views/budgets/ballot/_ballot.html.erb
@@ -10,7 +10,7 @@
count: @ballot.investments.count) %>
- <%= t("budgets.ballots.show.voted_info_html") %>
+ <%= t("budgets.ballots.show.voted_info") %>
<%= t("budgets.ballots.show.voted_info_2") %>
@@ -26,8 +26,8 @@
<%= group.name %> - <%= @ballot.heading_for_group(group).name %>
- <%= link_to t("budgets.ballots.show.remaining",
- amount: @ballot.formatted_amount_available(@ballot.heading_for_group(group))).html_safe,
+ <%= link_to sanitize(t("budgets.ballots.show.remaining",
+ amount: @ballot.formatted_amount_available(@ballot.heading_for_group(group)))),
budget_group_path(@budget, group) %>
<% if @ballot.has_lines_in_group?(group) %>
diff --git a/app/views/budgets/index.html.erb b/app/views/budgets/index.html.erb
index e194af049..3ad23eec3 100644
--- a/app/views/budgets/index.html.erb
+++ b/app/views/budgets/index.html.erb
@@ -15,7 +15,7 @@
<%= current_budget.name %>
- <%= safe_html_with_links(current_budget.description) %>
+ <%= auto_link_already_sanitized_html(current_budget.description) %>
<%= link_to t("budgets.index.section_header.help"), "#section_help" %>
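Review bot: `current_budget.description` is passed straight to `auto_link_already_sanitized_html`, which after this commit raises when its argument is not `html_safe?`; a plain ActiveRecord string attribute is not, so this renders only if `Budget#description` (outside the diff) returns a safe buffer, e.g. through a sanitising reader. `budgets/_phases.html.erb` wraps its attribute in `WYSIWYGSanitizer.new.sanitize(...)` first, so the same pattern belongs here and in `budgets/show.html.erb`, `debates/show.html.erb` and `budgets/investments/_investment_detail.erb` unless those readers are known to be safe. Because the guard is a runtime exception, a missing sanitiser shows up as a 500 on first render, so a view spec covering these pages would be cheap insurance.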
@@ -37,14 +37,14 @@
class: "button margin-top expanded" %>
<% else %>
- <%= t("budgets.investments.index.sidebar.verified_only",
- verify: link_to_verify_account).html_safe %>
+ <%= sanitize(t("budgets.investments.index.sidebar.verified_only",
+ verify: link_to_verify_account)) %>
<% end %>
<% else %>
- <%= t("budgets.investments.index.sidebar.not_logged_in",
- sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
+ <%= sanitize(t("budgets.investments.index.sidebar.not_logged_in",
+ sign_in: link_to_signin, sign_up: link_to_signup)) %>
<% end %>
<% end %>
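Review bot: `sanitize` applies Rails' default attribute safe list, which keeps `href`, `class` and `title` but drops `target`, `rel` and every `data-*` attribute, so any such attribute produced by `link_to_verify_account`, `link_to_signin` or `link_to_signup` is silently removed before the HTML reaches the page. The effect is visible in `layouts/_footer.html.erb`, where `link_to(..., target: "blank", rel: "nofollow")` is wrapped in `sanitize` and both attributes will be stripped; the same wrapping is used in `budgets/investments/_ballot`, `_header`, `_sidebar`, `_votes`, `budgets/show`, `debates/_votes`, `debates/index`, `debates/new`, `devise/sessions/new`, `direct_messages/new` and the dashboard mailer views. Either pass an explicit list, e.g. `sanitize(html, attributes: %w[href target rel class])`, or keep the helper-built links out of the sanitiser by interpolating them into an `_html` translation key, which escapes plain interpolated strings and leaves safe buffers intact.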
diff --git a/app/views/budgets/investments/_ballot.html.erb b/app/views/budgets/investments/_ballot.html.erb
index ae027b2fc..73fe2fe8b 100644
--- a/app/views/budgets/investments/_ballot.html.erb
+++ b/app/views/budgets/investments/_ballot.html.erb
@@ -51,11 +51,11 @@
- <%= t("budgets.ballots.reasons_for_not_balloting.#{reason}",
+ <%= sanitize(t("budgets.ballots.reasons_for_not_balloting.#{reason}",
verify_account: link_to_verify_account, signin: link_to_signin,
signup: link_to_signup, my_heading: my_heading,
change_ballot: change_ballot,
- heading_link: heading_link(@assigned_heading, @budget)).html_safe %>
+ heading_link: heading_link(@assigned_heading, @budget))) %>
diff --git a/app/views/budgets/investments/_form.html.erb b/app/views/budgets/investments/_form.html.erb
index e080f2ede..138743669 100644
--- a/app/views/budgets/investments/_form.html.erb
+++ b/app/views/budgets/investments/_form.html.erb
@@ -93,7 +93,8 @@
title: t("form.accept_terms_title"),
label: t("form.accept_terms",
policy: link_to(t("form.policy"), "/privacy", target: "blank"),
- conditions: link_to(t("form.conditions"), "/conditions", target: "blank")).html_safe %>
+ conditions: link_to(t("form.conditions"), "/conditions", target: "blank")
+ ) %>
<% end %>
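Review bot: Dropping `.html_safe` from the `label:` value means the string built by `t("form.accept_terms", policy: link_to(...), conditions: link_to(...))` is a plain `String` carrying `<a>` markup; unless the helper that receives `label:` (outside the hunk) sanitises or marks it safe, the anchors will be rendered as escaped text. The same applies to `debates/_form.html.erb` in this commit. Wrapping the value as `sanitize(t(...))`, as the other views here do, or renaming the key to `form.accept_terms_html`, keeps the links live; note that these `link_to` calls use `target: "blank"`, which the default sanitiser drops.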
diff --git a/app/views/budgets/investments/_header.html.erb b/app/views/budgets/investments/_header.html.erb
index 48f78411b..e46e2d287 100644
--- a/app/views/budgets/investments/_header.html.erb
+++ b/app/views/budgets/investments/_header.html.erb
@@ -40,9 +40,9 @@
heading_link: heading_link(@assigned_heading, @budget)) %>
- <%= t("budgets.investments.header.change_ballot",
+ <%= sanitize(t("budgets.investments.header.change_ballot",
check_ballot: link_to(t("budgets.investments.header.check_ballot_link"),
- budget_ballot_path(@budget))).html_safe %>
+ budget_ballot_path(@budget)))) %>
diff --git a/app/views/budgets/investments/_investment_detail.erb b/app/views/budgets/investments/_investment_detail.erb
index 6c49abe38..3e9098d8f 100644
--- a/app/views/budgets/investments/_investment_detail.erb
+++ b/app/views/budgets/investments/_investment_detail.erb
@@ -22,7 +22,7 @@
<%= t("budgets.investments.show.code_html", code: investment.id) %>
-<%= safe_html_with_links investment.description.html_safe %>
+<%= auto_link_already_sanitized_html investment.description %>
<% if feature?(:map) && map_location_available?(@investment.map_location) %>
@@ -52,7 +52,7 @@
<% if investment.external_url.present? %>
- <%= text_with_links investment.external_url %>
+ <%= sanitize_and_auto_link investment.external_url %>
<% end %>
diff --git a/app/views/budgets/investments/_sidebar.html.erb b/app/views/budgets/investments/_sidebar.html.erb
index 63d577241..b962db9e4 100644
--- a/app/views/budgets/investments/_sidebar.html.erb
+++ b/app/views/budgets/investments/_sidebar.html.erb
@@ -6,17 +6,17 @@
new_budget_investment_path(budget_id: @budget.id), class: "button budget expanded" %>
<% else %>
- <%= t("budgets.investments.index.sidebar.verified_only",
- verify: link_to_verify_account).html_safe %>
+ <%= sanitize(t("budgets.investments.index.sidebar.verified_only",
+ verify: link_to_verify_account)) %>
<% end %>
<% end %>
<% if @heading && can?(:show, @ballot) %>
- <%= t("budgets.investments.index.sidebar.voted_info",
+ <%= sanitize(t("budgets.investments.index.sidebar.voted_info",
link: link_to(t("budgets.investments.index.sidebar.voted_info_link"),
- budget_ballot_path(@budget))).html_safe %>
+ budget_ballot_path(@budget)))) %>
<% end %>
@@ -52,9 +52,9 @@
) %>
- <%= t("budgets.investments.index.sidebar.change_ballot",
+ <%= sanitize(t("budgets.investments.index.sidebar.change_ballot",
check_ballot: link_to(t("budgets.investments.index.sidebar.check_ballot_link"),
- budget_ballot_path(@budget))).html_safe %>
+ budget_ballot_path(@budget)))) %>
<% else %>
diff --git a/app/views/budgets/investments/_votes.html.erb b/app/views/budgets/investments/_votes.html.erb
index 9fca61f6e..b4733a29b 100644
--- a/app/views/budgets/investments/_votes.html.erb
+++ b/app/views/budgets/investments/_votes.html.erb
@@ -31,13 +31,13 @@
- <%= t("votes.budget_investments.#{reason}",
+ <%= sanitize(t("votes.budget_investments.#{reason}",
count: investment.group.max_votable_headings,
verify_account: link_to_verify_account,
signin: link_to_signin,
signup: link_to_signup,
supported_headings: (current_user && current_user.headings_voted_within_group(investment.group).map(&:name).sort.to_sentence)
- ).html_safe %>
+ )) %>
diff --git a/app/views/budgets/show.html.erb b/app/views/budgets/show.html.erb
index 0d1bf5779..826752248 100644
--- a/app/views/budgets/show.html.erb
+++ b/app/views/budgets/show.html.erb
@@ -9,7 +9,7 @@
<%= @budget.name %>
- <%= safe_html_with_links(@budget.description) %>
+ <%= auto_link_already_sanitized_html(@budget.description) %>
@@ -23,14 +23,14 @@
<%= link_to t("budgets.investments.index.sidebar.create"), new_budget_investment_path(@budget), class: "button margin-top expanded" %>
<% else %>
- <%= t("budgets.investments.index.sidebar.verified_only",
- verify: link_to_verify_account).html_safe %>
+ <%= sanitize(t("budgets.investments.index.sidebar.verified_only",
+ verify: link_to_verify_account)) %>
<% end %>
<% else %>
- <%= t("budgets.investments.index.sidebar.not_logged_in",
- sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
+ <%= sanitize(t("budgets.investments.index.sidebar.not_logged_in",
+ sign_in: link_to_signin, sign_up: link_to_signup)) %>
<% end %>
<% end %>
diff --git a/app/views/comments/_comment.html.erb b/app/views/comments/_comment.html.erb
index 6104d955f..56667f26d 100644
--- a/app/views/comments/_comment.html.erb
+++ b/app/views/comments/_comment.html.erb
@@ -80,7 +80,7 @@
diff --git a/app/views/dashboard/actions/new_request.html.erb b/app/views/dashboard/actions/new_request.html.erb
index 1b6fd3710..ba6486ce5 100644
--- a/app/views/dashboard/actions/new_request.html.erb
+++ b/app/views/dashboard/actions/new_request.html.erb
@@ -2,7 +2,7 @@
- <%== dashboard_action.description %>
+ <%= WYSIWYGSanitizer.new.sanitize(dashboard_action.description) %>
<%= render "dashboard/form" %>
diff --git a/app/views/dashboard/mailer/new_actions_notification_on_create.html.erb b/app/views/dashboard/mailer/new_actions_notification_on_create.html.erb
index b26d8f7f9..0f1df7ddd 100644
--- a/app/views/dashboard/mailer/new_actions_notification_on_create.html.erb
+++ b/app/views/dashboard/mailer/new_actions_notification_on_create.html.erb
@@ -6,7 +6,7 @@
<%= t("mailers.new_actions_notification_on_create.text_1") %>
- <%= t("mailers.new_actions_notification_on_create.text_2", link: proposal_dashboard_url(@proposal)).html_safe %>
+ <%= sanitize(t("mailers.new_actions_notification_on_create.text_2", link: proposal_dashboard_url(@proposal))) %>
<%= t("mailers.new_actions_notification_on_create.text_3") %>
<%= t("mailers.new_actions_notification_on_create.text_4") %>
diff --git a/app/views/dashboard/mailer/new_actions_notification_on_published.html.erb b/app/views/dashboard/mailer/new_actions_notification_on_published.html.erb
index bae02cd64..e566ebd03 100644
--- a/app/views/dashboard/mailer/new_actions_notification_on_published.html.erb
+++ b/app/views/dashboard/mailer/new_actions_notification_on_published.html.erb
@@ -36,7 +36,7 @@
<%= first_proposed_action.title %>
<% if first_proposed_action.short_description.present? %>
- <%= first_proposed_action.short_description.html_safe %>
+ <%= first_proposed_action.short_description %>
<% end %>
<% end %>
diff --git a/app/views/dashboard/mailer/new_actions_notification_rake_created.html.erb b/app/views/dashboard/mailer/new_actions_notification_rake_created.html.erb
index ff6f3d817..7f4d74cb1 100644
--- a/app/views/dashboard/mailer/new_actions_notification_rake_created.html.erb
+++ b/app/views/dashboard/mailer/new_actions_notification_rake_created.html.erb
@@ -10,9 +10,9 @@
title: @proposal.title) %>
- <%= t("mailers.new_actions_notification_rake_created.text_1",
+ <%= sanitize(t("mailers.new_actions_notification_rake_created.text_1",
link_to_published: link_to(proposal_dashboard_url(@proposal),
- proposal_dashboard_url(@proposal))).html_safe %>
+ proposal_dashboard_url(@proposal)))) %>
<%= t("mailers.new_actions_notification_rake_created.text_2") %>
@@ -35,7 +35,7 @@
<%= first_proposed_action.title %>
<% if first_proposed_action.description.present? %>
- <%= first_proposed_action.description.html_safe %>
+ <%= WYSIWYGSanitizer.new.sanitize(first_proposed_action.description) %>
<% end %>
diff --git a/app/views/dashboard/mailer/new_actions_notification_rake_published.html.erb b/app/views/dashboard/mailer/new_actions_notification_rake_published.html.erb
index f8d7b0d7d..f4b00ba40 100644
--- a/app/views/dashboard/mailer/new_actions_notification_rake_published.html.erb
+++ b/app/views/dashboard/mailer/new_actions_notification_rake_published.html.erb
@@ -36,7 +36,7 @@
<%= first_proposed_action.title %>
<% if first_proposed_action.description.present? %>
- <%= first_proposed_action.description.html_safe %>
+ <%= WYSIWYGSanitizer.new.sanitize(first_proposed_action.description) %>
<% end %>
diff --git a/app/views/dashboard/mailing/new.html.erb b/app/views/dashboard/mailing/new.html.erb
index 9cd2a34b5..1c24c2d91 100644
--- a/app/views/dashboard/mailing/new.html.erb
+++ b/app/views/dashboard/mailing/new.html.erb
@@ -1,7 +1,7 @@
<% content_for :action_title, t("dashboard.mailing.new.title") %>
- <%== Setting["proposals.email_description"] %>
+ <%= Setting["proposals.email_description"] %>
<%= render "mailing_options" %>
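Review bot: Switching `<%==` to `<%=` changes `Setting["proposals.email_description"]` from raw output to HTML-escaped output, so if that setting holds admin-entered HTML (its value is outside the diff) the markup is now shown literally rather than rendered. The same switch is made in `dashboard/polls/index.html.erb` and `dashboard/poster/new.html.erb`. If those settings are meant to carry markup, `sanitize(Setting["proposals.email_description"])` or `WYSIWYGSanitizer.new.sanitize(...)`, as used elsewhere in this commit, keeps the allowed tags while still removing scripts; if they are plain text, the change is correct as is and a short comment saying so would stop it being "fixed" back.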
diff --git a/app/views/dashboard/polls/index.html.erb b/app/views/dashboard/polls/index.html.erb
index 031c0da4f..24c9fd82d 100644
--- a/app/views/dashboard/polls/index.html.erb
+++ b/app/views/dashboard/polls/index.html.erb
@@ -1,7 +1,7 @@
<% content_for :action_title, t("dashboard.polls.index.title") %>
- <%== Setting["proposals.poll_description"] %>
+ <%= Setting["proposals.poll_description"] %>
<% if @polls.any? %>
diff --git a/app/views/dashboard/poster/new.html.erb b/app/views/dashboard/poster/new.html.erb
index 893f05ff9..172b34f92 100644
--- a/app/views/dashboard/poster/new.html.erb
+++ b/app/views/dashboard/poster/new.html.erb
@@ -1,7 +1,7 @@
<% content_for :action_title, t("dashboard.poster.new.title") %>
- <%== Setting["proposals.poster_description"] %>
+ <%= Setting["proposals.poster_description"] %>
<%= render "poster_options" %>
diff --git a/app/views/debates/_form.html.erb b/app/views/debates/_form.html.erb
index d74e08272..38b4e2bcc 100644
--- a/app/views/debates/_form.html.erb
+++ b/app/views/debates/_form.html.erb
@@ -39,7 +39,7 @@
label: t("form.accept_terms",
policy: link_to(t("form.policy"), "/privacy", target: "blank"),
conditions: link_to(t("form.conditions"), "/conditions", target: "blank")
- ).html_safe %>
+ ) %>
<% end %>
diff --git a/app/views/debates/_votes.html.erb b/app/views/debates/_votes.html.erb
index cb7cdf9f5..9cd3437a4 100644
--- a/app/views/debates/_votes.html.erb
+++ b/app/views/debates/_votes.html.erb
@@ -52,7 +52,7 @@
<% elsif user_signed_in? && !debate.votable_by?(current_user) %>
- <%= t("votes.anonymous", verify_account: link_to_verify_account).html_safe %>
+ <%= sanitize(t("votes.anonymous", verify_account: link_to_verify_account)) %>
<% elsif !user_signed_in? %>
diff --git a/app/views/debates/index.html.erb b/app/views/debates/index.html.erb
index 53788434d..d4920644b 100644
--- a/app/views/debates/index.html.erb
+++ b/app/views/debates/index.html.erb
@@ -86,8 +86,8 @@
<%= t("debates.index.section_footer.description") %>
<%= t("debates.index.section_footer.help_text_1") %>
-
<%= t("debates.index.section_footer.help_text_2",
- org: link_to(setting["org_name"], new_user_registration_path)).html_safe %>
+
<%= sanitize(t("debates.index.section_footer.help_text_2",
+ org: link_to(setting["org_name"], new_user_registration_path))) %>
<% end %>
diff --git a/app/views/debates/new.html.erb b/app/views/debates/new.html.erb
index cf3cbc7b9..4e75679de 100644
--- a/app/views/debates/new.html.erb
+++ b/app/views/debates/new.html.erb
@@ -5,11 +5,11 @@
<%= t("debates.new.start_new") %>
- <%= t("debates.new.info",
- info_link: link_to(t("debates.new.info_link"), new_proposal_path)).html_safe %>
+ <%= sanitize(t("debates.new.info",
+ info_link: link_to(t("debates.new.info_link"), new_proposal_path))) %>
<% if feature?(:help_page) %>
- <%= link_to help_path, title: t("shared.target_blank_html"), target: "_blank" do %>
+ <%= link_to help_path, title: t("shared.target_blank"), target: "_blank" do %>
<%= t("debates.new.more_info") %>
<% end %>
<% end %>
diff --git a/app/views/debates/show.html.erb b/app/views/debates/show.html.erb
index b8814d75b..113041e63 100644
--- a/app/views/debates/show.html.erb
+++ b/app/views/debates/show.html.erb
@@ -30,7 +30,7 @@
- <%= safe_html_with_links @debate.description %>
+ <%= auto_link_already_sanitized_html @debate.description %>
<%= render "shared/tags", taggable: @debate %>
diff --git a/app/views/devise/sessions/new.html.erb b/app/views/devise/sessions/new.html.erb
index cba9e6ec0..d0d219c62 100644
--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@@ -4,8 +4,8 @@
<%= render "devise/omniauth_form" %>
- <%= t("devise_views.shared.links.signup",
- signup_link: link_to(t("devise_views.shared.links.signup_link"), new_user_registration_path)).html_safe %>
+ <%= sanitize(t("devise_views.shared.links.signup",
+ signup_link: link_to(t("devise_views.shared.links.signup_link"), new_user_registration_path))) %>
<%= form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>
diff --git a/app/views/direct_messages/new.html.erb b/app/views/direct_messages/new.html.erb
index 30078978e..8c0635a26 100644
--- a/app/views/direct_messages/new.html.erb
+++ b/app/views/direct_messages/new.html.erb
@@ -9,8 +9,8 @@
<% if not current_user %>
- <%= t("users.login_to_continue",
- signin: link_to_signin, signup: link_to_signup).html_safe %>
+ <%= sanitize(t("users.login_to_continue",
+ signin: link_to_signin, signup: link_to_signup)) %>
<% elsif not @receiver.email_on_direct_message? %>
@@ -33,8 +33,8 @@
<% else %>
- <%= t("users.direct_messages.new.verified_only",
- verify_account: link_to_verify_account).html_safe %>
+ <%= sanitize(t("users.direct_messages.new.verified_only",
+ verify_account: link_to_verify_account)) %>
<% end %>
diff --git a/app/views/direct_messages/show.html.erb b/app/views/direct_messages/show.html.erb
index 3757524cc..7a3ce847a 100644
--- a/app/views/direct_messages/show.html.erb
+++ b/app/views/direct_messages/show.html.erb
@@ -10,6 +10,6 @@
<%= @direct_message.title %>
-
<%= simple_format text_with_links(@direct_message.body), {}, sanitize: false %>
+
<%= simple_format sanitize_and_auto_link(@direct_message.body), {}, sanitize: false %>
diff --git a/app/views/kaminari/_first_page.html.erb b/app/views/kaminari/_first_page.html.erb
index e8afb0431..a5335a30b 100644
--- a/app/views/kaminari/_first_page.html.erb
+++ b/app/views/kaminari/_first_page.html.erb
@@ -1,3 +1,3 @@
- <%= link_to t("views.pagination.first").html_safe, kaminari_path(url), :remote => remote %>
+ <%= link_to t("views.pagination.first"), kaminari_path(url), :remote => remote %>
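Review bot: Without `.html_safe`, `link_to` escapes the link text, and Kaminari's default translations for these keys are entity strings (`&laquo; First`, `Last &raquo;`); if the application locale still uses those, the `&` is escaped and a literal `&laquo;` appears on the page. The same applies to `_last_page.html.erb`. Either use `sanitize(t("views.pagination.first"))` as `_gap.html.erb` does in this commit, or put the literal `«`/`»` characters in the locale files so no markup is involved at all.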
diff --git a/app/views/kaminari/_gap.html.erb b/app/views/kaminari/_gap.html.erb
index fc2dbed0f..f5932a473 100644
--- a/app/views/kaminari/_gap.html.erb
+++ b/app/views/kaminari/_gap.html.erb
@@ -1,3 +1,3 @@
- <%= t("views.pagination.truncate").html_safe %>
+ <%= sanitize(t("views.pagination.truncate")) %>
diff --git a/app/views/kaminari/_last_page.html.erb b/app/views/kaminari/_last_page.html.erb
index 5a49bd7e2..697b3bd15 100644
--- a/app/views/kaminari/_last_page.html.erb
+++ b/app/views/kaminari/_last_page.html.erb
@@ -1,3 +1,3 @@
- <%= link_to t("views.pagination.last").html_safe, kaminari_path(url), :remote => remote %>
+ <%= link_to t("views.pagination.last"), kaminari_path(url), :remote => remote %>
diff --git a/app/views/kaminari/_next_page.html.erb b/app/views/kaminari/_next_page.html.erb
index 11c700900..366367031 100644
--- a/app/views/kaminari/_next_page.html.erb
+++ b/app/views/kaminari/_next_page.html.erb
@@ -1,3 +1,3 @@
diff --git a/app/views/kaminari/_prev_page.html.erb b/app/views/kaminari/_prev_page.html.erb
index aba1d9369..d0147ff5c 100644
--- a/app/views/kaminari/_prev_page.html.erb
+++ b/app/views/kaminari/_prev_page.html.erb
@@ -1,3 +1,3 @@
diff --git a/app/views/layouts/_flash.html.erb b/app/views/layouts/_flash.html.erb
index a0f129224..6f881eeba 100644
--- a/app/views/layouts/_flash.html.erb
+++ b/app/views/layouts/_flash.html.erb
@@ -5,7 +5,7 @@
×
- <%= flash_message.try(:html_safe) %>
+ <%= sanitize(flash_message) %>
diff --git a/app/views/layouts/_footer.html.erb b/app/views/layouts/_footer.html.erb
index 1337be64b..383469811 100644
--- a/app/views/layouts/_footer.html.erb
+++ b/app/views/layouts/_footer.html.erb
@@ -2,14 +2,13 @@
- <%= link_to t("layouts.header.open_gov", open: "#{t("layouts.header.open")}").html_safe %>
+ <%= link_to t("layouts.header.open_gov", open: t("layouts.header.open")), root_path %>
- <%= t("layouts.footer.description",
+ <%= sanitize(t("layouts.footer.description",
open_source: link_to(t("layouts.footer.open_source"), t("layouts.footer.open_source_url"), target: "blank", rel: "nofollow"),
- consul: link_to(t("layouts.footer.consul"), t("layouts.footer.consul_url"), target: "blank", rel: "nofollow")).html_safe
- %>
+ consul: link_to(t("layouts.footer.consul"), t("layouts.footer.consul_url"), target: "blank", rel: "nofollow"))) %>
<%= t("layouts.footer.contact_us") %>
@@ -38,7 +37,7 @@
<% if setting["twitter_handle"] %>
<%= link_to "https://twitter.com/#{setting["twitter_handle"]}", target: "_blank",
- title: t("shared.go_to_page") + t("social.twitter", org: setting["org_name"]) + t("shared.target_blank_html") do %>
+ title: t("shared.go_to_page") + t("social.twitter", org: setting["org_name"]) + t("shared.target_blank") do %>
<%= t("social.twitter", org: setting["org_name"]) %>
<% end %>
@@ -47,7 +46,7 @@
<% if setting["facebook_handle"] %>
<%= link_to "https://www.facebook.com/#{setting["facebook_handle"]}/", target: "_blank",
- title: t("shared.go_to_page") + t("social.facebook", org: setting["org_name"]) + t("shared.target_blank_html") do %>
+ title: t("shared.go_to_page") + t("social.facebook", org: setting["org_name"]) + t("shared.target_blank") do %>
<%= t("social.facebook", org: setting["org_name"]) %>
<% end %>
@@ -56,7 +55,7 @@
<% if setting["youtube_handle"] %>
<%= link_to "https://www.youtube.com/#{setting["youtube_handle"]}", target: "_blank",
- title: t("shared.go_to_page") + t("social.youtube", org: setting["org_name"]) + t("shared.target_blank_html") do %>
+ title: t("shared.go_to_page") + t("social.youtube", org: setting["org_name"]) + t("shared.target_blank") do %>
<%= t("social.youtube", org: setting["org_name"]) %>
<% end %>
@@ -65,7 +64,7 @@
<% if setting["telegram_handle"] %>
<%= link_to "https://www.telegram.me/#{setting["telegram_handle"]}", target: "_blank",
- title: t("shared.go_to_page") + t("social.telegram", org: setting["org_name"]) + t("shared.target_blank_html") do %>
+ title: t("shared.go_to_page") + t("social.telegram", org: setting["org_name"]) + t("shared.target_blank") do %>
<%= t("social.telegram", org: setting["org_name"]) %>
<% end %>
@@ -74,7 +73,7 @@
<% if setting["instagram_handle"] %>
<%= link_to "https://www.instagram.com/#{setting["instagram_handle"]}", target: "_blank",
- title: t("shared.go_to_page") + t("social.instagram", org: setting["org_name"]) + t("shared.target_blank_html") do %>
+ title: t("shared.go_to_page") + t("social.instagram", org: setting["org_name"]) + t("shared.target_blank") do %>
<%= t("social.instagram", org: setting["org_name"]) %>
<% end %>
diff --git a/app/views/layouts/_notification_item.html.erb b/app/views/layouts/_notification_item.html.erb
index 7a21a3c38..c766f862a 100644
--- a/app/views/layouts/_notification_item.html.erb
+++ b/app/views/layouts/_notification_item.html.erb
@@ -10,11 +10,11 @@
">
+ count: current_user.notifications_count) %>">
<%= t("layouts.header.notification_item.new_notifications",
- count: current_user.notifications_count).html_safe %>
+ count: current_user.notifications_count) %>
<% else %>
<%= content_for :social_media_meta_tags %>
- <%= setting["html.per_page_code_head"].try(:html_safe) %>
+ <%= raw setting["html.per_page_code_head"] %>
- <%= setting["html.per_page_code_body"].try(:html_safe) %>
+ <%= raw setting["html.per_page_code_body"] %>
<%= setting["org_name"] %>
<%= render "layouts/header", with_subnavigation: true %>
-
+ <% end %>
<%= render "layouts/flash" %>
diff --git a/app/views/layouts/dashboard.html.erb b/app/views/layouts/dashboard.html.erb
index f19b8bdf9..9d01ca19c 100644
--- a/app/views/layouts/dashboard.html.erb
+++ b/app/views/layouts/dashboard.html.erb
@@ -18,10 +18,10 @@
type: "image/png" %>
<%= content_for :social_media_meta_tags %>
- <%= setting["per_page_code_head"].try(:html_safe) %>
+ <%= raw setting["per_page_code_head"] %>
- <%= setting["per_page_code_body"].try(:html_safe) %>
+ <%= raw setting["per_page_code_body"] %>
<%= setting["org_name"] %>
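Review bot: `raw` here is equivalent to the old `.try(:html_safe)` (it calls `to_s.html_safe`, so a nil setting still renders as an empty string), which means this remains an intentional unescaped sink for administrator-entered markup and script; that deserves a comment, e.g. `<%# admin-entered head/body snippet (analytics etc.), rendered unescaped on purpose: only trusted administrators may edit this setting %>`. Note also that this layout reads `setting["per_page_code_head"]`/`setting["per_page_code_body"]` while the devise layout hunk and the hunk preceding this file read `setting["html.per_page_code_head"]`/`setting["html.per_page_code_body"]`; if the setting is stored under only one of those keys, the layouts using the other silently emit nothing, which is worth confirming. The same points apply to the proposals_dashboard hunk.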
diff --git a/app/views/layouts/devise.html.erb b/app/views/layouts/devise.html.erb
index 368625e18..f2cb29bba 100644
--- a/app/views/layouts/devise.html.erb
+++ b/app/views/layouts/devise.html.erb
@@ -3,11 +3,11 @@
<%= render "layouts/common_head", default_title: "Gobierno abierto" %>
<%= render "layouts/meta_tags" %>
- <%= setting["html.per_page_code_head"].try(:html_safe) %>
+ <%= raw setting["html.per_page_code_head"] %>
- <%= setting["html.per_page_code_body"].try(:html_safe) %>
+ <%= raw setting["html.per_page_code_body"] %>
diff --git a/app/views/layouts/proposals_dashboard.html.erb b/app/views/layouts/proposals_dashboard.html.erb
index bcad88bbf..3ae31f738 100644
--- a/app/views/layouts/proposals_dashboard.html.erb
+++ b/app/views/layouts/proposals_dashboard.html.erb
@@ -18,10 +18,10 @@
type: "image/png" %>
<%= content_for :social_media_meta_tags %>
- <%= setting["per_page_code_head"].try(:html_safe) %>
+ <%= raw setting["per_page_code_head"] %>
- <%= setting["per_page_code_body"].try(:html_safe) %>
+ <%= raw setting["per_page_code_body"] %>
<%= setting["org_name"] %>
diff --git a/app/views/legislation/annotations/_comments_box.html.erb b/app/views/legislation/annotations/_comments_box.html.erb
index b9e8eea70..c1d1f24fd 100644
--- a/app/views/legislation/annotations/_comments_box.html.erb
+++ b/app/views/legislation/annotations/_comments_box.html.erb
@@ -37,8 +37,8 @@
- <%= t("users.login_to_comment",
- signin: link_to_signin, signup: link_to_signup).html_safe %>
+ <%= sanitize(t("users.login_to_comment",
+ signin: link_to_signin, signup: link_to_signup)) %>
diff --git a/app/views/legislation/annotations/index.html.erb b/app/views/legislation/annotations/index.html.erb
index 83f0e9d07..ac439a823 100644
--- a/app/views/legislation/annotations/index.html.erb
+++ b/app/views/legislation/annotations/index.html.erb
@@ -22,7 +22,7 @@
<% end %>
<%= link_to legislation_process_draft_version_annotation_path(@process, @draft_version, annotation) do %>
<%= t(".comments_count", count: annotation.comments_count) %>
diff --git a/app/views/legislation/annotations/show.html.erb b/app/views/legislation/annotations/show.html.erb
index 63af27f72..f8aeeb655 100644
--- a/app/views/legislation/annotations/show.html.erb
+++ b/app/views/legislation/annotations/show.html.erb
@@ -19,7 +19,7 @@
diff --git a/app/views/legislation/processes/_help_gif.html.erb b/app/views/legislation/processes/_help_gif.html.erb
index fdf00a2c5..19e47a506 100644
--- a/app/views/legislation/processes/_help_gif.html.erb
+++ b/app/views/legislation/processes/_help_gif.html.erb
@@ -11,8 +11,8 @@
<%= t("annotator.help.alt") %>
<% else %>
- <%= t("annotator.help.text",
- sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
+ <%= sanitize(t("annotator.help.text",
+ sign_in: link_to_signin, sign_up: link_to_signup)) %>
<% end %>
diff --git a/app/views/legislation/proposals/_featured_votes.html.erb b/app/views/legislation/proposals/_featured_votes.html.erb
index 090a095ea..979d2e90b 100644
--- a/app/views/legislation/proposals/_featured_votes.html.erb
+++ b/app/views/legislation/proposals/_featured_votes.html.erb
@@ -22,7 +22,7 @@
<% elsif user_signed_in? && !proposal.votable_by?(current_user) %>
- <%= t("votes.verified_only", verify_account: link_to_verify_account).html_safe %>
+ <%= sanitize(t("votes.verified_only", verify_account: link_to_verify_account)) %>
<% elsif !user_signed_in? %>
diff --git a/app/views/legislation/proposals/_form.html.erb b/app/views/legislation/proposals/_form.html.erb
index 052aa7186..d0c387482 100644
--- a/app/views/legislation/proposals/_form.html.erb
+++ b/app/views/legislation/proposals/_form.html.erb
@@ -65,7 +65,7 @@
label: t("form.accept_terms",
policy: link_to(t("form.policy"), "/privacy", target: "blank"),
conditions: link_to(t("form.conditions"), "/conditions", target: "blank")
- ).html_safe %>
+ ) %>
<% end %>
diff --git a/app/views/legislation/proposals/_votes.html.erb b/app/views/legislation/proposals/_votes.html.erb
index a2e9bedad..e60c4e2d4 100644
--- a/app/views/legislation/proposals/_votes.html.erb
+++ b/app/views/legislation/proposals/_votes.html.erb
@@ -54,8 +54,8 @@
<% elsif user_signed_in? && !proposal.votable_by?(current_user) %>
- <%= t("legislation.proposals.not_verified",
- verify_account: link_to_verify_account).html_safe %>
+ <%= sanitize(t("legislation.proposals.not_verified",
+ verify_account: link_to_verify_account)) %>
<% elsif !user_signed_in? %>
diff --git a/app/views/legislation/proposals/show.html.erb b/app/views/legislation/proposals/show.html.erb
index d6f44c592..7f21c1506 100644
--- a/app/views/legislation/proposals/show.html.erb
+++ b/app/views/legislation/proposals/show.html.erb
@@ -68,7 +68,7 @@
<% end %>
- <%= safe_html_with_links @proposal.description %>
+ <%= auto_link_already_sanitized_html @proposal.description %>
<% if @proposal.video_url.present? %>
@@ -76,7 +76,7 @@
<%= t("proposals.show.title_video_url") %>
- <%= text_with_links @proposal.video_url %>
+ <%= sanitize_and_auto_link @proposal.video_url %>
<% end %>
diff --git a/app/views/legislation/questions/_participation_not_allowed.html.erb b/app/views/legislation/questions/_participation_not_allowed.html.erb
index 9057fde1a..9bbc88c9a 100644
--- a/app/views/legislation/questions/_participation_not_allowed.html.erb
+++ b/app/views/legislation/questions/_participation_not_allowed.html.erb
@@ -7,14 +7,14 @@
<% elsif user_signed_in? && current_user.unverified? %>
- <%= t("legislation.questions.participation.verified_only",
- verify_account: link_to_verify_account).html_safe %>
+ <%= sanitize(t("legislation.questions.participation.verified_only",
+ verify_account: link_to_verify_account)) %>
<% elsif !user_signed_in? %>
- <%= t("legislation.questions.participation.unauthenticated",
- signin: link_to_signin, signup: link_to_signup).html_safe %>
+ <%= sanitize(t("legislation.questions.participation.unauthenticated",
+ signin: link_to_signin, signup: link_to_signup)) %>
<% elsif !@process.debate_phase.open? %>
diff --git a/app/views/mailer/budget_investment_created.html.erb b/app/views/mailer/budget_investment_created.html.erb
index 8942a1606..2ba7ef5c1 100644
--- a/app/views/mailer/budget_investment_created.html.erb
+++ b/app/views/mailer/budget_investment_created.html.erb
@@ -5,19 +5,19 @@
- <%= t("mailers.budget_investment_created.intro_html",
- author: @investment.author.name).html_safe %>
+ <%= sanitize(t("mailers.budget_investment_created.intro",
+ author: @investment.author.name)) %>
- <%= t("mailers.budget_investment_created.text_html",
+ <%= sanitize(t("mailers.budget_investment_created.text",
investment: @investment.title,
- budget: @investment.budget.name).html_safe %>
+ budget: @investment.budget.name)) %>
- <%= t("mailers.budget_investment_created.follow_html",
- link: link_to(t("mailers.budget_investment_created.follow_link"), budgets_url)).html_safe %>
+ <%= sanitize(t("mailers.budget_investment_created.follow_html",
+ link: link_to(t("mailers.budget_investment_created.follow_link"), budgets_url))) %>
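Review bot: Dropping the `_html` suffix from the `intro` and `text` keys changes how `@investment.author.name`, `@investment.title` and `@investment.budget.name` are handled: with an `_html` key the translate helper HTML-escapes non-safe interpolations, whereas now they are spliced in verbatim and then parsed by `sanitize` as markup, so a user-chosen name or title containing tags is filtered through the sanitizer's allow-list rather than shown literally. Escape those values before interpolation, `author: h(@investment.author.name)`, `investment: h(@investment.title),` and `budget: h(@investment.budget.name)`, so `sanitize` only has to handle the markup the translation itself and `link_to` contribute. The third paragraph keeps its `follow_html` key, so the `link:` value there is unaffected.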
diff --git a/app/views/mailer/comment.html.erb b/app/views/mailer/comment.html.erb
index bfd576835..c0bd1c8f0 100644
--- a/app/views/mailer/comment.html.erb
+++ b/app/views/mailer/comment.html.erb
@@ -13,7 +13,7 @@
- <%= text_with_links @comment.body %>
+ <%= sanitize_and_auto_link @comment.body %>
diff --git a/app/views/mailer/direct_message_for_receiver.html.erb b/app/views/mailer/direct_message_for_receiver.html.erb
index 135da4884..b563ce621 100644
--- a/app/views/mailer/direct_message_for_receiver.html.erb
+++ b/app/views/mailer/direct_message_for_receiver.html.erb
@@ -4,7 +4,7 @@
- <%= simple_format text_with_links(@direct_message.body), {}, sanitize: false %>
+ <%= simple_format sanitize_and_auto_link(@direct_message.body), {}, sanitize: false %>
@@ -26,9 +26,9 @@
- <%= t("mailers.direct_message_for_receiver.unsubscribe",
+ <%= sanitize(t("mailers.direct_message_for_receiver.unsubscribe",
account: link_to(t("mailers.direct_message_for_receiver.unsubscribe_account"),
- account_url, style: "color: #2895F1; text-decoration: none;")).html_safe %>
+ account_url, style: "color: #2895F1; text-decoration: none;"))) %>
diff --git a/app/views/mailer/direct_message_for_sender.html.erb b/app/views/mailer/direct_message_for_sender.html.erb
index da7bf7308..89124ab7b 100644
--- a/app/views/mailer/direct_message_for_sender.html.erb
+++ b/app/views/mailer/direct_message_for_sender.html.erb
@@ -10,6 +10,6 @@
- <%= simple_format text_with_links(@direct_message.body), {}, sanitize: false %>
+ <%= simple_format sanitize_and_auto_link(@direct_message.body), {}, sanitize: false %>
diff --git a/app/views/mailer/evaluation_comment.html.erb b/app/views/mailer/evaluation_comment.html.erb
index 0d695766d..85c842818 100644
--- a/app/views/mailer/evaluation_comment.html.erb
+++ b/app/views/mailer/evaluation_comment.html.erb
@@ -14,6 +14,6 @@
<%= t("mailers.evaluation_comment.commenter_info", commenter: @email.comment.author.name, time: l(@email.comment.created_at)) %>
- <%= simple_format text_with_links(@email.comment.body), {}, sanitize: false %>
+ <%= simple_format sanitize_and_auto_link(@email.comment.body), {}, sanitize: false %>
diff --git a/app/views/mailer/newsletter.html.erb b/app/views/mailer/newsletter.html.erb
index c310f2596..e77eaa1f0 100644
--- a/app/views/mailer/newsletter.html.erb
+++ b/app/views/mailer/newsletter.html.erb
@@ -1,5 +1,5 @@
- <%= safe_html_with_links @newsletter.body.html_safe %>
+ <%= auto_link_already_sanitized_html WYSIWYGSanitizer.new.sanitize(@newsletter.body) %>
diff --git a/app/views/mailer/proposal_notification_digest.html.erb b/app/views/mailer/proposal_notification_digest.html.erb
index 671c5ffad..39d0e4107 100644
--- a/app/views/mailer/proposal_notification_digest.html.erb
+++ b/app/views/mailer/proposal_notification_digest.html.erb
@@ -61,9 +61,9 @@
- <%= t("mailers.proposal_notification_digest.unsubscribe",
+ <%= sanitize(t("mailers.proposal_notification_digest.unsubscribe",
account: link_to(t("mailers.proposal_notification_digest.unsubscribe_account"),
- account_url, style: "color: #2895F1; text-decoration: none;")).html_safe %>
+ account_url, style: "color: #2895F1; text-decoration: none;"))) %>
diff --git a/app/views/mailer/reply.html.erb b/app/views/mailer/reply.html.erb
index 02478e3ad..d53815249 100644
--- a/app/views/mailer/reply.html.erb
+++ b/app/views/mailer/reply.html.erb
@@ -13,7 +13,7 @@
- <%= simple_format text_with_links(@email.reply.body), {}, sanitize: false %>
+ <%= simple_format sanitize_and_auto_link(@email.reply.body), {}, sanitize: false %>
diff --git a/app/views/management/document_verifications/invalid_document.html.erb b/app/views/management/document_verifications/invalid_document.html.erb
index 632432113..2f7101ca0 100644
--- a/app/views/management/document_verifications/invalid_document.html.erb
+++ b/app/views/management/document_verifications/invalid_document.html.erb
@@ -11,6 +11,6 @@
permissions: [:debates, :create_proposals] %>
- <%= t("management.document_verifications.has_no_account_html",
- link: link_to(t("management.document_verifications.link"), root_path, target: "_blank")).html_safe %>
+ <%= sanitize(t("management.document_verifications.has_no_account_html",
+ link: link_to(t("management.document_verifications.link"), root_path, target: "_blank"))) %>
diff --git a/app/views/milestones/_milestone.html.erb b/app/views/milestones/_milestone.html.erb
index 2e3ace7fb..6de305b85 100644
--- a/app/views/milestones/_milestone.html.erb
+++ b/app/views/milestones/_milestone.html.erb
@@ -25,7 +25,7 @@
<%= image_tag(milestone.image_url(:large), { id: "image_#{milestone.id}", alt: milestone.image.title, class: "margin" }) if milestone.image.present? %>
- <%= text_with_links milestone.description %>
+ <%= sanitize_and_auto_link milestone.description %>
<% if milestone.documents.present? %>
diff --git a/app/views/organizations/registrations/new.html.erb b/app/views/organizations/registrations/new.html.erb
index 705f27fde..1f6b4b22e 100644
--- a/app/views/organizations/registrations/new.html.erb
+++ b/app/views/organizations/registrations/new.html.erb
@@ -32,9 +32,9 @@
label: t("devise_views.users.registrations.new.terms",
terms: link_to(t("devise_views.users.registrations.new.terms_link"),
"/conditions",
- title: t("shared.target_blank_html"),
+ title: t("shared.target_blank"),
target: "_blank")
- ).html_safe %>
+ ) %>
<%= f.submit t("devise_views.organizations.registrations.new.submit"), class: "button expanded" %>
diff --git a/app/views/organizations/registrations/success.html.erb b/app/views/organizations/registrations/success.html.erb
index 550f06342..d526133bc 100644
--- a/app/views/organizations/registrations/success.html.erb
+++ b/app/views/organizations/registrations/success.html.erb
@@ -2,7 +2,7 @@
<%= t("devise_views.organizations.registrations.success.thank_you_html") %>
<%= t("devise_views.organizations.registrations.success.instructions_1_html") %>
<%= t("devise_views.organizations.registrations.success.instructions_2_html") %>
-
<%= t("devise_views.organizations.registrations.success.instructions_3_html") %>
+
<%= t("devise_views.organizations.registrations.success.instructions_3") %>
<%= link_to t("devise_views.organizations.registrations.success.back_to_index"),
root_path, class: "button margin-top expanded" %>
diff --git a/app/views/pages/custom_page.html.erb b/app/views/pages/custom_page.html.erb
index 58181259d..cdd06f9e0 100644
--- a/app/views/pages/custom_page.html.erb
+++ b/app/views/pages/custom_page.html.erb
@@ -9,7 +9,7 @@
<%= @custom_page.subtitle %>
<% end %>
- <%= safe_html_with_links AdminWYSIWYGSanitizer.new.sanitize(@custom_page.content) %>
+ <%= auto_link_already_sanitized_html AdminWYSIWYGSanitizer.new.sanitize(@custom_page.content) %>
<% if @custom_page.print_content_flag %>
diff --git a/app/views/pages/help/_budgets.html.erb b/app/views/pages/help/_budgets.html.erb
index 116bb0deb..2504d60d3 100644
--- a/app/views/pages/help/_budgets.html.erb
+++ b/app/views/pages/help/_budgets.html.erb
@@ -4,13 +4,13 @@
<%= t("pages.help.budgets.title") %>
- <%= t("pages.help.budgets.description",
- link: link_to(t("pages.help.budgets.link"), budgets_path)).html_safe %>
+ <%= sanitize(t("pages.help.budgets.description",
+ link: link_to(t("pages.help.budgets.link"), budgets_path))) %>
<%= image_tag "help/budgets_#{I18n.locale}.png", alt: t("pages.help.budgets.image_alt") %>
- <%= t("pages.help.budgets.figcaption_html") %>
+ <%= t("pages.help.budgets.figcaption") %>
diff --git a/app/views/pages/help/_debates.html.erb b/app/views/pages/help/_debates.html.erb
index 26c0fcfdd..bc6a3d6d4 100644
--- a/app/views/pages/help/_debates.html.erb
+++ b/app/views/pages/help/_debates.html.erb
@@ -4,16 +4,16 @@
<%= t("pages.help.debates.title") %>
- <%= t("pages.help.debates.description",
+ <%= sanitize(t("pages.help.debates.description",
org: setting["org_name"],
link: link_to(t("pages.help.debates.link"),
- debates_path)).html_safe %>
+ debates_path))) %>
- <%= t("pages.help.debates.feature_html",
+ <%= sanitize(t("pages.help.debates.feature_html",
link: link_to(t("pages.help.debates.feature_link", org: setting["org_name"]),
- new_user_registration_path)).html_safe %>
+ new_user_registration_path))) %>
diff --git a/app/views/pages/help/_polls.html.erb b/app/views/pages/help/_polls.html.erb
index c63aac6b8..7ce3a13cb 100644
--- a/app/views/pages/help/_polls.html.erb
+++ b/app/views/pages/help/_polls.html.erb
@@ -2,14 +2,14 @@
<%= t("pages.help.polls.title") %>
- <%= t("pages.help.polls.description",
- link: link_to(t("pages.help.polls.link"), polls_path)).html_safe %>
+ <%= sanitize(t("pages.help.polls.description",
+ link: link_to(t("pages.help.polls.link"), polls_path))) %>
- <%= t("pages.help.polls.feature_1",
+ <%= sanitize(t("pages.help.polls.feature_1",
link: link_to(t("pages.help.polls.feature_1_link", org_name: setting["org_name"]),
- new_user_registration_path)).html_safe %>
+ new_user_registration_path))) %>
diff --git a/app/views/pages/help/_processes.html.erb b/app/views/pages/help/_processes.html.erb
index abe64f4ab..da2f2b5ac 100644
--- a/app/views/pages/help/_processes.html.erb
+++ b/app/views/pages/help/_processes.html.erb
@@ -6,7 +6,7 @@
<% link = link_to(t("pages.help.processes.link"), legislation_processes_path) %>
- <%= t("pages.help.processes.description", link: link).html_safe %>
+ <%= sanitize(t("pages.help.processes.description", link: link)) %>
diff --git a/app/views/pages/help/_proposals.html.erb b/app/views/pages/help/_proposals.html.erb
index 6cc932242..acfd8ef60 100644
--- a/app/views/pages/help/_proposals.html.erb
+++ b/app/views/pages/help/_proposals.html.erb
@@ -4,13 +4,13 @@
<%= t("pages.help.proposals.title") %>
- <%= t("pages.help.proposals.description",
- link: link_to(t("pages.help.proposals.link"), proposals_path)).html_safe %>
+ <%= sanitize(t("pages.help.proposals.description",
+ link: link_to(t("pages.help.proposals.link"), proposals_path))) %>
<%= image_tag "help/proposals_#{I18n.locale}.png", alt: t("pages.help.proposals.image_alt") %>
- <%= t("pages.help.proposals.figcaption_html") %>
+ <%= t("pages.help.proposals.figcaption") %>
diff --git a/app/views/polls/_callout.html.erb b/app/views/polls/_callout.html.erb
index 4bb6e821d..19ff207da 100644
--- a/app/views/polls/_callout.html.erb
+++ b/app/views/polls/_callout.html.erb
@@ -1,9 +1,9 @@
<% unless can?(:answer, @poll) %>
<% if current_user.nil? %>
- <%= t("polls.show.cant_answer_not_logged_in",
+ <%= sanitize(t("polls.show.cant_answer_not_logged_in",
signin: link_to_signin(class: "probe-message"),
- signup: link_to_signup(class: "probe-message")).html_safe %>
+ signup: link_to_signup(class: "probe-message"))) %>
<% elsif current_user.unverified? %>
diff --git a/app/views/polls/_poll_header.html.erb b/app/views/polls/_poll_header.html.erb
index 95a0237b9..b94d03e39 100644
--- a/app/views/polls/_poll_header.html.erb
+++ b/app/views/polls/_poll_header.html.erb
@@ -9,7 +9,7 @@
<%= @poll.name %>
- <%= safe_html_with_links simple_format(@poll.summary) %>
+ <%= auto_link_already_sanitized_html simple_format(@poll.summary) %>
<% if @poll.geozones.any? %>
<% end %>
-<%= safe_html_with_links @proposal.description %>
+<%= auto_link_already_sanitized_html @proposal.description %>
<% if feature?(:map) && map_location_available?(@proposal.map_location) %>
@@ -53,7 +53,7 @@
<%= t("proposals.show.title_video_url") %>
- <%= text_with_links @proposal.video_url %>
+ <%= sanitize_and_auto_link @proposal.video_url %>
<% end %>
@@ -63,7 +63,7 @@
<%= t("proposals.show.retired") %>:
<%= t("proposals.retire_options.#{@proposal.retired_reason}") unless @proposal.retired_reason == "other" %>
- <%= simple_format text_with_links(@proposal.retired_explanation), {}, sanitize: false %>
+ <%= simple_format sanitize_and_auto_link(@proposal.retired_explanation), {}, sanitize: false %>
<% end %>
diff --git a/app/views/proposals/_notifications.html.erb b/app/views/proposals/_notifications.html.erb
index 5ba0a87bf..c91058d27 100644
--- a/app/views/proposals/_notifications.html.erb
+++ b/app/views/proposals/_notifications.html.erb
@@ -11,7 +11,7 @@
<%= notification.title %>
<%= notification.created_at.to_date %>
- <%= simple_format text_with_links(notification.body), {}, sanitize: false %>
+ <%= simple_format sanitize_and_auto_link(notification.body), {}, sanitize: false %>
<%= render "proposal_notifications/actions", notification: notification %>
diff --git a/app/views/proposals/_votes.html.erb b/app/views/proposals/_votes.html.erb
index f1801d732..c78dfa720 100644
--- a/app/views/proposals/_votes.html.erb
+++ b/app/views/proposals/_votes.html.erb
@@ -29,7 +29,7 @@
- <%= t("votes.verified_only", verify_account: link_to_verify_account).html_safe %>
+ <%= sanitize(t("votes.verified_only", verify_account: link_to_verify_account)) %>
diff --git a/app/views/proposals/new.html.erb b/app/views/proposals/new.html.erb
index f7fc3b335..8c1da0eb9 100644
--- a/app/views/proposals/new.html.erb
+++ b/app/views/proposals/new.html.erb
@@ -5,7 +5,7 @@
<%= t("proposals.new.start_new") %>
- <%= link_to help_path(anchor: "proposals"), title: t("shared.target_blank_html"), target: "_blank" do %>
+ <%= link_to help_path(anchor: "proposals"), title: t("shared.target_blank"), target: "_blank" do %>
<%= t("proposals.new.more_info") %>
<% end %>
diff --git a/app/views/shared/_login_to_comment.html.erb b/app/views/shared/_login_to_comment.html.erb
index 3b63339b8..564198806 100644
--- a/app/views/shared/_login_to_comment.html.erb
+++ b/app/views/shared/_login_to_comment.html.erb
@@ -1,3 +1,3 @@
- <%= t("users.login_to_comment", signin: link_to_signin, signup: link_to_signup).html_safe %>
+ <%= sanitize(t("users.login_to_comment", signin: link_to_signin, signup: link_to_signup)) %>
diff --git a/app/views/shared/_login_to_vote.html.erb b/app/views/shared/_login_to_vote.html.erb
index 30c86b8f6..20ff9c5ce 100644
--- a/app/views/shared/_login_to_vote.html.erb
+++ b/app/views/shared/_login_to_vote.html.erb
@@ -1,3 +1,3 @@
- <%= t("users.login_to_continue", signin: link_to_signin, signup: link_to_signup).html_safe %>
+ <%= sanitize(t("users.login_to_continue", signin: link_to_signin, signup: link_to_signup)) %>
diff --git a/app/views/topics/_informative_text.html.erb b/app/views/topics/_informative_text.html.erb
index 1736ccb31..43604a623 100644
--- a/app/views/topics/_informative_text.html.erb
+++ b/app/views/topics/_informative_text.html.erb
@@ -6,7 +6,7 @@
<% else %>
- <%= t("community.show.create_first_community_topic.sub_first_theme",
- sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
+ <%= sanitize(t("community.show.create_first_community_topic.sub_first_theme",
+ sign_in: link_to_signin, sign_up: link_to_signup)) %>
<% end %>
diff --git a/app/views/tracking/budget_investments/edit.html.erb b/app/views/tracking/budget_investments/edit.html.erb
index 70732675d..9a0cf01fd 100644
--- a/app/views/tracking/budget_investments/edit.html.erb
+++ b/app/views/tracking/budget_investments/edit.html.erb
@@ -7,6 +7,6 @@
<%= @investment.title %>
-<%= safe_html_with_links @investment.description %>
+<%= auto_link_already_sanitized_html @investment.description %>
<%= render "tracking/milestones/milestones", milestoneable: @investment %>
diff --git a/app/views/tracking/budget_investments/show.html.erb b/app/views/tracking/budget_investments/show.html.erb
index dfc90d727..78c118604 100644
--- a/app/views/tracking/budget_investments/show.html.erb
+++ b/app/views/tracking/budget_investments/show.html.erb
@@ -3,10 +3,10 @@
<%= t("tracking.budget_investments.show.title") %> <%= @investment.id %>
<%= @investment.title %>
-<%= safe_html_with_links @investment.description %>
+<%= auto_link_already_sanitized_html @investment.description %>
<% if @investment.external_url.present? %>
- <%= text_with_links @investment.external_url %>
+ <%= sanitize_and_auto_link @investment.external_url %>
<% end %>
<%= t("tracking.budget_investments.show.info") %>
diff --git a/app/views/users/registrations/new.html.erb b/app/views/users/registrations/new.html.erb
index c97b1befb..f296d3b69 100644
--- a/app/views/users/registrations/new.html.erb
+++ b/app/views/users/registrations/new.html.erb
@@ -7,8 +7,8 @@
<%= render "shared/errors", resource: resource %>
- <%= t("devise_views.users.registrations.new.organization_signup",
- signup_link: link_to(t("devise_views.users.registrations.new.organization_signup_link"), new_organization_registration_path)).html_safe %>
+ <%= sanitize(t("devise_views.users.registrations.new.organization_signup",
+ signup_link: link_to(t("devise_views.users.registrations.new.organization_signup_link"), new_organization_registration_path))) %>
@@ -40,9 +40,9 @@
title: t("devise_views.users.registrations.new.terms_title"),
label: t("devise_views.users.registrations.new.terms",
terms: link_to(t("devise_views.users.registrations.new.terms_link"), "/conditions",
- title: t("shared.target_blank_html"),
+ title: t("shared.target_blank"),
target: "_blank")
- ).html_safe %>
+ ) %>
<%= f.submit t("devise_views.users.registrations.new.submit"), class: "button expanded" %>
diff --git a/app/views/users/registrations/success.html.erb b/app/views/users/registrations/success.html.erb
index 900e29557..e622aeabe 100644
--- a/app/views/users/registrations/success.html.erb
+++ b/app/views/users/registrations/success.html.erb
@@ -1,7 +1,7 @@
<%= t("devise_views.users.registrations.success.title") %>
<%= t("devise_views.users.registrations.success.thank_you_html") %>
<%= t("devise_views.users.registrations.success.instructions_1_html") %>
-
<%= t("devise_views.users.registrations.success.instructions_2_html") %>
+
<%= t("devise_views.users.registrations.success.instructions_2") %>
<%= link_to t("devise_views.users.registrations.success.back_to_index"),
root_path, class: "button margin-top expanded" %>
diff --git a/app/views/valuation/budget_investments/show.html.erb b/app/views/valuation/budget_investments/show.html.erb
index 438b3df30..7d9874219 100644
--- a/app/views/valuation/budget_investments/show.html.erb
+++ b/app/views/valuation/budget_investments/show.html.erb
@@ -18,7 +18,7 @@
<% if @investment.external_url.present? %>
-
<%= text_with_links @investment.external_url %>
+
<%= sanitize_and_auto_link @investment.external_url %>
<% end %>
diff --git a/app/views/verification/residence/new.html.erb b/app/views/verification/residence/new.html.erb
index cb77a4f46..8f6d453c6 100644
--- a/app/views/verification/residence/new.html.erb
+++ b/app/views/verification/residence/new.html.erb
@@ -78,9 +78,9 @@
title: t("verification.residence.new.accept_terms_text_title"),
label: t("verification.residence.new.accept_terms_text",
terms_url: link_to(t("verification.residence.new.terms"), "/census_terms",
- title: t("shared.target_blank_html"),
+ title: t("shared.target_blank"),
target: "_blank")
- ).html_safe %>
+ ) %>
diff --git a/config/locales/en/budgets.yml b/config/locales/en/budgets.yml
index 92fd1b8bd..7871f5a61 100644
--- a/config/locales/en/budgets.yml
+++ b/config/locales/en/budgets.yml
@@ -10,7 +10,7 @@ en:
voted_html:
one: "You have voted
one investment."
other: "You have voted
%{count} investments."
- voted_info_html: "Your ballot is confirmed!"
+ voted_info: "Your ballot is confirmed!"
voted_info_2: "But you can change your vote at any time until this phase is closed."
zero: You have not voted any investment project.
reasons_for_not_balloting:
diff --git a/config/locales/en/devise_views.yml b/config/locales/en/devise_views.yml
index 41ceae937..2840069d7 100644
--- a/config/locales/en/devise_views.yml
+++ b/config/locales/en/devise_views.yml
@@ -52,7 +52,7 @@ en:
back_to_index: I understand; go back to main page
instructions_1_html: "
We will contact you soon to verify that you do in fact represent this collective."
instructions_2_html: While your
email is reviewed , we have sent you a
link to confirm your account .
- instructions_3_html: Once confirmed, you may begin to participate as an unverified collective.
+ instructions_3: Once confirmed, you may begin to participate as an unverified collective.
thank_you_html: Thank you for registering your collective on the website. It is now
pending verification .
title: Registration of organisation / collective
passwords:
@@ -124,6 +124,6 @@ en:
success:
back_to_index: I understand; go back to main page
instructions_1_html: Please
check your email - we have sent you a
link to confirm your account .
- instructions_2_html: Once confirmed, you may begin participation.
+ instructions_2: Once confirmed, you may begin participation.
thank_you_html: Thank you for registering for the website. You must now
confirm your email address .
title: Confirm your email address
diff --git a/config/locales/en/general.yml b/config/locales/en/general.yml
index fcdba9cca..105cbf783 100644
--- a/config/locales/en/general.yml
+++ b/config/locales/en/general.yml
@@ -773,7 +773,7 @@ en:
districts: "Districts"
districts_list: "Districts list"
categories: "Categories"
- target_blank_html: " (link opens in new window)"
+ target_blank: " (link opens in new window)"
you_are_in: "You are in"
unflag: Unflag
unfollow_entity: "Unfollow %{entity}"
diff --git a/config/locales/en/mailers.yml b/config/locales/en/mailers.yml
index 6434b8951..cf2341095 100644
--- a/config/locales/en/mailers.yml
+++ b/config/locales/en/mailers.yml
@@ -46,8 +46,8 @@ en:
budget_investment_created:
subject: "Thank you for creating an investment!"
title: "Thank you for creating an investment!"
- intro_html: "Hi
%{author} ,"
- text_html: "Thank you for creating your investment
%{investment} for Participatory Budgets
%{budget} ."
+ intro: "Hi
%{author} ,"
+ text: "Thank you for creating your investment
%{investment} for Participatory Budgets
%{budget} ."
follow_html: "We will inform you about how the process progresses, which you can also follow on
%{link} ."
follow_link: "Participatory Budgets"
sincerely: "Sincerely,"
diff --git a/config/locales/en/pages.yml b/config/locales/en/pages.yml
index 4cc92db43..abe473675 100644
--- a/config/locales/en/pages.yml
+++ b/config/locales/en/pages.yml
@@ -27,13 +27,13 @@ en:
description: "In the %{link} section you can make proposals for the City Council to carry them out. The proposals require support, and if they reach sufficient support, they are put to a public vote. The proposals approved in these citizens' votes are accepted by the City Council and carried out."
link: "citizen proposals"
image_alt: "Button to support a proposal"
- figcaption_html: 'Button to "Support" a proposal.'
+ figcaption: 'Button to "Support" a proposal.'
budgets:
title: "Participatory Budgeting"
description: "The %{link} section helps people make a direct decision on what part of the municipal budget is spent on."
link: "participative budgets"
image_alt: "Different phases of a participatory budget"
- figcaption_html: '"Support" and "Voting" phases of participatory budgets.'
+ figcaption: '"Support" and "Voting" phases of participatory budgets.'
polls:
title: "Polls"
description: "The %{link} section is activated each time a proposal reaches 1% support and goes to the vote or when the City Council proposes an issue for people to decide on."
diff --git a/config/locales/es/budgets.yml b/config/locales/es/budgets.yml
index 16ed2b4c0..a73292b76 100644
--- a/config/locales/es/budgets.yml
+++ b/config/locales/es/budgets.yml
@@ -10,7 +10,7 @@ es:
voted_html:
one: "Has votado
un proyecto."
other: "Has votado
%{count} proyectos."
- voted_info_html: "¡Tus votos están confirmados!"
+ voted_info: "¡Tus votos están confirmados!"
voted_info_2: "Pero puedes cambiarlos en cualquier momento hasta el cierre de esta fase."
zero: Todavía no has votado ningún proyecto de gasto.
reasons_for_not_balloting:
diff --git a/config/locales/es/devise_views.yml b/config/locales/es/devise_views.yml
index 9e2581d9a..5134b29e2 100644
--- a/config/locales/es/devise_views.yml
+++ b/config/locales/es/devise_views.yml
@@ -52,7 +52,7 @@ es:
back_to_index: Entendido, volver a la página principal
instructions_1_html: "En breve
nos pondremos en contacto contigo para verificar que realmente representas a este colectivo."
instructions_2_html: Mientras
revisa tu correo electrónico , te hemos enviado un
enlace para confirmar tu cuenta .
- instructions_3_html: Una vez confirmado, podrás empezar a participar como colectivo no verificado.
+ instructions_3: Una vez confirmado, podrás empezar a participar como colectivo no verificado.
thank_you_html: Gracias por registrar tu colectivo en la web. Ahora está
pendiente de verificación .
title: Registro de organización / colectivo
passwords:
@@ -124,6 +124,6 @@ es:
success:
back_to_index: Entendido, volver a la página principal
instructions_1_html: Por favor
revisa tu correo electrónico - te hemos enviado un
enlace para confirmar tu cuenta .
- instructions_2_html: Una vez confirmado, podrás empezar a participar.
+ instructions_2: Una vez confirmado, podrás empezar a participar.
thank_you_html: Gracias por registrarte en la web. Ahora debes
confirmar tu correo .
title: Revisa tu correo
diff --git a/config/locales/es/general.yml b/config/locales/es/general.yml
index 680e12920..eb25dd7fd 100644
--- a/config/locales/es/general.yml
+++ b/config/locales/es/general.yml
@@ -770,7 +770,7 @@ es:
districts: "Distritos"
districts_list: "Listado de distritos"
categories: "Categorías"
- target_blank_html: " (se abre en ventana nueva)"
+ target_blank: " (se abre en ventana nueva)"
you_are_in: "Estás en"
unflag: Deshacer denuncia
unfollow_entity: "Dejar de seguir %{entity}"
diff --git a/config/locales/es/mailers.yml b/config/locales/es/mailers.yml
index fa37c399a..5c0691c4a 100644
--- a/config/locales/es/mailers.yml
+++ b/config/locales/es/mailers.yml
@@ -46,8 +46,8 @@ es:
budget_investment_created:
subject: "¡Gracias por crear un proyecto!"
title: "¡Gracias por crear un proyecto!"
- intro_html: "Hola
%{author} ,"
- text_html: "Muchas gracias por crear tu proyecto
%{investment} para los Presupuestos Participativos
%{budget} ."
+ intro: "Hola
%{author} ,"
+ text: "Muchas gracias por crear tu proyecto
%{investment} para los Presupuestos Participativos
%{budget} ."
follow_html: "Te informaremos de cómo avanza el proceso, que también puedes seguir en la página de
%{link} ."
follow_link: "Presupuestos participativos"
sincerely: "Atentamente,"
diff --git a/config/locales/es/pages.yml b/config/locales/es/pages.yml
index 33835a1e3..333366f65 100644
--- a/config/locales/es/pages.yml
+++ b/config/locales/es/pages.yml
@@ -27,13 +27,13 @@ es:
description: "En la sección de %{link} puedes plantear propuestas para que el Ayuntamiento las lleve a cabo. Las propuestas recaban apoyos, y si alcanzan los apoyos suficientes se someten a votación ciudadana. Las propuestas aprobadas en estas votaciones ciudadanas son asumidas por el Ayuntamiento y se llevan a cabo."
link: "propuestas ciudadanas"
image_alt: "Botón para apoyar una propuesta"
- figcaption_html: 'Botón para "Apoyar" una propuesta.'
+ figcaption: 'Botón para "Apoyar" una propuesta.'
budgets:
title: "Presupuestos participativos"
description: "La sección de %{link} sirve para que la gente decida de manera directa a qué se destina una parte del presupuesto municipal."
link: "presupuestos participativos"
image_alt: "Diferentes fases de un presupuesto participativo"
- figcaption_html: 'Fase de "Apoyos" y fase de "Votación" de los presupuestos participativos.'
+ figcaption: 'Fase de "Apoyos" y fase de "Votación" de los presupuestos participativos.'
polls:
title: "Votaciones"
description: "La sección de %{link} se activa cada vez que una propuesta alcanza el 1% de apoyos y pasa a votación o cuando el Ayuntamiento propone un tema para que la gente decida sobre él."
diff --git a/lib/consul_form_builder.rb b/lib/consul_form_builder.rb
index 9cf822823..2433e867d 100644
--- a/lib/consul_form_builder.rb
+++ b/lib/consul_form_builder.rb
@@ -1,4 +1,6 @@
class ConsulFormBuilder < FoundationRailsHelper::FormBuilder
+ include ActionView::Helpers::SanitizeHelper
+
def enum_select(attribute, options = {}, html_options = {})
choices = object.class.send(attribute.to_s.pluralize).keys.map do |name|
[object.class.human_attribute_name("#{attribute}.#{name}"), name]
@@ -35,6 +37,14 @@ class ConsulFormBuilder < FoundationRailsHelper::FormBuilder
private
+ def custom_label(attribute, text, options)
+ if text == false
+ super
+ else
+ super(attribute, sanitize(label_text(object, attribute, text)), options)
+ end
+ end
+
def label_with_hint(attribute, options)
custom_label(attribute, options[:label], options[:label_options]) +
help_text(attribute, options)
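Review bot: The new `custom_label` override passes every label through `sanitize` without a comment saying why, and the default allowlist it uses is a design choice that a reader cannot recover from the code: it keeps tags such as `<a>` and `<strong>` (so labels defined in translations can still carry a link) while stripping `<script>` and event attributes. A header comment would keep a future "simplification" to `strip_tags` or to raw `html_safe` from silently changing that contract; something like `# Label text may come from translations that are editable in the admin, so it is sanitized (not trusted) before being rendered; the default allowlist keeps inline links that some labels rely on.` The `text == false` branch falls through to the parent builder unchanged, which reads as the "render no label" case, and `label_text` is presumably inherited from `FoundationRailsHelper::FormBuilder` — neither is visible in the hunk, and the enclosing class continues outside it.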
diff --git a/lib/tasks/proposals.rake b/lib/tasks/proposals.rake
index 76b8a9f9d..6658b3cc1 100644
--- a/lib/tasks/proposals.rake
+++ b/lib/tasks/proposals.rake
@@ -12,7 +12,7 @@ namespace :proposals do
model.find_each do |resource|
if resource.external_url.present?
Globalize.with_locale(I18n.default_locale) do
- new_description = "#{resource.description}
#{text_with_links(resource.external_url)}
"
+ new_description = "#{resource.description}
#{sanitize_and_auto_link(resource.external_url)}
"
resource.description = new_description
resource.external_url = ""
resource.updated_at = Time.current
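Review bot: The sanitized, auto-linked URL is persisted into `description`, so the sanitization in this task happens once at migration time and the stored text still has to be treated as untrusted wherever `description` is rendered; nothing in the hunk documents that, and a maintainer could later assume the column is "already safe" and mark it `html_safe`. A one-line comment above the assignment would record the intent: `# Sanitized once here; views must still sanitize/escape description on render`. The hunk does not show where `sanitize_and_auto_link` comes from — presumably the same helper module that provided the old `text_with_links` — so confirm it is in scope inside the rake task, whose enclosing block starts before this hunk.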
diff --git a/spec/features/xss_spec.rb b/spec/features/xss_spec.rb
new file mode 100644
index 000000000..71447c976
--- /dev/null
+++ b/spec/features/xss_spec.rb
@@ -0,0 +1,109 @@
+require "rails_helper"
+
+describe "Cross-Site Scripting protection", :js do
+ let(:attack_code) { "" }
+
+ scenario "valuators in admin investments index" do
+ hacker = create(:user, username: attack_code)
+ investment = create(:budget_investment, valuators: [create(:valuator, user: hacker)])
+
+ login_as(create(:administrator).user)
+ visit admin_budget_budget_investments_path(investment.budget)
+
+ expect(page.text).not_to be_empty
+ end
+
+ scenario "document title" do
+ process = create(:legislation_process)
+ create(:document, documentable: process, title: attack_code)
+
+ visit legislation_process_path(process)
+
+ expect(page.text).not_to be_empty
+ end
+
+ scenario "hacked translations" do
+ I18nContent.create(key: "admin.budget_investments.index.list.title", value: attack_code)
+
+ login_as(create(:administrator).user)
+ visit admin_budget_budget_investments_path(create(:budget_investment).budget)
+
+ expect(page.text).not_to be_empty
+ end
+
+ scenario "accept terms label" do
+ I18nContent.create(key: "form.accept_terms", value: attack_code)
+
+ login_as(create(:user))
+ visit new_debate_path
+
+ expect(page.text).not_to be_empty
+ end
+
+ scenario "link to sign in" do
+ I18nContent.create(key: "budgets.investments.index.sidebar.not_logged_in", value: attack_code)
+ create(:budget, phase: "accepting")
+
+ visit budgets_path
+
+ expect(page.text).not_to be_empty
+ end
+
+ scenario "proposal actions in dashboard" do
+ proposal = create(:proposal)
+
+ create(:dashboard_action, description: attack_code)
+
+ login_as(proposal.author)
+ visit recommended_actions_proposal_dashboard_path(proposal)
+
+ expect(page.text).not_to be_empty
+ end
+
+ scenario "new request for proposal action in dashboard" do
+ proposal = create(:proposal)
+ action = create(:dashboard_action, description: attack_code)
+
+ login_as(proposal.author)
+ visit new_request_proposal_dashboard_action_path(proposal, action)
+
+ expect(page.text).not_to be_empty
+ end
+
+ scenario "poll description setting in dashboard" do
+ Setting["proposals.poll_description"] = attack_code
+ proposal = create(:proposal)
+
+ login_as(proposal.author)
+ visit proposal_dashboard_polls_path(proposal)
+
+ expect(page.text).not_to be_empty
+ end
+
+ scenario "annotation context" do
+ annotation = create(:legislation_annotation)
+ annotation.update_column(:context, attack_code)
+
+ visit polymorphic_hierarchy_path(annotation)
+
+ expect(page.text).not_to be_empty
+ end
+
+ scenario "valuation explanations" do
+ investment = create(:budget_investment, price_explanation: attack_code)
+ valuator = create(:valuator, investments: [investment])
+
+ login_as(valuator.user)
+ visit valuation_budget_budget_investment_path(investment.budget, investment)
+
+ expect(page.text).not_to be_empty
+ end
+
+ scenario "markdown conversion" do
+ process = create(:legislation_process, description: attack_code)
+
+ visit legislation_process_path(process)
+
+ expect(page.text).not_to be_empty
+ end
+end
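Review bot: Every scenario asserts only `expect(page.text).not_to be_empty`, which passes on any page that renders at all, so the file does not explain what actually fails when a payload is not escaped; the mechanism appears to be that the `:js` driver raises when an unexpected modal is triggered by the injected markup, which is an inference rather than something the spec states. A short comment after the `describe` line would make the intent clear to a reader and protect the spec from being "simplified" into a non-JS feature spec, where the same assertions would stay green regardless of escaping: `# Run with :js on purpose: if attack_code is rendered unescaped, the driver raises on the resulting modal before page.text returns; the not_to be_empty check only forces that read.` The `let(:attack_code)` value shows as an empty string on this page, which may be a rendering artifact of the payload's markup; if it really is empty in the repository, none of these scenarios exercises escaping at all.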
diff --git a/spec/mailers/dashboard/mailer_spec.rb b/spec/mailers/dashboard/mailer_spec.rb
index 0b7ad3a04..c51d9e6c1 100644
--- a/spec/mailers/dashboard/mailer_spec.rb
+++ b/spec/mailers/dashboard/mailer_spec.rb
@@ -182,8 +182,8 @@ describe Dashboard::Mailer do
"successfully created.")
expect(email).to have_body_text("Take advantage that your proposal is not public yet and "\
"get ready to contact a lot of people.")
- expect(email).to have_body_text(I18n.t("mailers.new_actions_notification_on_create.text_2",
- link: proposal_dashboard_url(proposal)).html_safe)
+ expect(email).to have_body_text("When you are ready publish your citizen proposal from this")
+ expect(email).to have_link "link", href: proposal_dashboard_url(proposal)
expect(email).to have_body_text("We know that creating a proposal with a hook and getting "\
"the necessary support can seem complicated. But dont "\
"worry because we are going to help you!")