928312e218
Sometimes we're interpolating a link inside a translation, and marking the whole translations as HTML safe. However, some translations added by admins to the database or through crowdin are not entirely under our control. Although AFAIK crowdin checks for potential cross-site scripting attacks, it's a good practice to sanitize parts of a string potentially out of our control before marking the string as HTML safe.
45 lines
1.5 KiB
Plaintext
45 lines
1.5 KiB
Plaintext
<div class="supports text-center">
|
|
<div class="in-favor">
|
|
<% if voted_for?(@featured_proposals_votes, proposal) %>
|
|
<div class="supported">
|
|
<%= t("proposals.proposal.already_supported") %>
|
|
</div>
|
|
<% else %>
|
|
<%= link_to vote_featured_proposal_path(proposal, value: "yes"),
|
|
class: "button button-support small expanded",
|
|
title: t("proposals.proposal.support_title"), method: "post", remote: true do %>
|
|
<%= t("proposals.proposal.support") %>
|
|
<% end %>
|
|
<% end %>
|
|
</div>
|
|
|
|
<% if user_signed_in? && current_user.organization? %>
|
|
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
|
|
<p>
|
|
<%= t("votes.organizations") %>
|
|
</p>
|
|
</div>
|
|
<% elsif user_signed_in? && !proposal.votable_by?(current_user) %>
|
|
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
|
|
<p>
|
|
<%= sanitize(t("votes.verified_only", verify_account: link_to_verify_account)) %>
|
|
</p>
|
|
</div>
|
|
<% elsif !user_signed_in? %>
|
|
<%= render "shared/login_to_vote" %>
|
|
<% end %>
|
|
|
|
<% if voted_for?(@featured_proposals_votes, proposal) %>
|
|
<% if setting["twitter_handle"] %>
|
|
<div class="share-supported">
|
|
<%= render "shared/social_share",
|
|
title: proposal.title,
|
|
url: proposal_url(proposal),
|
|
description: proposal.summary,
|
|
mobile: proposal.title
|
|
%>
|
|
</div>
|
|
<% end %>
|
|
<% end %>
|
|
</div>
|