Merge branch 'master' into staging

Conflicts: .travis.yml app/controllers/my_profile/tasks_controller.rb app/helpers/application_helper.rb app/views/profile_editor/_pending_tasks.html.erb app/views/tasks/processed.html.erb test/functional/tasks_controller_test.rb

Merge branch 'master' into staging
Conflicts: .travis.yml app/controllers/my_profile/tasks_controller.rb app/helpers/application_helper.rb app/views/profile_editor/_pending_tasks.html.erb app/views/tasks/processed.html.erb test/functional/tasks_controller_test.rb
Victor Costa
2 parents 45a508d7 9fb3ad5a
Showing 292 changed files with 1077 additions and 1016 deletions Show diff stats
.gitlab-ci.yml
.travis.yml
README.rails.md
app/controllers/my_profile/cms_controller.rb
app/controllers/my_profile/profile_editor_controller.rb
app/controllers/my_profile/tasks_controller.rb
app/helpers/action_tracker_helper.rb
app/helpers/application_helper.rb
app/helpers/block_helper.rb
app/helpers/blog_helper.rb
app/helpers/box_organizer_helper.rb
app/helpers/boxes_helper.rb
app/helpers/buttons_helper.rb
app/helpers/catalog_helper.rb
app/helpers/content_viewer_helper.rb
app/helpers/display_helper.rb
app/helpers/events_helper.rb
app/helpers/forms_helper.rb
app/helpers/forum_helper.rb
app/helpers/language_helper.rb
@@ -30,14 +30,47 @@ integration:
   script: bundle exec rake test:integration
   stage: all-tests
-cucumber:
-  script: bundle exec rake cucumber
+cucumber-1:
+  script: SLICE=1/2 bundle exec rake cucumber
+  stage: all-tests
+cucumber-2:
+  script: SLICE=2/2 bundle exec rake cucumber
   stage: all-tests
-selenium:
-  script: bundle exec rake selenium
+selenium-1:
+  script: SLICE=1/6 bundle exec rake selenium
+  stage: all-tests
+selenium-2:
+  script: SLICE=2/6 bundle exec rake selenium
+  stage: all-tests
+selenium-3:
+  script: SLICE=3/6 bundle exec rake selenium
+  stage: all-tests
+selenium-4:
+  script: SLICE=4/6 bundle exec rake selenium
+  stage: all-tests
+selenium-5:
+  script: SLICE=5/6 bundle exec rake selenium
+  stage: all-tests
+selenium-6:
+  script: SLICE=6/6 bundle exec rake selenium
   stage: all-tests
-plugins:
-  script: bundle exec rake test:noosfero_plugins
+# NOOSFERO_BUNDLE_OPTS=install makes migrations fails
+# probably because of rubygems-integration
+plugins-1:
+  script: SLICE=1/5 bundle exec rake test:noosfero_plugins
   stage: all-tests
+plugins-2:
+  script: SLICE=2/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+plugins-3:
+  script: SLICE=3/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+plugins-4:
+  script: SLICE=4/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+plugins-5:
+  script: SLICE=5/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+
@@ -61,11 +61,11 @@ env:
   - SLICE=2/4 TASK=selenium
   - SLICE=3/4 TASK=selenium
   - SLICE=4/4 TASK=selenium
-  - SLICE=1/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=2/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=3/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=4/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=5/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
+  - SLICE=1/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+  - SLICE=2/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+  - SLICE=3/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+  - SLICE=4/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+  - SLICE=5/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
 script:
   - ./script/ci
@@ -99,7 +99,7 @@ Description of contents
   Holds controllers that should be named like weblog_controller.rb for automated URL mapping. All controllers should descend from `ActionController::Base`.
 * `app/models`
-  Holds models that should be named like post.rb. Most models will descend from `ActiveRecord::Base`.
+  Holds models that should be named like post.rb. Most models will descend from `ApplicationRecord`.
 * `app/views`
   Holds the template files for the view that should be named like `weblog/index.rhtml` for the `WeblogController#index` action. All views use eRuby syntax. This directory can also be used to keep stylesheets, images, and so on that can be symlinked to public.
@@ -108,7 +108,7 @@ class CmsController &lt; MyProfileController
   end
   def new
-    # FIXME this method should share some logic wirh edit !!!
+    # FIXME this method should share some logic with edit !!!
     @success_back_to = params[:success_back_to]
     # user must choose an article type first
@@ -365,7 +365,7 @@ class CmsController &lt; MyProfileController
   def search
     query = params[:q]
     results = find_by_contents(:uploaded_files, profile, profile.files.published, query)[:results]
-    render :text => article_list_to_json(results), :content_type => 'application/json'
+    render :text => article_list_to_json(results).html_safe, :content_type => 'application/json'
   end
   def search_article_privacy_exceptions
@@ -32,6 +32,7 @@ class ProfileEditorController &lt; MyProfileController
         Image.transaction do
           begin
             @plugins.dispatch(:profile_editor_transaction_extras)
+            # TODO: This is unsafe! Add sanitizer
             @profile_data.update!(params[:profile_data])
             redirect_to :action => 'index', :profile => profile.identifier
           rescue Exception => ex
@@ -162,34 +162,25 @@ class TasksController &lt; MyProfileController
   protected
-  def filter_by_closed_date(filter, tasks)
-    filter[:closed_from] = Date.parse(filter[:closed_from]) unless filter[:closed_from].blank?
-    filter[:closed_until] = Date.parse(filter[:closed_until]) unless filter[:closed_until].blank?
-
-    tasks = tasks.where('tasks.end_date >= ?', filter[:closed_from].beginning_of_day) unless filter[:closed_from].blank?
-    tasks = tasks.where('tasks.end_date <= ?', filter[:closed_until].end_of_day) unless filter[:closed_until].blank?
-    tasks
-  end
+  def filter_tasks(filter, tasks)
+    tasks = tasks.eager_load(:requestor, :closed_by)
+    tasks = tasks.of(filter[:type].presence)
+    tasks = tasks.where(:status => filter[:status]) unless filter[:status].blank?
-  def filter_by_creation_date(filter, tasks)
     filter[:created_from] = Date.parse(filter[:created_from]) unless filter[:created_from].blank?
     filter[:created_until] = Date.parse(filter[:created_until]) unless filter[:created_until].blank?
+    filter[:closed_from] = Date.parse(filter[:closed_from]) unless filter[:closed_from].blank?
+    filter[:closed_until] = Date.parse(filter[:closed_until]) unless filter[:closed_until].blank?
-    tasks = tasks.where('tasks.created_at >= ?', filter[:created_from].beginning_of_day) unless filter[:created_from].blank?
-    tasks = tasks.where('tasks.created_at <= ?', filter[:created_until].end_of_day) unless filter[:created_until].blank?
-    tasks
-  end
+    tasks = tasks.from_creation_date filter[:created_from] unless filter[:created_from].blank?
+    tasks = tasks.until_creation_date filter[:created_until] unless filter[:created_until].blank?
-  def filter_tasks(filter, tasks)
-    tasks = tasks.eager_load(:requestor, :closed_by)
-    tasks = tasks.of(filter[:type].presence)
-    tasks = tasks.where(:status => filter[:status]) unless filter[:status].blank?
-    tasks = filter_by_creation_date(filter, tasks)
-    tasks = filter_by_closed_date(filter, tasks)
+    tasks = tasks.from_closed_date filter[:closed_from] unless filter[:closed_from].blank?
+    tasks = tasks.until_closed_date filter[:closed_until] unless filter[:closed_until].blank?
-    tasks = tasks.like('profiles.name', filter[:requestor]) unless filter[:requestor].blank?
-    tasks = tasks.like('closed_bies_tasks.name', filter[:closed_by]) unless filter[:closed_by].blank?
-    tasks = tasks.like('tasks.data', filter[:text]) unless filter[:text].blank?
+    tasks = tasks.where('profiles.name LIKE ?', filter[:requestor]) unless filter[:requestor].blank?
+    tasks = tasks.where('closed_bies_tasks.name LIKE ?', filter[:closed_by]) unless filter[:closed_by].blank?
+    tasks = tasks.where('tasks.data LIKE ?', "%#{filter[:text]}%") unless filter[:text].blank?
     tasks
   end
@@ -5,22 +5,22 @@ module ActionTrackerHelper
   end
   def new_friendship_description ta
-    n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size) % {
+    n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size).html_safe % {
       num: ta.get_friend_name.size,
-      name: ta.collect_group_with_index(:friend_name) do |n,i|
+      name: safe_join(ta.collect_group_with_index(:friend_name) do |n,i|
         link_to image_tag(ta.get_friend_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/person-icon.png")),
                 ta.get_friend_url[i], title: n
-      end.join
+      end)
     }
   end
   def join_community_description ta
-    n_('has joined 1 community:<br />%{name}', 'has joined %{num} communities:<br />%{name}', ta.get_resource_name.size) % {
+    n_('has joined 1 community:<br />%{name}'.html_safe, 'has joined %{num} communities:<br />%{name}'.html_safe, ta.get_resource_name.size) % {
       num: ta.get_resource_name.size,
       name: ta.collect_group_with_index(:resource_name) do |n,i|
-        link_to image_tag(ta.get_resource_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/community-icon.png")),
+       link = link_to image_tag(ta.get_resource_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/community-icon.png")),
                 ta.get_resource_url[i], title: n
-      end.join
+      end.join.html_safe
     }
   end
@@ -101,7 +101,6 @@ module ApplicationHelper
   #
   # TODO: implement correcly the 'Help' button click
   def help(content = nil, link_name = nil, options = {}, &block)
-
     link_name ||= _('Help')
     @help_message_id ||= 1
@@ -124,7 +123,7 @@ module ApplicationHelper
     button = link_to_function(content_tag('span', link_name), "Element.show('#{help_id}')", options )
     close_button = content_tag("div", link_to_function(_("Close"), "Element.hide('#{help_id}')", :class => 'close_help_button'))
-    text = content_tag('div', button + content_tag('div', content_tag('div', content) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
+    text = content_tag('div', button + content_tag('div', content_tag('div', content.html_safe) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
     unless block.nil?
       concat(text)
@@ -364,8 +363,8 @@ module ApplicationHelper
   def popover_menu(title,menu_title,links,html_options={})
     html_options[:class] = "" unless html_options[:class]
     html_options[:class] << " menu-submenu-trigger"
-    html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false"
+    html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false".html_safe
     link_to(content_tag(:span, title), '#', html_options)
   end
@@ -475,9 +474,9 @@ module ApplicationHelper
       map(&:role)
     names = []
     roles.each do |role|
-      names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}")
+      names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}").html_safe
     end
-    names.join(', ')
+    safe_join(names, ', ')
   end
   def role_color(role, env_id)
@@ -913,7 +912,8 @@ module ApplicationHelper
   end
   def admin_link
-    user.is_admin?(environment) ? link_to('<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>', environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
+    admin_icon = '<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>'
+    user.is_admin?(environment) ? link_to(admin_icon.html_safe, environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
   end
   def usermenu_logged_in
@@ -922,23 +922,39 @@ module ApplicationHelper
     if count > 0
       pending_tasks_count = link_to("<i class=\"icon-menu-tasks\"></i><span class=\"task-count\">#{count}</span>", user.tasks_url, :id => 'pending-tasks-count', :title => _("Manage your pending tasks"))
     end
+    user_identifier = "<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>"
+    welcome_link = link_to(user_identifier.html_safe, user.public_profile_url, :id => "homepage-link", :title => _('Go to your homepage'))
+    welcome_span = _("<span class='welcome'>Welcome,</span> %s") % welcome_link.html_safe
+    ctrl_panel_icon = '<i class="icon-menu-ctrl-panel"></i>'
+    ctrl_panel_section = '<strong>' + ctrl_panel_icon + _('Control panel') + '</strong>'
+    ctrl_panel_link = link_to(ctrl_panel_section.html_safe, user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content"))
+    logout_icon = '<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>'
+    logout_link = link_to(logout_icon.html_safe, { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
+    join_result = safe_join(
+      [welcome_span.html_safe, render_environment_features(:usermenu).html_safe, admin_link.html_safe,
+        manage_enterprises.html_safe, manage_communities.html_safe, ctrl_panel_link.html_safe,
+        pending_tasks_count.html_safe, logout_link.html_safe], "")
+    join_result
+  end
-    (_("<span class='welcome'>Welcome,</span> %s") % link_to("<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>", user.url, :id => "homepage-link", :title => _('Go to your homepage'))) +
-    render_environment_features(:usermenu) +
-    admin_link +
-    manage_enterprises +
-    manage_communities +
-    link_to('<i class="icon-menu-ctrl-panel"></i><strong>' + _('Control panel') + '</strong>', user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content")) +
-    pending_tasks_count +
-    link_to('<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>', { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
+  def usermenu_notlogged_in
+    login_str = '<i class="icon-menu-login"></i><strong>' + _('Login') + '</strong>'
+    ret = _("<span class='login'>%s</span>") % modal_inline_link_to(login_str.html_safe, login_url, '#inlineLoginBox', :id => 'link_login')
+    return ret.html_safe
   end
+  def usermenu_signup
+    signup_str = '<strong>' + _('Sign up') + '</strong>'
+    ret = _("<span class='or'>or</span> <span class='signup'>%s</span>") % link_to(signup_str.html_safe, :controller => 'account', :action => 'signup')
+    return ret.html_safe
+
+  end
   def limited_text_area(object_name, method, limit, text_area_id, options = {})
-    content_tag(:div, [
+    content_tag(:div, safe_join([
       text_area(object_name, method, { :id => text_area_id, :onkeyup => "limited_text_area('#{text_area_id}', #{limit})" }.merge(options)),
       content_tag(:p, content_tag(:span, limit) + ' ' + _(' characters left'), :id => text_area_id + '_left'),
       content_tag(:p, _('Limit of characters reached'), :id => text_area_id + '_limit', :style => 'display: none')
-    ].join, :class => 'limited-text-area')
+    ]), :class => 'limited-text-area')
   end
   def expandable_text_area(object_name, method, text_area_id, options = {})
@@ -1034,8 +1050,8 @@ module ApplicationHelper
   end
   def render_tabs(tabs)
-    titles = tabs.inject(''){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
-    contents = tabs.inject(''){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) }
+    titles = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
+    contents = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) }
     content_tag(:div, content_tag(:ul, titles) + raw(contents), :class => 'ui-tabs')
   end
@@ -1053,7 +1069,7 @@ module ApplicationHelper
   def expirable_link_to(expired, content, url, options = {})
     if expired
       options[:class] = (options[:class] || '') + ' disabled'
-      content_tag('a', '&nbsp;'+content_tag('span', content), options)
+      content_tag('a', '&nbsp;'.html_safe+content_tag('span', content), options)
     else
       if options[:modal]
         options.delete(:modal)
@@ -1082,29 +1098,18 @@ module ApplicationHelper
   def template_options(kind, field_name)
     templates = environment.send(kind).templates
     return '' if templates.count == 0
-    if templates.count == 1
-      if templates.first.custom_fields == {}
-        return hidden_field_tag("#{field_name}[template_id]", templates.first.id)
-      else
-        custom_fields = ""
-        templates.first.custom_fields.each { |field, value|
-          custom_fields += content_tag('div', content_tag('label', value[:title].capitalize, :class => 'formlabel') +
-                             content_tag('div', text_field_tag( "profile_data[custom_fields][#{field}][title]", ''), :class => 'formfield type-text'), :class => "formfieldline" ) if value[:signup] == 'on'
-        }
-        content_tag('div', custom_fields)
-      end
-    else
-      radios = templates.map do |template|
-        content_tag('li', labelled_radio_button(link_to(template.name, template.url, :target => '_blank'), "#{field_name}[template_id]", template.id, environment.is_default_template?(template), :onchange => 'show_fields_for_template(this);'))
-      end.join("\n")
-
-      content_tag('div', content_tag('label', _('Profile organization'), :for => 'template-options', :class => 'formlabel') +
-        content_tag('p', _('Your profile will be created according to the selected template. Click on the options to view them.'), :style => 'margin: 5px 15px;padding: 0px 10px;') +
-        content_tag('ul', radios, :style => 'list-style: none; padding-left: 20px; margin-top: 0.5em;'),
-        :id => 'template-options',
-        :style => 'margin-top: 1em'
-      )
-    end
+    return hidden_field_tag("#{field_name}[template_id]", templates.first.id) if templates.count == 1
+
+    radios = templates.map do |template|
+      content_tag('li', labelled_radio_button(link_to(template.name, template.url, :target => '_blank'), "#{field_name}[template_id]", template.id, environment.is_default_template?(template)))
+    end.join("\n").html_safe
+
+    content_tag('div', content_tag('label', _('Profile organization'), :for => 'template-options', :class => 'formlabel') +
+      content_tag('p', _('Your profile will be created according to the selected template. Click on the options to view them.'), :style => 'margin: 5px 15px;padding: 0px 10px;') +
+      content_tag('ul', radios, :style => 'list-style: none; padding-left: 20px; margin-top: 0.5em;'),
+      :id => 'template-options',
+      :style => 'margin-top: 1em'
+    )
   end
   def expirable_content_reference(content, action, text, url, options = {})
@@ -1137,7 +1142,7 @@ module ApplicationHelper
     content_tag(:div, :class => 'errorExplanation', :id => 'errorExplanation') do
       content_tag(:h2, _('Errors while saving')) +
       content_tag(:ul) do
-        errors.map { |err| content_tag(:li, err) }.join
+        safe_join(errors.map { |err| content_tag(:li, err) })
       end
     end
   end
@@ -1247,6 +1252,7 @@ module ApplicationHelper
       :href=>"#",
       :title=>_("Exit full screen mode")
     })
+    content.html_safe
   end
 end
@@ -3,13 +3,13 @@ module BlockHelper
   def block_title(title, subtitle=nil)
     block_header = block_heading title
     block_header += block_heading(subtitle, 'h4') if subtitle
-    content_tag 'div', block_header, :class => 'block-header'
+    content_tag('div', block_header, :class => 'block-header').html_safe
   end
   def block_heading(title, heading='h3')
     tag_class = 'block-' + (heading == 'h3' ? 'title' : 'subtitle')
     tag_class += ' empty' if title.empty?
-    content_tag heading, content_tag('span', h(title)), :class => tag_class
+    content_tag heading, content_tag('span', h(title)), :class => tag_class.html_safe
   end
   def highlights_block_config_image_fields(block, image={}, row_number=nil)
@@ -41,12 +41,12 @@ module BlogHelper
       css_add << position
       content << (content_tag 'div', id: "post-#{art.id}", class: css_add do
         content_tag 'div', class: position + '-inner blog-post-inner' do
-          display_post(art, conf[:format]).html_safe +
-          '<br style="clear:both"/>'.html_safe
+          display_post(art, conf[:format])  +
+          '<br style="clear:both"/>'
         end
-      end)
+      end).html_safe
     }
-    content.join("\n<hr class='sep-posts'/>\n") + (pagination or '')
+    safe_join(content, "\n<hr class='sep-posts'/>\n") + (pagination or '').html_safe
   end
   def display_post(article, format = 'full')
@@ -61,7 +61,8 @@ module BlogHelper
       else
         '<div class="post-pic" style="background-image:url('+img+')"></div>'
       end
-    end.to_s + title + html
+    end.to_s.html_safe +
+    title.html_safe + html
   end
   def display_compact_format(article)
@@ -38,7 +38,7 @@ module BoxOrganizerHelper
     content_tag(:ul,
       images_path.map do |preview|
 	content_tag(:li, image_tag(preview, height: '240', alt: ''))
-      end.join("\n")
+      end.join("\n").html_safe
     )
   end
@@ -44,7 +44,7 @@ module BoxesHelper
   def display_boxes(holder, main_content)
     boxes = holder.boxes.with_position.first(boxes_limit(holder))
-    content = boxes.reverse.map { |item| display_box(item, main_content) }.join("\n")
+    content = safe_join(boxes.reverse.map { |item| display_box(item, main_content) }, "\n")
     content = main_content if (content.blank?)
     content_tag('div', content, :class => 'boxes', :id => 'boxes' )
@@ -54,7 +54,7 @@ module BoxesHelper
     if holder.respond_to?(element)
       content_tag('div', holder.send(element), options)
     else
-      ''
+      ''.html_safe
     end
   end
@@ -70,9 +70,10 @@ module BoxesHelper
   def display_box_content(box, main_content)
     context = { :article => @page, :request_path => request.path, :locale => locale, :params => request.params, :user => user, :controller => controller }
-    box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item|
+    blocks = box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item|
       display_block item, main_content
-    end.join("\n") + box_decorator.block_target(box)
+    end
+    safe_join(blocks, "\n") + box_decorator.block_target(box)
   end
   def select_blocks box, arr, context
@@ -136,17 +137,18 @@ module BoxesHelper
     result = filter_html(result, block)
-    content_tag('div',
-      box_decorator.block_target(block.box, block) +
-        content_tag('div',
-         content_tag('div',
-           content_tag('div',
-             result + footer_content + box_decorator.block_edit_buttons(block),
-             :class => 'block-inner-2'),
-           :class => 'block-inner-1'),
-       options),
-    :class => 'block-outer') +
-    box_decorator.block_handle(block)
+    join_result = safe_join([result, footer_content, box_decorator.block_edit_buttons(block)])
+    content_tag_inner_1 = content_tag('div', join_result, :class => 'block-inner-2')
+
+    content_tag_inner_2 = content_tag('div', content_tag_inner_1, :class => 'block-inner-1')
+    content_tag_inner_3 = content_tag('div', content_tag_inner_2, options)
+    content_tag_inner_4 = box_decorator.block_target(block.box, block) + content_tag_inner_3
+    c = content_tag('div', content_tag_inner_4, :class => 'block-outer')
+    box_decorator_result = box_decorator.block_handle(block)
+    result_final = safe_join([c, box_decorator_result], "")
+
+
+    return result_final
   end
   def wrap_main_content(content)
@@ -156,17 +158,17 @@ module BoxesHelper
   def extract_block_content(content)
     case content
     when Hash
-      content_tag('iframe', '', :src => url_for(content))
+      content_tag('iframe', ''.html_safe, :src => url_for(content))
     when String
       if content.split("\n").size == 1 and content =~ /^https?:\/\//
-        content_tag('iframe', '', :src => content)
+        content_tag('iframe', ''.html_safe, :src => content)
       else
         content
       end
     when Proc
       self.instance_eval(&content)
     when NilClass
-      ''
+      ''.html_safe
     else
       raise "Unsupported content for block (#{content.class})"
     end
@@ -175,14 +177,14 @@ module BoxesHelper
   module DontMoveBlocks
     # does nothing
     def self.block_target(box, block = nil)
-      ''
+      ''.html_safe
     end
     # does nothing
     def self.block_handle(block)
-      ''
+      ''.html_safe
     end
     def self.block_edit_buttons(block)
-      ''
+      ''.html_safe
     end
     def self.select_blocks box, arr, context
       arr = arr.select{ |block| block.visible? context }
@@ -229,9 +231,9 @@ module BoxesHelper
   # makes the given block draggable so it can be moved away.
   def block_handle(block)
     return "" unless movable?(block)
-    icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>"
+    icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>".html_safe
     block_draggable("block-#{block.id}",
-                    :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}")
+                    :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}".html_safe)
   end
   def block_draggable(element_id, options={})
@@ -302,7 +304,7 @@ module BoxesHelper
       buttons << modal_inline_icon(:embed, _('Embed code'), {}, "#embed-code-box-#{block.id}") << html
     end
-    content_tag('div', buttons.join("\n") + tag('br', :style => 'clear: left'), :class => 'button-bar')
+    content_tag('div', buttons.join("\n").html_safe + tag('br', :style => 'clear: left'), :class => 'button-bar')
   end
   def current_blocks
@@ -15,9 +15,9 @@ module ButtonsHelper
     end
     the_title = html_options[:title] || label
     if html_options[:disabled]
-      content_tag('a', '&nbsp;'+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
+      content_tag('a', '&nbsp;'.html_safe+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
     else
-      link_to('&nbsp;'+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
+      link_to('&nbsp;'.html_safe+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
     end
   end
@@ -19,18 +19,18 @@ module CatalogHelper
     ancestors = category.ancestors.map { |c| link_to(c.name, {:controller => :catalog, :action => 'index', :level => c.id}) }.reverse
     current_level = content_tag('strong', category.name)
     all_items = [start] + ancestors + [current_level]
-    content_tag('div', all_items.join(' &rarr; '), :id => 'breadcrumb')
+    content_tag('div', safe_join(all_items, ' &rarr; '), :id => 'breadcrumb')
   end
   def category_link(category)
     count = profile.products.from_category(category).count
     name = truncate(category.name, :length => 22 - count.to_s.size)
     link = link_to(name, {:controller => 'catalog', :action => 'index', :level => category.id}, :title => category.name)
-    content_tag('div', "#{link} <span class=\"count\">#{count}</span>") if count > 0
+    content_tag('div', "#{link} <span class=\"count\">#{count}</span>".html_safe) if count > 0
   end
   def category_with_sub_list(category)
-    content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}"
+    content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}".html_safe
   end
   def sub_category_list(category)
@@ -39,7 +39,7 @@ module CatalogHelper
       cat_link = category_link sub_category
       sub_categories << content_tag('li', cat_link) unless cat_link.nil?
     end
-    content_tag('ul', sub_categories.join) if sub_categories.size > 0
+    content_tag('ul', sub_categories.join.html_safe) if sub_categories.size > 0
   end
 end
@@ -7,7 +7,8 @@ module ContentViewerHelper
   def display_number_of_comments(n)
     base_str = "<span class='comment-count hide'>#{n}</span>"
     amount_str = n == 0 ? _('no comments yet') : (n == 1 ? _('One comment') : _('%s comments') % n)
-    base_str + "<span class='comment-count-write-out'>#{amount_str}</span>"
+    base_str += "<span class='comment-count-write-out'>#{amount_str}</span>"
+    base_str.html_safe
   end
   def number_of_comments(article)
@@ -19,11 +20,11 @@ module ContentViewerHelper
     title = content_tag('h1', h(title), :class => 'title')
     if article.belongs_to_blog? || article.belongs_to_forum?
       unless args[:no_link]
-        title = content_tag('h1', link_to(article.name, article.url), :class => 'title')
+        title = content_tag('h1', link_to(article.name, url_for(article.url)), :class => 'title')
       end
       comments = ''
       unless args[:no_comments] || !article.accept_comments
-        comments = (" - %s") % link_to_comments(article)
+        comments = (" - %s").html_safe % link_to_comments(article)
       end
       date_format = show_with_right_format_date article
       title << content_tag('span',
@@ -53,18 +53,19 @@ module DisplayHelper
   end
   def txt2html(txt)
-    txt.strip.
+    ret = txt.strip.
       gsub( /\s*\n\s*\n\s*/, "\r<p/>\r" ).
       gsub( /\s*\n\s*/, "\n<br/>\n" ).
       gsub( /\r/, "\n" ).
       gsub( /(^|\s)(www\.[^\s]+|https?:\/\/[^\s]+)/ ) do
         pre_char, href = $1, $2
         href = 'http://'+href  if ! href.match /^https?:/
-        content = href.gsub(/^https?:\/\//, '').scan(/.{1,4}/).join('&#x200B;')
+        content = safe_join(href.gsub(/^https?:\/\//, '').scan(/.{1,4}/), '&#x200B;'.html_safe)
         pre_char +
         content_tag(:a, content, :href => href, :target => '_blank',
-                    :rel => 'nofolow', :onclick => "return confirm('%s')" %
+                    :rel => 'nofolow', :onclick => "return confirm('%s')".html_safe %
                       _('Are you sure you want to visit this web site?'))
       end
+      ret.html_safe
   end
 end
 module EventsHelper
   include DatesHelper
+  include ActionView::Helpers::OutputSafetyHelper
+
   def list_events(date, events)
     title = _('Events for %s') % show_date_month(date)
+    user_events = events.select { |item| item.display_to?(user) }
+    events_for_month = safe_join(user_events.map {|item| display_event_in_listing(item)}, '')
     content_tag('h2', title) +
     content_tag('div',
       (events.any? ?
-        content_tag('table', events.select { |item| item.display_to?(user) }.map {|item| display_event_in_listing(item)}.join('')) :
-        content_tag('em', _('No events for this month'), :class => 'no-events')
+        content_tag('table', events_for_month) :
+          content_tag('em', _('No events for this month'), :class => 'no-events')
       ), :id => 'agenda-items'
     )
   end
@@ -101,7 +101,7 @@ module FormsHelper
   def required_fields_message
     content_tag('p', content_tag('span',
-      _("The <label class='pseudoformlabel'>highlighted</label> fields are mandatory."),
+      _("The <label class='pseudoformlabel'>highlighted</label> fields are mandatory.").html_safe,
       :class => 'required-field'
     ))
   end
@@ -112,10 +112,11 @@ module FormsHelper
     options_for_select = container.inject([]) do |options, element|
       text, value = option_text_and_value(element)
       selected_attribute = ' selected="selected"' if option_value_selected?(value, selected)
-      options << %(<option title="#{html_escape(text.to_s)}" value="#{html_escape(value.to_s)}"#{selected_attribute}>#{html_escape(text.to_s)}</option>)
+      opt = %(<option title="#{html_escape(text.to_s)}" value="#{html_escape(value.to_s)}"#{selected_attribute}>#{html_escape(text.to_s)}</option>)
+      options << opt.html_safe
     end
-    options_for_select.join("\n")
+    safe_join(options_for_select, "\n")
   end
   def balanced_table(items, per_row=3)
@@ -248,8 +249,8 @@ module FormsHelper
   def date_range_field(from_name, to_name, from_value, to_value, datepicker_options = {}, html_options = {})
     from_id = html_options[:from_id] || 'datepicker-from-date'
     to_id = html_options[:to_id] || 'datepicker-to-date'
-    return _('From') +' '+ date_field(from_name, from_value, datepicker_options, html_options.merge({:id => from_id})) +
-    ' ' + _('until') +' '+ date_field(to_name, to_value, datepicker_options, html_options.merge({:id => to_id}))
+    return (_('From') +' '+ date_field(from_name, from_value, datepicker_options, html_options.merge({:id => from_id})) +
+    ' ' + _('until') +' '+ date_field(to_name, to_value, datepicker_options, html_options.merge({:id => to_id}))).html_safe
   end
   def select_folder(label_text, field_id, collection, default_value=nil, html_options = {}, js_options = {})
@@ -35,7 +35,7 @@ module ForumHelper
                              :id => "post-#{art.id}"
                             )
     }
-    content_tag('table', content.join) + (pagination or '')
+    content_tag('table', safe_join(content, "")) + (pagination or '').html_safe
   end
   def last_topic_update(article)
@@ -40,7 +40,7 @@ module LanguageHelper
         else
           link_to(name, params.merge(:lang => code), :rel => 'nofollow')
         end
-      end.join(separator)
+      end.join(separator).html_safe
       content_tag('div', languages, :id => 'language-chooser', :help => _('The language you choose here is the language used for options, buttons, etc. It does not affect the language of the content created by other users.'))
     end
   end
@@ -40,7 +40,8 @@ module LayoutHelper
     output += templete_javascript_ng.to_s
-    output
+    # This output should be safe!
+    output.html_safe
   end
   def noosfero_stylesheets
@@ -64,7 +65,9 @@ module LayoutHelper
       output << stylesheet_link_tag(global_css_pub)
     end
     output << stylesheet_link_tag(theme_stylesheet_path)
-    output.join "\n"
+
+    # This output should be safe!
+    output.join("\n").html_safe
   end
   def noosfero_layout_features
@@ -38,10 +38,11 @@ module ManageProductsHelper
   end
   def options_for_select_categories(categories, selected = nil)
-    categories.sort_by{|cat| cat.name.transliterate}.map do |category|
-      selected_attribute = selected.nil? ? '' : (category == selected ? "selected='selected'" : '')
-      "<option value='#{category.id}' title='#{category.name}' #{selected_attribute}>#{category.name + (category.leaf? ? '': ' &raquo;')}</option>"
-    end.join("\n")
+    safe_join(categories.sort_by{ |cat|
+      cat.name.transliterate}.map do |category|
+        selected_attribute = selected.nil? ? '' : (category == selected ? "selected='selected'" : '')
+          "<option value='#{category.id}' title='#{category.name}' #{selected_attribute}>#{category.name + (category.leaf? ? '': ' &raquo;')}</option>".html_safe
+    end, "\n")
   end
   def build_selects_for_ancestors(ancestors, current_category)
@@ -76,10 +77,13 @@ module ManageProductsHelper
   def categories_container(categories_selection_html, hierarchy_html = '')
     content_tag 'div',
-      render('categories_autocomplete') +
-      hidden_field_tag('selected_category_id') +
-      content_tag('div', hierarchy_html, :id => 'hierarchy_navigation') +
-      content_tag('div', categories_selection_html, :id => 'categories_container_wrapper'),
+      safe_join(
+        [
+          render('categories_autocomplete'),
+          hidden_field_tag('selected_category_id'),
+          content_tag('div', hierarchy_html, :id => 'hierarchy_navigation'),
+          content_tag('div', categories_selection_html, :id => 'categories_container_wrapper')
+        ], ''),
     :id => 'categories-container'
   end
@@ -129,7 +129,11 @@ module ProfileEditorHelper
     else
       domains = environment.domains
     end
-    labelled_form_field(_('Preferred domain name:'), select(object, :preferred_domain_id, domains.map {|item| [item.name, item.id]}, :prompt => '&lt;' + _('Select domain') + '&gt;'))
+    select_domain_prompt = '&lt;'.html_safe + _('Select domain').html_safe + '&gt;'.html_safe
+    select_field = select(object, :preferred_domain_id, domains.map {
+      |item| [item.name, item.id]}, :prompt => select_domain_prompt.html_safe)
+
+    labelled_form_field(_('Preferred domain name:'), select_field)
   end
   def control_panel(&block)
@@ -131,7 +131,7 @@ module ProfileImageHelper
     links = links_for_balloon(profile)
     content_tag('div', content_tag(tag,
                                    (environment.enabled?(:show_balloon_with_profile_links_when_clicked) ?
-                                   popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "") +
+                                   popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "").html_safe +
     link_to(
       content_tag( 'span', profile_image( profile, size ), :class => img_class ) +
       content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
@@ -139,7 +139,7 @@ module ProfileImageHelper
       profile.url,
       :class => 'profile_link url',
       :help => _('Click on this icon to go to the <b>%s</b>\'s home page') % profile.name,
-      :title => profile.name ),
+      :title => profile.name ).html_safe,
       :class => 'vcard'), :class => 'common-profile-list-block')
   end
 end
@@ -124,10 +124,10 @@ module SearchHelper
   def filters(asset)
     return if !asset
     klass = asset_class(asset)
-    content_tag('div', klass::SEARCH_FILTERS.map do |name, options|
+    content_tag('div', safe_join(klass::SEARCH_FILTERS.map do |name, options|
       default = klass.respond_to?("default_search_#{name}") ? klass.send("default_search_#{name}".to_s) : nil
       select_filter(name, options, default)
-    end.join("\n"), :id => 'search-filters')
+    end, "\n"), :id => 'search-filters')
   end
   def assets_menu(selected)
@@ -137,11 +137,11 @@ module SearchHelper
     #     menu.
     assets.delete(:events)
     content_tag('ul',
-      assets.map do |asset|
+      safe_join(assets.map do |asset|
         options = {}
         options.merge!(:class => 'selected') if selected.to_s == asset.to_s
         content_tag('li', asset_link(asset), options)
-      end.join("\n"),
+      end, "\n"),
     :id => 'assets-menu')
   end
@@ -58,7 +58,7 @@ module TagsHelper
       if options[:show_count]
         display_count = options[:show_count] ? "<small><sup>(#{count})</sup></small>" : ""
-        link_to tag + display_count, destination, :style => style
+        link_to (tag + display_count).html_safe, destination, :style => style
       else
         link_to h(tag) , destination, :style => style,
           :title => n_( 'one item', '%d items', count ) % count
@@ -7,7 +7,7 @@ module TinymceHelper
     output += javascript_include_tag 'tinymce/js/tinymce/jquery.tinymce.min.js'
     output += javascript_include_tag 'tinymce.js'
     output += include_macro_js_files.to_s
-    output
+    output.html_safe
   end
   def tinymce_init_js options = {}
@@ -37,7 +37,7 @@ module TinymceHelper
     #cleanup non tinymce options
     options = options.except :mode
-    "noosfero.tinymce.init(#{options.to_json})"
+    "noosfero.tinymce.init(#{options.to_json})".html_safe
   end
   def menubar mode
 require_dependency 'mailing_job'
-class Mailing < ActiveRecord::Base
+class Mailing < ApplicationRecord
   acts_as_having_settings :field => :data
-class AbuseReport < ActiveRecord::Base
+class AbuseReport < ApplicationRecord
   attr_accessible :content, :reason
-class ActionTrackerNotification < ActiveRecord::Base
+class ActionTrackerNotification < ApplicationRecord
   belongs_to :profile
   belongs_to :action_tracker, :class_name => 'ActionTracker::Record', :foreign_key => 'action_tracker_id'
@@ -0,0 +1,64 @@
+class ApplicationRecord < ActiveRecord::Base
+
+  self.abstract_class = true
+
+  def self.postgresql?
+    self.connection.adapter_name == 'PostgreSQL'
+  end
+
+  # an ActionView instance for rendering views on models
+  def self.action_view
+    @action_view ||= begin
+      view_paths = ::ActionController::Base.view_paths
+      action_view = ::ActionView::Base.new view_paths
+      # for using Noosfero helpers inside render calls
+      action_view.extend ::ApplicationHelper
+      action_view
+    end
+  end
+
+  # default value needed for the above ActionView
+  def to_partial_path
+    self.class.name.underscore
+  end
+
+  alias :meta_cache_key :cache_key
+  def cache_key
+    key = [Noosfero::VERSION, meta_cache_key]
+    key.unshift(ApplicationRecord.connection.schema_search_path) if ApplicationRecord.postgresql?
+    key.join('/')
+  end
+
+  def self.like_search(query, options={})
+    if defined?(self::SEARCHABLE_FIELDS) || options[:fields].present?
+      fields_per_table = {}
+      fields_per_table[table_name] = (options[:fields].present? ? options[:fields] : self::SEARCHABLE_FIELDS.keys.map(&:to_s)) & column_names
+
+      if options[:joins].present?
+        join_asset = options[:joins].to_s.classify.constantize
+        if defined?(join_asset::SEARCHABLE_FIELDS) || options[:fields].present?
+          fields_per_table[join_asset.table_name] = (options[:fields].present? ? options[:fields] : join_asset::SEARCHABLE_FIELDS.keys.map(&:to_s)) & join_asset.column_names
+        end
+      end
+
+      query = query.downcase.strip
+      fields_per_table.delete_if { |table,fields| fields.blank? }
+      conditions = fields_per_table.map do |table,fields|
+        fields.map do |field|
+          "lower(#{table}.#{field}) LIKE '%#{query}%'"
+        end.join(' OR ')
+      end.join(' OR ')
+
+      if options[:joins].present?
+        joins(options[:joins]).where(conditions)
+      else
+        where(conditions)
+      end
+
+    else
+      raise "No searchable fields defined for #{self.name}"
+    end
+  end
+
+end
+
@@ -86,7 +86,7 @@ class ApproveArticle &lt; Task
   def information
     if article
-      {:message => _('%{requestor} wants to publish the article: %{linked_subject}.')}
+      {:message => _('%{requestor} wants to publish the article: %{linked_subject}.').html_safe}
     else
       {:message => _("The article was removed.")}
     end
-class Article < ActiveRecord::Base
+class Article < ApplicationRecord
   include SanitizeHelper
-class ArticleCategorization < ActiveRecord::Base
+class ArticleCategorization < ApplicationRecord
   self.table_name = :articles_categories
   belongs_to :article
-class ArticleFollower < ActiveRecord::Base
+class ArticleFollower < ApplicationRecord
   attr_accessible :article_id, :person_id, :since
   belongs_to :article, :counter_cache => :followers_count
-class Block < ActiveRecord::Base
+class Block < ApplicationRecord
   attr_accessible :title, :subtitle, :display, :limit, :box_id, :posts_per_page,
                   :visualization_format, :language, :display_user,
-class Box < ActiveRecord::Base
+class Box < ApplicationRecord
   acts_as_list scope: -> box { where owner_id: box.owner_id, owner_type: box.owner_type }
-class Category < ActiveRecord::Base
+class Category < ApplicationRecord
   attr_accessible :name, :parent_id, :display_color, :display_in_menu, :image_builder, :environment, :parent
-class Certifier < ActiveRecord::Base
+class Certifier < ApplicationRecord
   attr_accessible :name, :environment
-class ChatMessage < ActiveRecord::Base
+class ChatMessage < ApplicationRecord
+
   attr_accessible :body, :from, :to
   belongs_to :to, :class_name => 'Profile'
-class Comment < ActiveRecord::Base
+class Comment < ApplicationRecord
   SEARCHABLE_FIELDS = {
     :title => {:label => _('Title'), :weight => 10},
-class ContactList < ActiveRecord::Base
+class ContactList < ApplicationRecord
   serialize :list, Array
@@ -60,9 +60,9 @@ class CreateCommunity &lt; Task
   def information
     if description.blank?
-      { :message => _('%{requestor} wants to create community %{subject} with no description.') }
+      { :message => _('%{requestor} wants to create community %{subject} with no description.').html_safe }
     else
-      { :message => _('%{requestor} wants to create community %{subject} with this description:<p><em>%{description}</em></p>'),
+      { :message => _('%{requestor} wants to create community %{subject} with this description:<p><em>%{description}</em></p>').html_safe,
         :variables => {:description => description} }
     end
   end
@@ -163,7 +163,7 @@ class CreateEnterprise &lt; Task
   end
   def information
-    {:message => _('%{requestor} wants to create enterprise %{subject}.')}
+    {:message => _('%{requestor} wants to create enterprise %{subject}.').html_safe}
   end
   def task_created_message
-class CustomField < ActiveRecord::Base
+class CustomField < ApplicationRecord
+
   attr_accessible :name, :default_value, :format, :extras, :customized_type, :active, :required, :signup, :environment, :moderation_task
   serialize :customized_type
   serialize :extras
-class CustomFieldValue < ActiveRecord::Base
+class CustomFieldValue < ApplicationRecord
+
   belongs_to :custom_field
   belongs_to :customized, :polymorphic => true
   attr_accessible :value, :public, :customized, :custom_field, :customized_type
@@ -17,7 +17,7 @@ class DocItem
       else
         match
       end
-    end
+    end.html_safe
   end
   private
 require 'noosfero/multi_tenancy'
-class Domain < ActiveRecord::Base
+class Domain < ApplicationRecord
   attr_accessible :name, :owner, :is_default
-class EmailTemplate < ActiveRecord::Base
+class EmailTemplate < ApplicationRecord
   belongs_to :owner, :polymorphic => true
 # A Environment is like a website to be hosted in the platform. It may
 # contain multiple Profile's and can be identified by several different
 # domains.
-class Environment < ActiveRecord::Base
+class Environment < ApplicationRecord
   attr_accessible :name, :is_default, :signup_welcome_text_subject,
                   :signup_welcome_text_body, :terms_of_use,
@@ -731,7 +731,7 @@ class Environment &lt; ActiveRecord::Base
     url << (Noosfero.url_options.key?(:host) ? Noosfero.url_options[:host] : default_hostname)
     url << ':' << Noosfero.url_options[:port].to_s if Noosfero.url_options.key?(:port)
     url << Noosfero.root('')
-    url
+    url.html_safe
   end
   def to_s
-class ExternalFeed < ActiveRecord::Base
+class ExternalFeed < ApplicationRecord
   belongs_to :blog
   validates_presence_of :blog_id
-class FavoriteEnterprisePerson < ActiveRecord::Base
+class FavoriteEnterprisePerson < ApplicationRecord
   attr_accessible :person, :enterprise
-class Friendship < ActiveRecord::Base
+class Friendship < ApplicationRecord
   track_actions :new_friendship, :after_create, :keep_params => ["friend.name", "friend.url", "friend.profile_custom_icon"], :custom_user => :person
   extend CacheCounterHelper
-class Image < ActiveRecord::Base
+class Image < ApplicationRecord
   attr_accessible :uploaded_data, :label, :remove_image
   attr_accessor :remove_image
-class Input < ActiveRecord::Base
+class Input < ApplicationRecord
   attr_accessible :product, :product_id, :product_category, :product_category_id,
     :amount_used, :unit_id, :price_per_unit, :relevant_to_price, :is_from_solidarity_economy
@@ -13,7 +13,7 @@ class InviteFriend &lt; Invitation
   end
   def information
-    {:message => _('%{requestor} wants to be your friend.')}
+    {:message => _('%{requestor} wants to be your friend.').html_safe}
   end
   def accept_details
@@ -25,7 +25,7 @@ class InviteFriend &lt; Invitation
   end
   def target_notification_description
-    _('%{requestor} wants to be your friend.') % {:requestor => requestor.name}
+    (_('%{requestor} wants to be your friend.') % {:requestor => requestor.name}).html_safe
   end
   def permission
@@ -25,7 +25,7 @@ class InviteMember &lt; Invitation
   end
   def information
-    {:message => _('%{requestor} invited you to join %{linked_subject}.')}
+    {:message => _('%{requestor} invited you to join %{linked_subject}.').html_safe}
   end
   def url
@@ -37,7 +37,7 @@ class InviteMember &lt; Invitation
   end
   def target_notification_description
-    _('%{requestor} invited you to join %{community}.') % {:requestor => requestor.name, :community => community.name}
+    (_('%{requestor} invited you to join %{community}.') % {:requestor => requestor.name, :community => community.name}).html_safe
   end
   def target_notification_message
-class License < ActiveRecord::Base
+class License < ApplicationRecord
   attr_accessible :name, :url
-class MailingSent < ActiveRecord::Base
+class MailingSent < ApplicationRecord
+
   attr_accessible :person
   belongs_to :mailing
   belongs_to :person
-class NationalRegion < ActiveRecord::Base
+class NationalRegion < ApplicationRecord
   SEARCHABLE_FIELDS = {
     :name => {:label => _('Name'), :weight => 1},
-class NationalRegionType < ActiveRecord::Base
+class NationalRegionType < ApplicationRecord
   COUNTRY = 1
   STATE   = 2
   CITY    = 3
@@ -341,7 +341,7 @@ class Person &lt; Profile
     environment ||= self.environment
     role_assignments.includes([:role, :resource]).select { |ra| ra.resource == environment }.map{|ra|ra.role.permissions}.any? do |ps|
       ps.any? do |p|
-        ActiveRecord::Base::PERMISSIONS['Environment'].keys.include?(p)
+        ApplicationRecord::PERMISSIONS['Environment'].keys.include?(p)
       end
     end
   end
-class PriceDetail < ActiveRecord::Base
+class PriceDetail < ApplicationRecord
   attr_accessible :price, :production_cost_id
-class Product < ActiveRecord::Base
+class Product < ApplicationRecord
   SEARCHABLE_FIELDS = {
     :name => {:label => _('Name'), :weight => 10},
-class ProductQualifier < ActiveRecord::Base
+class ProductQualifier < ApplicationRecord
   attr_accessible :qualifier, :product, :certifier
-class ProductionCost < ActiveRecord::Base
+class ProductionCost < ApplicationRecord
   attr_accessible :name, :owner
 # A Profile is the representation and web-presence of an individual or an
 # organization. Every Profile is attached to its Environment of origin,
 # which by default is the one returned by Environment:default.
-class Profile < ActiveRecord::Base
+class Profile < ApplicationRecord
   attr_accessible :name, :identifier, :public_profile, :nickname, :custom_footer, :custom_header, :address, :zip_code, :contact_phone, :image_builder, :description, :closed, :template_id, :environment, :lat, :lng, :is_template, :fields_privacy, :preferred_domain_id, :category_ids, :country, :city, :state, :national_region_code, :email, :contact_email, :redirect_l10n, :notification_time,
     :redirection_after_login, :custom_url_redirection,
@@ -675,7 +675,7 @@ class Profile &lt; ActiveRecord::Base
     url << url_options[:host]
     url << ':' << url_options[:port].to_s if url_options.key?(:port)
     url << Noosfero.root('')
-    url
+    url.html_safe
   end
 private :generate_url, :url_options
-class ProfileActivity < ActiveRecord::Base
+class ProfileActivity < ApplicationRecord
   self.record_timestamps = false
-class ProfileCategorization < ActiveRecord::Base
+class ProfileCategorization < ApplicationRecord
   self.table_name = :categories_profiles
   belongs_to :profile
   belongs_to :category
-class ProfileSuggestion < ActiveRecord::Base
+class ProfileSuggestion < ApplicationRecord
+
   belongs_to :person
   belongs_to :suggestion, :class_name => 'Profile', :foreign_key => :suggestion_id
-class Qualifier < ActiveRecord::Base
+class Qualifier < ApplicationRecord
   attr_accessible :name, :environment
-class QualifierCertifier < ActiveRecord::Base
+class QualifierCertifier < ApplicationRecord
   belongs_to :qualifier
   belongs_to :certifier
-class ReportedImage < ActiveRecord::Base
+class ReportedImage < ApplicationRecord
   belongs_to :abuse_report
   validates_presence_of :abuse_report
-class Scrap < ActiveRecord::Base
+class Scrap < ApplicationRecord
   include SanitizeHelper
-class SearchTerm < ActiveRecord::Base
+class SearchTerm < ApplicationRecord
   validates_presence_of :term, :context
   validates_uniqueness_of :term, :scope => [:context_id, :context_type, :asset]
@@ -25,7 +25,7 @@ class SearchTerm &lt; ActiveRecord::Base
   # Therefore the score is 97. Them we sum every score to get the total score
   # for a search term.
   def self.occurrences_scores
-    Hash[*ActiveRecord::Base.connection.execute(
+    Hash[*ApplicationRecord.connection.execute(
       joins(:occurrences).
       select("search_terms.id, sum(#{SearchTermOccurrence::EXPIRATION_TIME.to_i} - extract(epoch from (now() - search_term_occurrences.created_at))) as value").
       where("search_term_occurrences.created_at > ?", DateTime.now - SearchTermOccurrence::EXPIRATION_TIME).
-class SearchTermOccurrence < ActiveRecord::Base
+class SearchTermOccurrence < ApplicationRecord
   belongs_to :search_term
   validates_presence_of :search_term
@@ -65,7 +65,7 @@ class SuggestArticle &lt; Task
   def information
     variables = requestor.blank? ? {:requestor => sender} : {}
-    { :message => _('%{requestor} suggested the publication of the article: %{subject}.'),
+    { :message => _('%{requestor} suggested the publication of the article: %{subject}.').html_safe,
       :variables => variables }
   end
@@ -78,7 +78,7 @@ class SuggestArticle &lt; Task
   end
   def target_notification_description
-    _('%{requestor} suggested the publication of the article: %{article}.') %
+    _('%{requestor} suggested the publication of the article: %{article}.').html_safe %
     {:requestor => sender, :article => article_name}
   end
-class SuggestionConnection < ActiveRecord::Base
+class SuggestionConnection < ApplicationRecord
+
   attr_accessible :suggestion, :suggestion_id, :connection_type, :connection_id
   belongs_to :suggestion, :class_name => 'ProfileSuggestion', :foreign_key => 'suggestion_id'
@@ -9,7 +9,7 @@
 # This class has a +data+ field of type <tt>text</tt>, where you can store any
 # type of data (as serialized Ruby objects) you need for your subclass (which
 # will need to declare <ttserialize</tt> itself).
-class Task < ActiveRecord::Base
+class Task < ApplicationRecord
   acts_as_having_settings :field => :data
   acts_as_ordered_taggable
@@ -347,6 +347,21 @@ class Task &lt; ActiveRecord::Base
     where [environment_condition, profile_condition].compact.join(' OR ')
   }
+  scope :from_closed_date, -> closed_from {
+    where('tasks.end_date >= ?', closed_from.beginning_of_day) unless closed_from.blank?
+  }
+
+  scope :until_closed_date, -> closed_until {
+    where('tasks.end_date <= ?', closed_until.end_of_day) unless closed_until.blank?
+  }
+
+  scope :from_creation_date, -> created_from {
+    where('tasks.created_at >= ?', created_from.beginning_of_day) unless created_from.blank?
+  }
+
+  scope :until_creation_date, -> created_until {
+    where('tasks.created_at <= ?', created_until.end_of_day) unless created_until.blank?
+  }
   def self.pending_types_for(profile)
     Task.to(profile).pending.select('distinct type').map { |t| [t.class.name, t.title] }
-class Thumbnail < ActiveRecord::Base
+class Thumbnail < ApplicationRecord
   attr_accessible :uploaded_data
   # mass assigned by attachment_fu
-class Unit < ActiveRecord::Base
+class Unit < ApplicationRecord
   acts_as_list scope: -> unit { where environment_id: unit.environment_id }
@@ -4,7 +4,7 @@ require &#39;securerandom&#39;
 # User models the system users, and is generated by the acts_as_authenticated
 # Rails generator.
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   attr_accessible :login, :email, :password, :password_confirmation, :activated_at
-class ValidationInfo < ActiveRecord::Base
+class ValidationInfo < ApplicationRecord
   attr_accessible :validation_methodology, :restrictions, :organization
@@ -107,7 +107,7 @@
     <%= render :partial => 'profile_editor/person_form', :locals => {:f => f} %>
   <% end %>
-  <%= @plugins.dispatch(:signup_extra_contents).collect { |content| instance_eval(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:signup_extra_contents).collect { |content| instance_eval(&content) }, "") %>
   <% unless @terms_of_use.blank? %>
     <div id='terms-of-use-box' class='formfieldline'>
@@ -14,7 +14,7 @@
 <div id="enterprise-activation-create-user-form" style="display: none">
   <h3><%= _('Personal signup form') %></h3>
   <%= render :partial => 'signup_form', :locals => { :hidden_atention => true } %>
-  <p><%= message = _('<b>Warning</b>: this form is for your personal information, not of your enterprise. So you will have a personal account that can manage your enterprise.') %></p>
+  <p><%= message = _('<b>Warning</b>: this form is for your personal information, not of your enterprise. So you will have a personal account that can manage your enterprise.').html_safe %></p>
 </div>
 <div id="enterprise-activation-login-form" style="display: none">
 <h1><%= _("Invalid change password code") %></h1>
 <p>
-<%= _('The code you are using for password change is not valid. Please try to request password change using the <a href="%s">"I forgot my password"</a> functionality.') % url_for(:action => 'forgot_password') %>
+<%= _('The code you are using for password change is not valid. Please try to request password change using the <a href="%s">"I forgot my password"</a> functionality.') % url_for(:action => 'forgot_password').html_safe %>
 </p>
@@ -20,7 +20,7 @@
        </label>
      </div>
-     <%= @plugins.dispatch(:login_extra_contents).collect { |content| instance_exec(&content) }.join("") %>
+     <%= safe_join(@plugins.dispatch(:login_extra_contents).collect { |content| instance_exec(&content) }, "") %>
      <% button_bar do %>
        <%= submit_button( 'login', _('Log in') )%>
@@ -15,7 +15,7 @@
       <%= f.password_field :password %>
-      <%= @plugins.dispatch(:login_extra_contents).collect { |content| instance_eval(&content) }.join("") %>
+      <%= safe_join(@plugins.dispatch(:login_extra_contents).collect { |content| instance_eval(&content) }, "") %>
       <% button_bar do %>
         <%= submit_button( 'login', _('Log in') )%>
@@ -5,5 +5,5 @@
 </p>
 <p>
-<%= _("You can <a href='%s'>login</a> now.") % url_for(:action => 'login') %>
+<%= _("You can <a href='%s'>login</a> now.").html_safe % url_for(:action => 'login') %>
 </p>
@@ -6,7 +6,7 @@
       <%= content_tag('li', content_tag('strong', "#{year.to_i} (#{count})")) %>
       <ul class='<%= year.to_i %>-archive'>
         <% block.blog.total_number_of_posts(:by_month, year).each do |month, count| %>
-          <%= content_tag('li', link_to("#{month_name(month.to_i)} (#{count})", block.blog.url.merge(year: year.to_i, month: month.to_i))) %>
+          <%= content_tag('li', link_to("#{month_name(month.to_i)} (#{count})", url_for(block.blog.url.merge(year: year.to_i, month: month.to_i)).html_safe)) %>
         <% end %>
       </ul>
     <% end %>
@@ -8,7 +8,7 @@
       <%= block.sanitize_link(link_to(link[:name], block.expand_address(link[:address]),
                 :target => link[:target],
                 :class => (link[:icon] ? "icon-#{link[:icon]}" : ''),
-                :title => link[:title])) %>
+                :title => link[:title])).html_safe %>
     </li>
   <% end %>
 </ul>
@@ -3,7 +3,7 @@
     <h2><%= _('Logged in as %s') % user.identifier %></h2>
     <ul>
       <li><%= _('User since %s/%s') % [user.created_at.month, user.created_at.year] %></li>
-      <li><%= link_to _('Homepage'), user.public_profile_url %></li>
+      <li><%= link_to _('Homepage'), url_for(user.public_profile_url) %></li>
     </ul>
     <div class="user-actions">
       <%= button(:'menu-logout',  _('Logout'), :controller => 'account', :action => 'logout') %>
@@ -10,8 +10,8 @@
   <% if list.empty? %>
     <div class='common-profile-list-block-none'><%= _('None') %></div>
   <% else %>
-    <ul><%= list %></ul>
+    <ul><%= list.html_safe %></ul>
   <% end %>
 </div>
- 
+
 <br style='clear:both'/>
@@ -9,7 +9,8 @@
     first_text = articles[articles.find_index{|a| a.kind_of? TextArticle}||-1]
     selected = @block.article || first_text
   %>
-  <%= select_tag(
+  <%= 
+    select_tag(
     'block[article_id]',
     options_for_select_with_title(articles.map {|item| [item.path, item.id]}, selected.id),
     :onchange => 'this.changedTo(this.value)'
@@ -35,7 +35,7 @@
           <% else %>
             <div class="no-image"><%= _('No image') %></div>
           <% end %>
-          <div class="catalog-item-extras"><%= extra_content.join("\n") %></div>
+          <div class="catalog-item-extras"><%= safe_join(extra_content, "\n") %></div>
         </li>
         <li class="product-link"><%= link_to_product product %></li>
@@ -35,7 +35,7 @@
 <div id="article-formitem">
   <%= labelled_form_field( _('Address'),
         content_tag('code',
-          url_for(@article.url).gsub(/#{@article.slug}$/, '') +
+          url_for(@article.url).gsub(/#{@article.slug}$/, '').html_safe +
           text_field(:article, :slug, :onchange => "warn_value_change()", :size => 25)
         ) +
         content_tag('div',
@@ -14,7 +14,7 @@
     <p><%= _('Numbered lists:') %></p>
     <pre># <%= _('first item') %>
 # <%= _('second item') %></pre>
-    <p><%= h(_('For code, use HTML tags <pre> and <code>, and indent the code inside them:')) %>
+    <p><%= h(_('For code, use HTML tags <pre> and <code>, and indent the code inside them:').html_safe) %>
     </p>
     <pre>
 &lt;pre&gt;
@@ -23,7 +23,7 @@
 &lt;/code&gt;
 &lt;/pre&gt;
 </pre>
-    <p><%= _('See also a more complete <a href="%s">Textile Reference</a>.') % 'http://redcloth.org/hobix.com/textile/' %></p>
+    <p><%= _('See also a more complete <a href="%s">Textile Reference</a>.').html_safe % 'http://redcloth.org/hobix.com/textile/' %></p>
   </div>
 </div>
@@ -39,7 +39,7 @@
   <script>
     jQuery('#article_tag_list').inputosaurus({
-      autoCompleteSource: <%= "'/myprofile/#{profile.identifier}/cms/search_tags'," %>
+      autoCompleteSource: <%= "'/myprofile/#{profile.identifier}/cms/search_tags',".html_safe %>
       activateFinalResult : true
     })
   </script>
@@ -5,7 +5,7 @@
 <ul class="article-types">
   <% for type in @article_types %>
     <% action = type[:class].name == 'UploadedFile' ? {:action => 'upload_files'} : {:action => 'new', :type => type[:class].name} %>
-    <%= content_tag('a', :href => url_for(action.merge(:parent_id => @parent_id, :back_to => @back_to))) do %>
+    <%= content_tag('a', :href => url_for(action.merge(:parent_id => @parent_id, :back_to => @back_to)).html_safe) do %>
       <li class="<%= icon_for_new_article(type[:class]) %>" onmouseover="javascript: jQuery(this).addClass('mouseover')" onmouseout="jQuery(this).removeClass('mouseover')">
         <strong><%= type[:short_description] %></strong>
         <div class='description'><%= type[:description] %></div>
@@ -17,11 +17,11 @@
 <h3><%= _("Select the files you want to upload (max size %s):") % UploadedFile.max_size.to_humanreadable %></h3>
 <h4><%= _('Documents, Images, Videos, Audio') %></h4>
-<h5><%= _('Uploading files to %s') % content_tag('code', @target) %></h5>
+<h5><%= (_('Uploading files to %s') % content_tag('code', @target)).html_safe%></h5>
 <%= form_for('uploaded_file', :url => { :action => 'upload_files' }, :html => {:multipart => true}) do |f| %>
-  <%= @plugins.dispatch(:upload_files_extra_fields, params[:parent_id]).collect { |content| instance_exec(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:upload_files_extra_fields, params[:parent_id]).collect { |content| instance_exec(&content) }, "") %>
   <%= render :partial => 'upload_file_form', :locals => { :size => '45'} %>
	@@ -30,14 +30,47 @@ integration:		@@ -30,14 +30,47 @@ integration:
30	script: bundle exec rake test:integration	30	script: bundle exec rake test:integration
31	stage: all-tests	31	stage: all-tests
32		32
33	-cucumber:
34	- script: bundle exec rake cucumber	33	+cucumber-1:
		34	+ script: SLICE=1/2 bundle exec rake cucumber
		35	+ stage: all-tests
		36	+cucumber-2:
		37	+ script: SLICE=2/2 bundle exec rake cucumber
35	stage: all-tests	38	stage: all-tests
36		39
37	-selenium:
38	- script: bundle exec rake selenium	40	+selenium-1:
		41	+ script: SLICE=1/6 bundle exec rake selenium
		42	+ stage: all-tests
		43	+selenium-2:
		44	+ script: SLICE=2/6 bundle exec rake selenium
		45	+ stage: all-tests
		46	+selenium-3:
		47	+ script: SLICE=3/6 bundle exec rake selenium
		48	+ stage: all-tests
		49	+selenium-4:
		50	+ script: SLICE=4/6 bundle exec rake selenium
		51	+ stage: all-tests
		52	+selenium-5:
		53	+ script: SLICE=5/6 bundle exec rake selenium
		54	+ stage: all-tests
		55	+selenium-6:
		56	+ script: SLICE=6/6 bundle exec rake selenium
39	stage: all-tests	57	stage: all-tests
40		58
41	-plugins:
42	- script: bundle exec rake test:noosfero_plugins	59	+# NOOSFERO_BUNDLE_OPTS=install makes migrations fails
		60	+# probably because of rubygems-integration
		61	+plugins-1:
		62	+ script: SLICE=1/5 bundle exec rake test:noosfero_plugins
43	stage: all-tests	63	stage: all-tests
		64	+plugins-2:
		65	+ script: SLICE=2/5 bundle exec rake test:noosfero_plugins
		66	+ stage: all-tests
		67	+plugins-3:
		68	+ script: SLICE=3/5 bundle exec rake test:noosfero_plugins
		69	+ stage: all-tests
		70	+plugins-4:
		71	+ script: SLICE=4/5 bundle exec rake test:noosfero_plugins
		72	+ stage: all-tests
		73	+plugins-5:
		74	+ script: SLICE=5/5 bundle exec rake test:noosfero_plugins
		75	+ stage: all-tests
		76	+
	@@ -61,11 +61,11 @@ env:		@@ -61,11 +61,11 @@ env:
61	- SLICE=2/4 TASK=selenium	61	- SLICE=2/4 TASK=selenium
62	- SLICE=3/4 TASK=selenium	62	- SLICE=3/4 TASK=selenium
63	- SLICE=4/4 TASK=selenium	63	- SLICE=4/4 TASK=selenium
64	- - SLICE=1/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
65	- - SLICE=2/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
66	- - SLICE=3/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
67	- - SLICE=4/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
68	- - SLICE=5/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install	64	+ - SLICE=1/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
		65	+ - SLICE=2/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
		66	+ - SLICE=3/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
		67	+ - SLICE=4/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
		68	+ - SLICE=5/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
69		69
70	script:	70	script:
71	- ./script/ci	71	- ./script/ci
	@@ -99,7 +99,7 @@ Description of contents		@@ -99,7 +99,7 @@ Description of contents
99	Holds controllers that should be named like weblog_controller.rb for automated URL mapping. All controllers should descend from `ActionController::Base`.	99	Holds controllers that should be named like weblog_controller.rb for automated URL mapping. All controllers should descend from `ActionController::Base`.
100		100
101	* `app/models`	101	* `app/models`
102	- Holds models that should be named like post.rb. Most models will descend from `ActiveRecord::Base`.	102	+ Holds models that should be named like post.rb. Most models will descend from `ApplicationRecord`.
103		103
104	* `app/views`	104	* `app/views`
105	Holds the template files for the view that should be named like `weblog/index.rhtml` for the `WeblogController#index` action. All views use eRuby syntax. This directory can also be used to keep stylesheets, images, and so on that can be symlinked to public.	105	Holds the template files for the view that should be named like `weblog/index.rhtml` for the `WeblogController#index` action. All views use eRuby syntax. This directory can also be used to keep stylesheets, images, and so on that can be symlinked to public.
	@@ -108,7 +108,7 @@ class CmsController < MyProfileController		@@ -108,7 +108,7 @@ class CmsController < MyProfileController
108	end	108	end
109		109
110	def new	110	def new
111	- # FIXME this method should share some logic wirh edit !!!	111	+ # FIXME this method should share some logic with edit !!!
112		112
113	@success_back_to = params[:success_back_to]	113	@success_back_to = params[:success_back_to]
114	# user must choose an article type first	114	# user must choose an article type first
	@@ -365,7 +365,7 @@ class CmsController < MyProfileController		@@ -365,7 +365,7 @@ class CmsController < MyProfileController
365	def search	365	def search
366	query = params[:q]	366	query = params[:q]
367	results = find_by_contents(:uploaded_files, profile, profile.files.published, query)[:results]	367	results = find_by_contents(:uploaded_files, profile, profile.files.published, query)[:results]
368	- render :text => article_list_to_json(results), :content_type => 'application/json'	368	+ render :text => article_list_to_json(results).html_safe, :content_type => 'application/json'
369	end	369	end
370		370
371	def search_article_privacy_exceptions	371	def search_article_privacy_exceptions
	@@ -5,22 +5,22 @@ module ActionTrackerHelper		@@ -5,22 +5,22 @@ module ActionTrackerHelper
5	end	5	end
6		6
7	def new_friendship_description ta	7	def new_friendship_description ta
8	- n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size) % {	8	+ n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size).html_safe % {
9	num: ta.get_friend_name.size,	9	num: ta.get_friend_name.size,
10	- name: ta.collect_group_with_index(:friend_name) do \|n,i\|	10	+ name: safe_join(ta.collect_group_with_index(:friend_name) do \|n,i\|
11	link_to image_tag(ta.get_friend_profile_custom_icon[i] \|\| default_or_themed_icon("/images/icons-app/person-icon.png")),	11	link_to image_tag(ta.get_friend_profile_custom_icon[i] \|\| default_or_themed_icon("/images/icons-app/person-icon.png")),
12	ta.get_friend_url[i], title: n	12	ta.get_friend_url[i], title: n
13	- end.join	13	+ end)
14	}	14	}
15	end	15	end
16		16
17	def join_community_description ta	17	def join_community_description ta
18	- n_('has joined 1 community:<br />%{name}', 'has joined %{num} communities:<br />%{name}', ta.get_resource_name.size) % {	18	+ n_('has joined 1 community:<br />%{name}'.html_safe, 'has joined %{num} communities:<br />%{name}'.html_safe, ta.get_resource_name.size) % {
19	num: ta.get_resource_name.size,	19	num: ta.get_resource_name.size,
20	name: ta.collect_group_with_index(:resource_name) do \|n,i\|	20	name: ta.collect_group_with_index(:resource_name) do \|n,i\|
21	- link_to image_tag(ta.get_resource_profile_custom_icon[i] \|\| default_or_themed_icon("/images/icons-app/community-icon.png")),	21	+ link = link_to image_tag(ta.get_resource_profile_custom_icon[i] \|\| default_or_themed_icon("/images/icons-app/community-icon.png")),
22	ta.get_resource_url[i], title: n	22	ta.get_resource_url[i], title: n
23	- end.join	23	+ end.join.html_safe
24	}	24	}
25	end	25	end
26		26
	@@ -3,13 +3,13 @@ module BlockHelper		@@ -3,13 +3,13 @@ module BlockHelper
3	def block_title(title, subtitle=nil)	3	def block_title(title, subtitle=nil)
4	block_header = block_heading title	4	block_header = block_heading title
5	block_header += block_heading(subtitle, 'h4') if subtitle	5	block_header += block_heading(subtitle, 'h4') if subtitle
6	- content_tag 'div', block_header, :class => 'block-header'	6	+ content_tag('div', block_header, :class => 'block-header').html_safe
7	end	7	end
8		8
9	def block_heading(title, heading='h3')	9	def block_heading(title, heading='h3')
10	tag_class = 'block-' + (heading == 'h3' ? 'title' : 'subtitle')	10	tag_class = 'block-' + (heading == 'h3' ? 'title' : 'subtitle')
11	tag_class += ' empty' if title.empty?	11	tag_class += ' empty' if title.empty?
12	- content_tag heading, content_tag('span', h(title)), :class => tag_class	12	+ content_tag heading, content_tag('span', h(title)), :class => tag_class.html_safe
13	end	13	end
14		14
15	def highlights_block_config_image_fields(block, image={}, row_number=nil)	15	def highlights_block_config_image_fields(block, image={}, row_number=nil)
	@@ -38,7 +38,7 @@ module BoxOrganizerHelper		@@ -38,7 +38,7 @@ module BoxOrganizerHelper
38	content_tag(:ul,	38	content_tag(:ul,
39	images_path.map do \|preview\|	39	images_path.map do \|preview\|
40	content_tag(:li, image_tag(preview, height: '240', alt: ''))	40	content_tag(:li, image_tag(preview, height: '240', alt: ''))
41	- end.join("\n")	41	+ end.join("\n").html_safe
42	)	42	)
43	end	43	end
44		44
	@@ -15,9 +15,9 @@ module ButtonsHelper		@@ -15,9 +15,9 @@ module ButtonsHelper
15	end	15	end
16	the_title = html_options[:title] \|\| label	16	the_title = html_options[:title] \|\| label
17	if html_options[:disabled]	17	if html_options[:disabled]
18	- content_tag('a', ' '+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))	18	+ content_tag('a', ' '.html_safe+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
19	else	19	else
20	- link_to(' '+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))	20	+ link_to(' '.html_safe+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
21	end	21	end
22	end	22	end
23		23
	@@ -19,18 +19,18 @@ module CatalogHelper		@@ -19,18 +19,18 @@ module CatalogHelper
19	ancestors = category.ancestors.map { \|c\| link_to(c.name, {:controller => :catalog, :action => 'index', :level => c.id}) }.reverse	19	ancestors = category.ancestors.map { \|c\| link_to(c.name, {:controller => :catalog, :action => 'index', :level => c.id}) }.reverse
20	current_level = content_tag('strong', category.name)	20	current_level = content_tag('strong', category.name)
21	all_items = [start] + ancestors + [current_level]	21	all_items = [start] + ancestors + [current_level]
22	- content_tag('div', all_items.join(' → '), :id => 'breadcrumb')	22	+ content_tag('div', safe_join(all_items, ' → '), :id => 'breadcrumb')
23	end	23	end
24		24
25	def category_link(category)	25	def category_link(category)
26	count = profile.products.from_category(category).count	26	count = profile.products.from_category(category).count
27	name = truncate(category.name, :length => 22 - count.to_s.size)	27	name = truncate(category.name, :length => 22 - count.to_s.size)
28	link = link_to(name, {:controller => 'catalog', :action => 'index', :level => category.id}, :title => category.name)	28	link = link_to(name, {:controller => 'catalog', :action => 'index', :level => category.id}, :title => category.name)
29	- content_tag('div', "#{link} <span class=\"count\">#{count}</span>") if count > 0	29	+ content_tag('div', "#{link} <span class=\"count\">#{count}</span>".html_safe) if count > 0
30	end	30	end
31		31
32	def category_with_sub_list(category)	32	def category_with_sub_list(category)
33	- content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}"	33	+ content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}".html_safe
34	end	34	end
35		35
36	def sub_category_list(category)	36	def sub_category_list(category)
	@@ -39,7 +39,7 @@ module CatalogHelper		@@ -39,7 +39,7 @@ module CatalogHelper
39	cat_link = category_link sub_category	39	cat_link = category_link sub_category
40	sub_categories << content_tag('li', cat_link) unless cat_link.nil?	40	sub_categories << content_tag('li', cat_link) unless cat_link.nil?
41	end	41	end
42	- content_tag('ul', sub_categories.join) if sub_categories.size > 0	42	+ content_tag('ul', sub_categories.join.html_safe) if sub_categories.size > 0
43	end	43	end
44		44
45	end	45	end
	@@ -35,7 +35,7 @@ module ForumHelper		@@ -35,7 +35,7 @@ module ForumHelper
35	:id => "post-#{art.id}"	35	:id => "post-#{art.id}"
36	)	36	)
37	}	37	}
38	- content_tag('table', content.join) + (pagination or '')	38	+ content_tag('table', safe_join(content, "")) + (pagination or '').html_safe
39	end	39	end
40		40
41	def last_topic_update(article)	41	def last_topic_update(article)