consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
928312e2187e2369503a13056969fe5bff8e1483
nairobi/app/views/comments/_comment_tree.html.erb
Javi Martín 928312e218 Use sanitize in translations with links 
Sometimes we're interpolating a link inside a translation, and marking
the whole translations as HTML safe.

However, some translations added by admins to the database or through
crowdin are not entirely under our control.

Although AFAIK crowdin checks for potential cross-site scripting
attacks, it's a good practice to sanitize parts of a string potentially
out of our control before marking the string as HTML safe.
2019-10-08 18:46:21 +02:00

54 lines
2.4 KiB
Plaintext
Raw Blame History

<% commentable = comment_tree.commentable %>
<% valuation = local_assigns.fetch(:valuation, false) %>
<% allow_comments = local_assigns.fetch(:allow_comments, true) %>
<% admin_layout = local_assigns.fetch(:admin_layout, false) %>
<% cache [locale_and_user_status, comment_tree.order, commentable_cache_key(commentable), comment_tree.comments, comment_tree.comment_authors, commentable.comments_count, comment_flags, admin_layout] do %>
<section class="expanded comments">
<div class="row">
<div id="comments" class="small-12 column">
<% if display_comments_count %>
<h2>
<%= comment_tree_title_text(commentable) %>
<span class="js-comments-count">(<%= commentable.comments_count %>)</span>
</h2>
<% end %>
<%= render "shared/wide_order_selector", i18n_namespace: "comments" %>
<% if user_signed_in? %>
<% if comments_closed_for_commentable?(commentable) %>
<br>
<div data-alert class="callout primary">
<%= comments_closed_text(commentable) %>
</div>
<% elsif require_verified_resident_for_commentable?(commentable, current_user) %>
<br>
<div data-alert class="callout primary">
<%= sanitize(t("comments.verified_only", verify_account: link_to_verify_account)) %>
</div>
<% elsif allow_comments %>
<%= render "comments/form", { commentable: commentable,
parent_id: nil,
toggeable: false,
valuation: valuation } %>
<% end %>
<% else %>
<br>
<%= render "shared/login_to_comment" %>
<% end %>
<% comment_tree.root_comments.each do |comment| %>
<%= render "comments/comment", { comment: comment,
comment_flags: comment_flags,
valuation: valuation,
allow_votes: !valuation,
allow_actions: !valuation,
allow_comments: allow_comments,
admin_layout: admin_layout } %>
<% end %>
<%= paginate comment_tree.root_comments %>
</div>
</div>
</section>
<% end %>
Reference in New Issue View Git Blame Copy Permalink