From a20c0f078d8a13eb471346f581d0a13bfefff076 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?= <javim@elretirao.net>
Date: Sun, 6 Oct 2019 04:22:48 +0200
Subject: [PATCH] Use `safe_join` instead of `<%==`

Using `<%==` is the same as using `raw`, and here we only want to mark
as safe a `<br>` tag.
---
 app/helpers/proposals_dashboard_helper.rb | 2 +-
 app/views/dashboard/_resource.html.erb    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/helpers/proposals_dashboard_helper.rb b/app/helpers/proposals_dashboard_helper.rb
index 1151a7d0d..4416c9fd8 100644
--- a/app/helpers/proposals_dashboard_helper.rb
+++ b/app/helpers/proposals_dashboard_helper.rb
@@ -65,7 +65,7 @@ module ProposalsDashboardHelper
                 supports: number_with_delimiter(resource.required_supports,
                 delimiter: ".")) if resource.required_supports > 0
 
-    label.join(" #{t("dashboard.resource.and")}<br>")
+    safe_join label, h(" #{t("dashboard.resource.and")})") + tag(:br)
   end
 
   def daily_selected_class
diff --git a/app/views/dashboard/_resource.html.erb b/app/views/dashboard/_resource.html.erb
index c71f236d3..bef2c194f 100644
--- a/app/views/dashboard/_resource.html.erb
+++ b/app/views/dashboard/_resource.html.erb
@@ -23,7 +23,7 @@
                     class: "button expanded" %>
       <% else %>
         <strong>
-          <%== resource_availability_label(resource) %>
+          <%= resource_availability_label(resource) %>
         </strong>
       <% end %>
     </div>