Sanitizing descriptions before saving a record has a few drawbacks:
1. It makes the application rely on data being safe in the database. If
somehow dangerous data enters the database, the application will be
vulnerable to XSS attacks.
2. It makes the code complicated.
3. It isn't backwards compatible; if we decide to disallow a certain
HTML tag in the future, we'd need to sanitize existing data.
On the other hand, sanitizing the data in the view means we don't need
to triple-check dangerous HTML has already been stripped when we see the
method `auto_link_already_sanitized_html`, since now every time we use
it we sanitize the text in the same line we call this method.
We could also sanitize the data twice, both when saving to the database
and when displaying values in the view. However, doing so wouldn't make
the application safer, since we sanitize text introduced through
textarea fields but we don't sanitize text introduced through input
fields.
Finally, we could also overwrite the `description` method so it
sanitizes the text. But we're already introducing Globalize which
overwrites that method, and overwriting it again is a bit too confusing
in my humble opinion. It can also lead to hard-to-debug behaviour.
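The render-time approach argued for above, as an added example that is not part of the commit or of the project's own code. A small allowlist-based sanitizer (constructed here so the script runs offline) stands in for Rails' `sanitize` helper; the `Page` struct, `auto_link` and `render_description` are likewise constructed stand-ins for the record and for `auto_link_already_sanitized_html`. The point it shows is that the view never depends on the database holding only safe HTML: a stored `<script>` element and a `javascript:` link are neutralised on the same line that auto-links URLs.

```ruby
# Added example (not project code): sanitize at render time, in the same
# expression that auto-links, instead of trusting what was stored.
require "cgi"

# Constructed allowlist standing in for Rails' sanitize helper.
ALLOWED_TAGS = %w[p br strong em a].freeze

# Matches any HTML tag (capturing its name) or a stray angle bracket.
TAG_OR_BRACKET = %r{</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>|[<>]}

def sanitize_html(html)
  html.gsub(TAG_OR_BRACKET) do |match|
    name = Regexp.last_match(1)&.downcase
    if name && ALLOWED_TAGS.include?(name)
      # Allowed element: keep the tag but drop every attribute, which also
      # discards things like href="javascript:..." or onclick handlers.
      match.start_with?("</") ? "</#{name}>" : "<#{name}>"
    else
      # Unknown element (e.g. <script>) or a lone bracket: escape it so the
      # browser shows it as text. Escaping, rather than deleting, also
      # defeats nested tricks such as <scr<script>ipt>.
      CGI.escapeHTML(match)
    end
  end
end

# Constructed auto-linker: only ever called on already-sanitized HTML, so
# the URLs it finds are plain text, and it escapes them before putting
# them into an attribute.
URL_PATTERN = %r{https?://[^\s<]+}

def auto_link(sanitized_html)
  sanitized_html.gsub(URL_PATTERN) do |url|
    safe = CGI.escapeHTML(url)
    %(<a href="#{safe}">#{safe}</a>)
  end
end

# Stand-in for the record: the description is stored exactly as entered.
Page = Struct.new(:description)

def render_description(page)
  # Sanitize and auto-link on one line, so a reader of the view can see
  # the sanitization without checking what happened at save time.
  auto_link(sanitize_html(page.description.to_s))
end

# Constructed sample: a description that somehow reached the DB with
# dangerous markup in it.
STORED = %(<p>Visit http://example.org</p><script>alert(1)</script>) +
         %(<a href="javascript:alert(1)">link</a>)

puts render_description(Page.new(STORED))
```

Running it prints `<p>Visit <a href="http://example.org">http://example.org</a></p>&lt;script&gt;alert(1)&lt;/script&gt;<a>link</a>`: the link survives without its `javascript:` target, the script element is rendered as inert text, and the URL is linked. Because the sanitizer runs on every render, tightening the allowlist later applies to existing rows immediately, which is the backwards-compatibility point made in the commit message.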
From now on these static pages:
`/privacy`
`/conditions`
`/accesibility`
`/help/faq`
`/welcome`
have been moved to the DB and can be modified easily by any
administrator in `/admin/site_customization/pages`
Using `find_each` ignores the scope order we set in `Widget::Card.body`,
and since we don't expect to have thousands of cards, using batches
isn't necessary.
This way we remove the "WARN Scoped order and limit are ignored, it's
forced to be batch order and batch size" message we were getting in the
specs.
Banners were not being shown on certain pages; now
they are.
Spec added to check that the banner is being shown
correctly. Before it was in the admin specs; now it has its
own spec outside the admin folder.
Regarding the feature ‘Carousel size’:
There is no need to test styling in specs; it changes too often.
There are nice ways to test it, but it seems a little too much right
Review later on.
Note there is some funkiness going on with class loading.
Had to create a `feed` and `widget_feed` table even though in this
first version Widget::Feed only uses ActiveModel instead
of ActiveRecord; otherwise some specs failed.
We’ll figure it out and clean up 😌
Changed functions in verification.rb: the first thing they do is
return true when skip_user_verification is active.
Changed show_welcome_screen? in user.rb: now it shows the welcome
page even with the option active.
Changed welcome.html.erb: now if the user sees this view and the
option is activated, all 4 checks are green, not only 2.