decidim-core 0.26.5 → 0.26.7

data/app/scrubbers/decidim/admin_input_scrubber.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Decidim
+  # Use this class as a scrubber to sanitize admin user input. The default
+  # scrubbed provided by Rails does not allow `iframe`s, and we are using
+  # them to embed videos, so we need to provide a whole new scrubber.
+  #
+  # Example:
+  #
+  #    sanitize(@page.body, scrubber: Decidim::AdminInputScrubber.new)
+  #
+  # Lists of default tags and attributes are extracted from
+  # https://stackoverflow.com/a/35073814/2110884.
+  class AdminInputScrubber < UserInputScrubber
+    private
+
+    DECIDIM_ALLOWED_TAGS = %w(img video audio source comment iframe).freeze
+
+    def custom_allowed_attributes
+      super + %w(frameborder allowfullscreen) - %w(onerror)
+    end
+
+    def custom_allowed_tags
+      super + DECIDIM_ALLOWED_TAGS
+    end
+  end
+end

data/app/scrubbers/decidim/user_input_scrubber.rb

@@ -1,9 +1,7 @@
 # frozen_string_literal: true
 
 module Decidim
-  # Use this class as a scrubber to sanitize user input. The default
-  # scrubbed provided by Rails does not allow `iframe`s, and we're using
-  # them to embed videos, so we need to provide a whole new scrubber.
+  # Use this class as a scrubber to sanitize participant user input.
   #
   # Example:
   #
@@ -20,12 +18,41 @@ module Decidim
 
     private
 
+    RESTRICTED_TAGS = %w(
+      area
+      article
+      aside
+      audio
+      button
+      canvas
+      fieldset
+      figcaption
+      figure
+      font
+      footer
+      form
+      header
+      img
+      input
+      label
+      legend
+      main
+      map
+      menu
+      optgroup
+      option
+      output
+      select
+      textarea
+      video
+    ).freeze
+
     def custom_allowed_attributes
-      Loofah::HTML5::SafeList::ALLOWED_ATTRIBUTES + %w(frameborder allowfullscreen) - %w(onerror)
+      Loofah::HTML5::SafeList::ALLOWED_ATTRIBUTES
     end
 
     def custom_allowed_tags
-      Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2 + %w(iframe)
+      Loofah::HTML5::SafeList::ACCEPTABLE_ELEMENTS - RESTRICTED_TAGS
     end
   end
 end

data/app/services/decidim/traceability.rb

@@ -117,6 +117,7 @@ module Decidim
       return unless user.is_a?(Decidim::User)
       # If the record is not valid, it may not yet have an ID causing an
       # exception when trying to save the log record.
+      return if resource.nil?
       return unless resource.valid?
 
       Decidim::ActionLogger.log(

data/app/views/decidim/links/_invalid_url_modal.html.erb

@@ -0,0 +1,17 @@
+<%= decidim_modal id: "external-domain-warning" do %>
+  <div data-dialog-container>
+    <%= icon "external-link-line" %>
+    <h2 id="dialog-title-external-domain-warning" tabindex="-1" data-dialog-title><%= t("decidim.links.warning.title") %></h2>
+    <div>
+
+      <code class="mt-5 block break-all text-alert">
+        <%= flash[:alert] %>
+      </code>
+    </div>
+  </div>
+  <div data-dialog-actions>
+    <button class="button button__lg button__transparent-secondary" data-dialog-close="external-domain-warning">
+      <%= t("decidim.links.warning.cancel") %>
+    </button>
+  </div>
+<% end %>

data/app/views/decidim/links/_modal.html.erb

@@ -13,7 +13,7 @@
       </div>
     </div>
     <div class="row buttons">
-      <%= link_to t("decidim.links.warning.proceed"), params[:external_url], target: "_blank", data: { close: "" }, class: "button primary button--nomargin" %>
+      <%= link_to t("decidim.links.warning.proceed"), external_url.to_s, target: "_blank", data: { close: "" }, class: "button primary button--nomargin" %>
       <button class="button clear" data-close>
         <%= t("decidim.links.warning.cancel") %>
       </button>

data/app/views/decidim/links/invalid_url.js.erb

@@ -0,0 +1,24 @@
+(function() {
+  const create = (selector) => {
+    const element = document.createElement("div")
+    element.id = selector
+    document.body.append(element)
+    return element
+  }
+
+  const selector = "external-domain-warning"
+  const selectorContainer = `${selector}-container`
+
+  // if the container does not exist in the DOM, it creates a new one, otherwise, replace the content
+  const externalDomainWarning = document.getElementById(selectorContainer) || create(selectorContainer)
+
+  externalDomainWarning.innerHTML = ''
+  externalDomainWarning.innerHTML = '<%= j(render partial: "invalid_url_modal").strip.html_safe %>'
+
+  new window.Decidim.Dialogs(`#${selector}`, {
+    closingSelector: `[data-dialog-close="${selector}"]`,
+    backdropSelector: `[data-dialog="${selector}"]`,
+    labelledby: `dialog-title-${selector}`,
+    describedby: `dialog-desc-${selector}`
+  }).open()
+})()

data/app/views/decidim/links/new.html.erb

@@ -12,7 +12,7 @@
           </div>
           <div class="row">
             <div class="columns large-12 text-center">
-              <%= link_to t("decidim.links.warning.proceed"), params[:external_url], class: "button expanded primary" %>
+              <%= link_to t("decidim.links.warning.proceed"), external_url.to_s, class: "button expanded primary" %>
             </div>
           </div>
         </div>

data/app/views/decidim/messaging/conversations/_conversation.html.erb

@@ -33,11 +33,7 @@
         <span class="text-small">
           <%= t("last_message", scope: "decidim.messaging.conversations.index") %>:
           <strong>
-            <% if I18n.locale != :en %>
-              <%= t("ago", scope: "decidim.messaging.conversations.index") %> <%= time_ago_in_words(Time.parse(conversation.last_message.created_at.to_s)) %>
-            <% else %>
-              <%= time_ago_in_words(Time.parse(conversation.last_message.created_at.to_s)) %> <%= t("ago", scope: "decidim.messaging.conversations.index") %>
-            <% end %>
+            <%= t("decidim.user_conversations.index.time_ago", time: time_ago_in_words(Time.zone.parse(conversation.last_message.created_at.to_s))) %>
           </strong>
         </span>
       </div>

data/app/views/decidim/pages/_standalone.html.erb

@@ -10,7 +10,7 @@
 
     <div class="columns small-12">
       <div class="card">
-        <div class="card__content"><%= decidim_sanitize translated_attribute page.content %></div>
+        <div class="card__content"><%= decidim_sanitize_editor_admin translated_attribute page.content %></div>
       </div>
     </div>
 

data/app/views/decidim/pages/_tabbed.html.erb

@@ -32,7 +32,7 @@
                 <h2>
                   <%= translated_attribute page.title %>
                 </h2>
-                <%= decidim_sanitize_editor translated_attribute page.content %>
+                <%= decidim_sanitize_editor_admin translated_attribute page.content %>
               </div>
             </div>
           </div>