Use sanitize in translations with links

Sometimes we're interpolating a link inside a translation, and marking the whole translations as HTML safe. However, some translations added by admins to the database or through crowdin are not entirely under our control. Although AFAIK crowdin checks for potential cross-site scripting attacks, it's a good practice to sanitize parts of a string potentially out of our control before marking the string as HTML safe.
2019-10-01 21:57:06 +02:00
parent 56f690b8a9
commit 928312e218
41 changed files with 95 additions and 89 deletions
--- a/app/views/budgets/index.html.erb
+++ b/app/views/budgets/index.html.erb
@@ -37,14 +37,14 @@
                            class: "button margin-top expanded" %>
              <% else %>
                <div class="callout warning margin-top">
-                  <%= t("budgets.investments.index.sidebar.verified_only",
+                  <%= sanitize(t("budgets.investments.index.sidebar.verified_only",
-                        verify: link_to_verify_account).html_safe %>
+                        verify: link_to_verify_account)) %>
                </div>
              <% end %>
            <% else %>
              <div class="callout primary margin-top">
-                <%= t("budgets.investments.index.sidebar.not_logged_in",
+                <%= sanitize(t("budgets.investments.index.sidebar.not_logged_in",
-                      sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
+                      sign_in: link_to_signin, sign_up: link_to_signup)) %>
              </div>
            <% end %>
          <% end %>
--- a/app/views/budgets/investments/_ballot.html.erb
+++ b/app/views/budgets/investments/_ballot.html.erb
@@ -51,11 +51,11 @@
      <p>
        <small>
-          <%= t("budgets.ballots.reasons_for_not_balloting.#{reason}",
+          <%= sanitize(t("budgets.ballots.reasons_for_not_balloting.#{reason}",
                verify_account: link_to_verify_account, signin: link_to_signin,
                signup: link_to_signup, my_heading: my_heading,
                change_ballot: change_ballot,
-                heading_link: heading_link(@assigned_heading, @budget)).html_safe %>
+                heading_link: heading_link(@assigned_heading, @budget))) %>
        </small>
      </p>
    </div>
--- a/app/views/budgets/investments/_header.html.erb
+++ b/app/views/budgets/investments/_header.html.erb
@@ -40,9 +40,9 @@
                        heading_link: heading_link(@assigned_heading, @budget)) %>
                  <br>
                  <small>
-                    <%= t("budgets.investments.header.change_ballot",
+                    <%= sanitize(t("budgets.investments.header.change_ballot",
                        check_ballot: link_to(t("budgets.investments.header.check_ballot_link"),
-                                      budget_ballot_path(@budget))).html_safe %>
+                                      budget_ballot_path(@budget)))) %>
                  </small>
                </div>
              </div>
--- a/app/views/budgets/investments/_sidebar.html.erb
+++ b/app/views/budgets/investments/_sidebar.html.erb
@@ -6,17 +6,17 @@
               new_budget_investment_path(budget_id: @budget.id), class: "button budget expanded" %>
  <% else %>
    <div class="callout warning">
-      <%= t("budgets.investments.index.sidebar.verified_only",
+      <%= sanitize(t("budgets.investments.index.sidebar.verified_only",
-          verify: link_to_verify_account).html_safe %>
+          verify: link_to_verify_account)) %>
    </div>
  <% end %>
 <% end %>
 <% if @heading && can?(:show, @ballot) %>
  <p class="callout">
-    <%= t("budgets.investments.index.sidebar.voted_info",
+    <%= sanitize(t("budgets.investments.index.sidebar.voted_info",
        link: link_to(t("budgets.investments.index.sidebar.voted_info_link"),
-            budget_ballot_path(@budget))).html_safe %>
+            budget_ballot_path(@budget)))) %>
  </p>
 <% end %>
@@ -52,9 +52,9 @@
            ) %>
      <br>
      <small>
-        <%= t("budgets.investments.index.sidebar.change_ballot",
+        <%= sanitize(t("budgets.investments.index.sidebar.change_ballot",
            check_ballot: link_to(t("budgets.investments.index.sidebar.check_ballot_link"),
-                          budget_ballot_path(@budget))).html_safe %>
+                          budget_ballot_path(@budget)))) %>
      </small>
    </p>
  <% else %>
--- a/app/views/budgets/investments/_votes.html.erb
+++ b/app/views/budgets/investments/_votes.html.erb
@@ -31,13 +31,13 @@
    <div class="js-participation-not-allowed participation-not-allowed" style="display:none" aria-hidden="false">
      <p>
        <small>
-          <%= t("votes.budget_investments.#{reason}",
+          <%= sanitize(t("votes.budget_investments.#{reason}",
                count: investment.group.max_votable_headings,
                verify_account: link_to_verify_account,
                signin: link_to_signin,
                signup: link_to_signup,
                supported_headings: (current_user && current_user.headings_voted_within_group(investment.group).map(&:name).sort.to_sentence)
-               ).html_safe %>
+               )) %>
        </small>
      </p>
    </div>
--- a/app/views/budgets/show.html.erb
+++ b/app/views/budgets/show.html.erb
@@ -23,14 +23,14 @@
            <%= link_to t("budgets.investments.index.sidebar.create"), new_budget_investment_path(@budget), class: "button margin-top expanded" %>
          <% else %>
            <div class="callout warning margin-top">
-              <%= t("budgets.investments.index.sidebar.verified_only",
+              <%= sanitize(t("budgets.investments.index.sidebar.verified_only",
-                  verify: link_to_verify_account).html_safe %>
+                  verify: link_to_verify_account)) %>
            </div>
          <% end %>
        <% else %>
          <div class="callout primary margin-top">
-            <%= t("budgets.investments.index.sidebar.not_logged_in",
+            <%= sanitize(t("budgets.investments.index.sidebar.not_logged_in",
-                  sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
+                  sign_in: link_to_signin, sign_up: link_to_signup)) %>
          </div>
        <% end %>
      <% end %>
--- a/app/views/comments/_comment_tree.html.erb
+++ b/app/views/comments/_comment_tree.html.erb
@@ -24,7 +24,7 @@
          <% elsif require_verified_resident_for_commentable?(commentable, current_user) %>
            <br>
            <div data-alert class="callout primary">
-              <%= t("comments.verified_only", verify_account: link_to_verify_account).html_safe %>
+              <%= sanitize(t("comments.verified_only", verify_account: link_to_verify_account)) %>
            </div>
          <% elsif allow_comments %>
            <%= render "comments/form", { commentable: commentable,
--- a/app/views/comments/_votes.html.erb
+++ b/app/views/comments/_votes.html.erb
@@ -81,9 +81,7 @@
    </div>
    <div class="participation-not-allowed" style="display:none" aria-hidden="false">
-      <%= t("votes.comment_unauthenticated",
+      <%= sanitize(t("votes.comment_unauthenticated", signin: link_to_signin, signup: link_to_signup)) %>
        signin: link_to_signin,
        signup: link_to_signup).html_safe %>
    </div>
  <% end %>
 </div>
--- a/app/views/dashboard/mailer/new_actions_notification_on_create.html.erb
+++ b/app/views/dashboard/mailer/new_actions_notification_on_create.html.erb
@@ -6,7 +6,7 @@
  <p>
    <%= t("mailers.new_actions_notification_on_create.text_1") %>
    <br>
-    <%= t("mailers.new_actions_notification_on_create.text_2", link: proposal_dashboard_url(@proposal)).html_safe %>
+    <%= sanitize(t("mailers.new_actions_notification_on_create.text_2", link: proposal_dashboard_url(@proposal))) %>
  </p>
  <p><%= t("mailers.new_actions_notification_on_create.text_3") %></p>
  <p><%= t("mailers.new_actions_notification_on_create.text_4") %></p>
--- a/app/views/dashboard/mailer/new_actions_notification_rake_created.html.erb
+++ b/app/views/dashboard/mailer/new_actions_notification_rake_created.html.erb
@@ -10,9 +10,9 @@
           title: @proposal.title) %>
  </p>
  <p>
-    <%= t("mailers.new_actions_notification_rake_created.text_1",
+    <%= sanitize(t("mailers.new_actions_notification_rake_created.text_1",
           link_to_published: link_to(proposal_dashboard_url(@proposal),
-                                      proposal_dashboard_url(@proposal))).html_safe %>
+                                      proposal_dashboard_url(@proposal)))) %>
  </p>
  <p><%= t("mailers.new_actions_notification_rake_created.text_2") %></p>
  <br>
--- a/app/views/debates/_votes.html.erb
+++ b/app/views/debates/_votes.html.erb
@@ -52,7 +52,7 @@
  <% elsif user_signed_in? && !debate.votable_by?(current_user) %>
    <div class="participation-not-allowed" style="display:none" aria-hidden="false">
      <p>
-        <%= t("votes.anonymous", verify_account: link_to_verify_account).html_safe %>
+        <%= sanitize(t("votes.anonymous", verify_account: link_to_verify_account)) %>
      </p>
    </div>
  <% elsif !user_signed_in? %>
--- a/app/views/debates/index.html.erb
+++ b/app/views/debates/index.html.erb
@@ -86,8 +86,8 @@
          </p>
          <p><%= t("debates.index.section_footer.description") %></p>
          <p><%= t("debates.index.section_footer.help_text_1") %></p>
-          <p><%= t("debates.index.section_footer.help_text_2",
+          <p><%= sanitize(t("debates.index.section_footer.help_text_2",
-                    org: link_to(setting["org_name"], new_user_registration_path)).html_safe %></p>
+                    org: link_to(setting["org_name"], new_user_registration_path))) %></p>
          </p>
        </div>
      <% end %>
--- a/app/views/debates/new.html.erb
+++ b/app/views/debates/new.html.erb
@@ -5,8 +5,8 @@
    <h1><%= t("debates.new.start_new") %></h1>
    <div data-alert class="callout primary">
-      <%= t("debates.new.info",
+      <%= sanitize(t("debates.new.info",
-      info_link: link_to(t("debates.new.info_link"), new_proposal_path)).html_safe %>
+      info_link: link_to(t("debates.new.info_link"), new_proposal_path))) %>
      <% if feature?(:help_page) %>
        <%= link_to help_path, title: t("shared.target_blank"), target: "_blank" do %>
--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@@ -4,8 +4,8 @@
 <%= render "devise/omniauth_form" %>
 <p>
-  <%= t("devise_views.shared.links.signup",
+  <%= sanitize(t("devise_views.shared.links.signup",
-      signup_link: link_to(t("devise_views.shared.links.signup_link"), new_user_registration_path)).html_safe %>
+      signup_link: link_to(t("devise_views.shared.links.signup_link"), new_user_registration_path))) %>
 </p>
 <%= form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>
--- a/app/views/direct_messages/new.html.erb
+++ b/app/views/direct_messages/new.html.erb
@@ -9,8 +9,8 @@
    <% if not current_user %>
      <div class="callout primary">
        <p>
-          <%= t("users.login_to_continue",
+          <%= sanitize(t("users.login_to_continue",
-            signin: link_to_signin, signup: link_to_signup).html_safe %>
+            signin: link_to_signin, signup: link_to_signup)) %>
        </p>
      </div>
    <% elsif not @receiver.email_on_direct_message? %>
@@ -33,8 +33,8 @@
    <% else %>
      <div class="callout warning">
        <p>
-          <%= t("users.direct_messages.new.verified_only",
+          <%= sanitize(t("users.direct_messages.new.verified_only",
-                verify_account: link_to_verify_account).html_safe %>
+                verify_account: link_to_verify_account)) %>
        </p>
      </div>
    <% end %>
--- a/app/views/layouts/_footer.html.erb
+++ b/app/views/layouts/_footer.html.erb
@@ -6,10 +6,9 @@
      </h1>
      <p class="info">
-        <%= t("layouts.footer.description",
+        <%= sanitize(t("layouts.footer.description",
          open_source: link_to(t("layouts.footer.open_source"), t("layouts.footer.open_source_url"), target: "blank", rel: "nofollow"),
-          consul:  link_to(t("layouts.footer.consul"), t("layouts.footer.consul_url"), target: "blank", rel: "nofollow")).html_safe
+          consul:  link_to(t("layouts.footer.consul"), t("layouts.footer.consul_url"), target: "blank", rel: "nofollow"))) %>
        %>
        <%= t("layouts.footer.contact_us") %>
      </p>
    </div>
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -30,12 +30,12 @@
          </button>
          <h2><%= t("layouts.application.ie_title") %></h2>
          <p>
-            <%= t("layouts.application.ie",
+            <%= sanitize(t("layouts.application.ie",
            chrome: link_to(
                    t("layouts.application.chrome"), "https://www.google.com/chrome/browser/desktop/", title: t("shared.target_blank"), target: "_blank"),
            firefox: link_to(
                     t("layouts.application.firefox"), "https://www.mozilla.org/firefox", title: t("shared.target_blank"), target: "_blank")
-            ).html_safe %>
+            )) %>
          </p>
        </div>
      <![endif]-->
--- a/app/views/legislation/annotations/_comments_box.html.erb
+++ b/app/views/legislation/annotations/_comments_box.html.erb
@@ -37,8 +37,8 @@
      <div>
        <div class="participation-not-allowed" style="display: none;" aria-hidden="false">
-          <%= t("users.login_to_comment",
+          <%= sanitize(t("users.login_to_comment",
-              signin: link_to_signin, signup: link_to_signup).html_safe %>
+              signin: link_to_signin, signup: link_to_signup)) %>
        </div>
      </div>
--- a/app/views/legislation/processes/_help_gif.html.erb
+++ b/app/views/legislation/processes/_help_gif.html.erb
@@ -11,8 +11,8 @@
          <%= t("annotator.help.alt") %>
        <% else %>
          <p>
-            <%= t("annotator.help.text",
+            <%= sanitize(t("annotator.help.text",
-                sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
+                sign_in: link_to_signin, sign_up: link_to_signup)) %>
          </p>
        <% end %>
--- a/app/views/legislation/proposals/_featured_votes.html.erb
+++ b/app/views/legislation/proposals/_featured_votes.html.erb
@@ -22,7 +22,7 @@
  <% elsif user_signed_in? && !proposal.votable_by?(current_user) %>
    <div class="participation-not-allowed" style="display:none" aria-hidden="false">
      <p>
-        <%= t("votes.verified_only", verify_account: link_to_verify_account).html_safe %>
+        <%= sanitize(t("votes.verified_only", verify_account: link_to_verify_account)) %>
      </p>
    </div>
  <% elsif !user_signed_in? %>
--- a/app/views/legislation/proposals/_votes.html.erb
+++ b/app/views/legislation/proposals/_votes.html.erb
@@ -54,8 +54,8 @@
  <% elsif user_signed_in? && !proposal.votable_by?(current_user) %>
    <div class="participation-not-allowed" style="display:none" aria-hidden="false">
      <p>
-        <%= t("legislation.proposals.not_verified",
+        <%= sanitize(t("legislation.proposals.not_verified",
-            verify_account: link_to_verify_account).html_safe %>
+            verify_account: link_to_verify_account)) %>
      </p>
    </div>
  <% elsif !user_signed_in? %>
--- a/app/views/legislation/questions/_participation_not_allowed.html.erb
+++ b/app/views/legislation/questions/_participation_not_allowed.html.erb
@@ -7,14 +7,14 @@
 <% elsif user_signed_in? && current_user.unverified? %>
  <div class="participation-not-allowed" style="display:none" aria-hidden="false">
    <p>
-      <%= t("legislation.questions.participation.verified_only",
+      <%= sanitize(t("legislation.questions.participation.verified_only",
-          verify_account: link_to_verify_account).html_safe %>
+          verify_account: link_to_verify_account)) %>
    </p>
  </div>
 <% elsif !user_signed_in? %>
  <div class="participation-not-allowed" style="display:none" aria-hidden="false">
-    <%= t("legislation.questions.participation.unauthenticated",
+    <%= sanitize(t("legislation.questions.participation.unauthenticated",
-          signin: link_to_signin, signup: link_to_signup).html_safe %>
+          signin: link_to_signin, signup: link_to_signup)) %>
  </div>
 <% elsif !@process.debate_phase.open? %>
  <div class="participation-not-allowed" style="display:none" aria-hidden="false">
--- a/app/views/mailer/budget_investment_created.html.erb
+++ b/app/views/mailer/budget_investment_created.html.erb
@@ -16,8 +16,8 @@
  </p>
  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
-    <%= t("mailers.budget_investment_created.follow_html",
+    <%= sanitize(t("mailers.budget_investment_created.follow_html",
-           link: link_to(t("mailers.budget_investment_created.follow_link"), budgets_url)).html_safe %>
+           link: link_to(t("mailers.budget_investment_created.follow_link"), budgets_url))) %>
  </p>
  <table style="width: 100%;">
--- a/app/views/mailer/direct_message_for_receiver.html.erb
+++ b/app/views/mailer/direct_message_for_receiver.html.erb
@@ -26,9 +26,9 @@
      <tr>
        <td style="padding-left: 10px;">
          <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px; margin: 0; font-style: italic; padding-bottom: 20px;">
-            <%= t("mailers.direct_message_for_receiver.unsubscribe",
+            <%= sanitize(t("mailers.direct_message_for_receiver.unsubscribe",
                account: link_to(t("mailers.direct_message_for_receiver.unsubscribe_account"),
-                                account_url, style: "color: #2895F1; text-decoration: none;")).html_safe %>
+                                account_url, style: "color: #2895F1; text-decoration: none;"))) %>
          </p>
        </td>
      </tr>
--- a/app/views/mailer/proposal_notification_digest.html.erb
+++ b/app/views/mailer/proposal_notification_digest.html.erb
@@ -61,9 +61,9 @@
      <tr>
        <td style="padding-left: 10px;">
          <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px; margin: 0; font-style: italic; padding-bottom: 20px;">
-            <%= t("mailers.proposal_notification_digest.unsubscribe",
+            <%= sanitize(t("mailers.proposal_notification_digest.unsubscribe",
                account: link_to(t("mailers.proposal_notification_digest.unsubscribe_account"),
-                                account_url, style: "color: #2895F1; text-decoration: none;")).html_safe %>
+                                account_url, style: "color: #2895F1; text-decoration: none;"))) %>
          </p>
        </td>
      </tr>
--- a/app/views/management/document_verifications/invalid_document.html.erb
+++ b/app/views/management/document_verifications/invalid_document.html.erb
@@ -11,6 +11,6 @@
      permissions: [:debates, :create_proposals] %>
 <p>
-  <%= t("management.document_verifications.has_no_account_html",
+  <%= sanitize(t("management.document_verifications.has_no_account_html",
-      link: link_to(t("management.document_verifications.link"), root_path, target: "_blank")).html_safe %>
+      link: link_to(t("management.document_verifications.link"), root_path, target: "_blank"))) %>
 </p>
--- a/app/views/pages/help/_budgets.html.erb
+++ b/app/views/pages/help/_budgets.html.erb
@@ -4,8 +4,8 @@
      <%= t("pages.help.budgets.title") %>
    </h3>
    <p>
-      <%= t("pages.help.budgets.description",
+      <%= sanitize(t("pages.help.budgets.description",
-           link: link_to(t("pages.help.budgets.link"), budgets_path)).html_safe %>
+           link: link_to(t("pages.help.budgets.link"), budgets_path))) %>
    </p>
    <figure>
--- a/app/views/pages/help/_debates.html.erb
+++ b/app/views/pages/help/_debates.html.erb
@@ -4,16 +4,16 @@
      <%= t("pages.help.debates.title") %>
    </h3>
    <p>
-      <%= t("pages.help.debates.description",
+      <%= sanitize(t("pages.help.debates.description",
          org: setting["org_name"],
          link: link_to(t("pages.help.debates.link"),
-                              debates_path)).html_safe %>
+                              debates_path))) %>
    </p>
    <ul class="features">
      <li>
-        <%= t("pages.help.debates.feature_html",
+        <%= sanitize(t("pages.help.debates.feature_html",
              link: link_to(t("pages.help.debates.feature_link", org: setting["org_name"]),
-                               new_user_registration_path)).html_safe %>
+                               new_user_registration_path))) %>
      </li>
    </ul>
--- a/app/views/pages/help/_polls.html.erb
+++ b/app/views/pages/help/_polls.html.erb
@@ -2,14 +2,14 @@
  <div class="small-12 column">
    <h3 id="polls" data-magellan-target="polls"><%= t("pages.help.polls.title") %></h3>
    <p>
-      <%= t("pages.help.polls.description",
+      <%= sanitize(t("pages.help.polls.description",
-            link: link_to(t("pages.help.polls.link"), polls_path)).html_safe %>
+            link: link_to(t("pages.help.polls.link"), polls_path))) %>
    </p>
    <ul class="features">
      <li>
-        <%= t("pages.help.polls.feature_1",
+        <%= sanitize(t("pages.help.polls.feature_1",
              link: link_to(t("pages.help.polls.feature_1_link", org_name: setting["org_name"]),
-                               new_user_registration_path)).html_safe %>
+                               new_user_registration_path))) %>
      </li>
    </ul>
  </div>
--- a/app/views/pages/help/_processes.html.erb
+++ b/app/views/pages/help/_processes.html.erb
@@ -6,7 +6,7 @@
    <p>
      <% link = link_to(t("pages.help.processes.link"), legislation_processes_path) %>
-      <%= t("pages.help.processes.description", link: link).html_safe %>
+      <%= sanitize(t("pages.help.processes.description", link: link)) %>
    </p>
    <ul class="features">
      <li>
--- a/app/views/pages/help/_proposals.html.erb
+++ b/app/views/pages/help/_proposals.html.erb
@@ -4,8 +4,8 @@
      <%= t("pages.help.proposals.title") %>
    </h3>
    <p>
-      <%= t("pages.help.proposals.description",
+      <%= sanitize(t("pages.help.proposals.description",
-              link: link_to(t("pages.help.proposals.link"), proposals_path)).html_safe %>
+              link: link_to(t("pages.help.proposals.link"), proposals_path))) %>
    </p>
    <figure>
--- a/app/views/polls/_callout.html.erb
+++ b/app/views/polls/_callout.html.erb
@@ -1,9 +1,9 @@
 <% unless can?(:answer, @poll) %>
  <% if current_user.nil? %>
    <div class="callout primary">
-      <%= t("polls.show.cant_answer_not_logged_in",
+      <%= sanitize(t("polls.show.cant_answer_not_logged_in",
            signin: link_to_signin(class: "probe-message"),
-            signup: link_to_signup(class: "probe-message")).html_safe %>
+            signup: link_to_signup(class: "probe-message"))) %>
    </div>
  <% elsif current_user.unverified? %>
    <div class="callout warning">
--- a/app/views/proposal_notifications/new.html.erb
+++ b/app/views/proposal_notifications/new.html.erb
@@ -6,10 +6,10 @@
    <div class="callout primary">
      <p>
-        <%= t("proposal_notifications.new.info_about_receivers_html",
+        <%= sanitize(t("proposal_notifications.new.info_about_receivers_html",
              count: @proposal.users_to_notify.count,
              proposal_page: link_to(t("proposal_notifications.new.proposal_page"),
-                                     proposal_path(@proposal, anchor: "comments"))).html_safe %>
+                                     proposal_path(@proposal, anchor: "comments")))) %>
      </p>
    </div>
  </div>
--- a/app/views/proposals/_featured_votes.html.erb
+++ b/app/views/proposals/_featured_votes.html.erb
@@ -22,7 +22,7 @@
  <% elsif user_signed_in? && !proposal.votable_by?(current_user) %>
    <div class="participation-not-allowed" style="display:none" aria-hidden="false">
      <p>
-        <%= t("votes.verified_only", verify_account: link_to_verify_account).html_safe %>
+        <%= sanitize(t("votes.verified_only", verify_account: link_to_verify_account)) %>
      </p>
    </div>
  <% elsif !user_signed_in? %>
--- a/app/views/proposals/_votes.html.erb
+++ b/app/views/proposals/_votes.html.erb
@@ -29,7 +29,7 @@
    <div tabindex="0">
      <div class="participation-not-allowed" style="display:none" aria-hidden="false">
        <p>
-          <%= t("votes.verified_only", verify_account: link_to_verify_account).html_safe %>
+          <%= sanitize(t("votes.verified_only", verify_account: link_to_verify_account)) %>
        </p>
      </div>
    </div>
--- a/app/views/shared/_login_to_comment.html.erb
+++ b/app/views/shared/_login_to_comment.html.erb
@@ -1,3 +1,3 @@
 <div data-alert class="callout primary">
-  <%= t("users.login_to_comment", signin: link_to_signin, signup: link_to_signup).html_safe %>
+  <%= sanitize(t("users.login_to_comment", signin: link_to_signin, signup: link_to_signup)) %>
 </div>
--- a/app/views/shared/_login_to_vote.html.erb
+++ b/app/views/shared/_login_to_vote.html.erb
@@ -1,3 +1,3 @@
 <div class="participation-not-allowed" style="display:none" aria-hidden="false">
-  <%= t("users.login_to_continue", signin: link_to_signin, signup: link_to_signup).html_safe %>
+  <%= sanitize(t("users.login_to_continue", signin: link_to_signin, signup: link_to_signup)) %>
 </div>
--- a/app/views/topics/_informative_text.html.erb
+++ b/app/views/topics/_informative_text.html.erb
@@ -6,7 +6,7 @@
  </div>
 <% else %>
  <div class="callout primary">
-    <%= t("community.show.create_first_community_topic.sub_first_theme",
+    <%= sanitize(t("community.show.create_first_community_topic.sub_first_theme",
-          sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
+          sign_in: link_to_signin, sign_up: link_to_signup)) %>
  </div>
 <% end %>
--- a/app/views/users/registrations/new.html.erb
+++ b/app/views/users/registrations/new.html.erb
@@ -7,8 +7,8 @@
  <%= render "shared/errors", resource: resource %>
  <p>
-    <%= t("devise_views.users.registrations.new.organization_signup",
+    <%= sanitize(t("devise_views.users.registrations.new.organization_signup",
-        signup_link: link_to(t("devise_views.users.registrations.new.organization_signup_link"), new_organization_registration_path)).html_safe %>
+        signup_link: link_to(t("devise_views.users.registrations.new.organization_signup_link"), new_organization_registration_path))) %>
  </p>
  <div class="row">
--- a/spec/features/xss_spec.rb
+++ b/spec/features/xss_spec.rb
@@ -40,6 +40,15 @@ describe "Cross-Site Scripting protection", :js do
    expect(page.text).not_to be_empty
  end
  scenario "link to sign in" do
    I18nContent.create(key: "budgets.investments.index.sidebar.not_logged_in", value: attack_code)
    create(:budget, phase: "accepting")
    visit budgets_path
    expect(page.text).not_to be_empty
  end
  scenario "proposal actions in dashboard" do
    proposal = create(:proposal)
--- a/spec/mailers/dashboard/mailer_spec.rb
+++ b/spec/mailers/dashboard/mailer_spec.rb
@@ -182,8 +182,8 @@ describe Dashboard::Mailer do
                                      "successfully created.")
      expect(email).to have_body_text("Take advantage that your proposal is not public yet and "\
                                      "get ready to contact a lot of people.")
-      expect(email).to have_body_text(I18n.t("mailers.new_actions_notification_on_create.text_2",
+      expect(email).to have_body_text("When you are ready publish your citizen proposal from this")
-                                      link: proposal_dashboard_url(proposal)).html_safe)
+      expect(email).to have_link "link", href: proposal_dashboard_url(proposal)
      expect(email).to have_body_text("We know that creating a proposal with a hook and getting "\
                                      "the necessary support can seem complicated. But dont "\
                                      "worry because we are going to help you!")