Merge branch 'new_security' into 'master'

Fixing html_safe for noosfero This MR treats of Noosfero's safe strings (with html_safe), because at the moment Noosfero treats all strings as safe, which allows users to inject malicious code. See merge request !859

Merge branch 'new_security' into 'master'
Fixing html_safe for noosfero This MR treats of Noosfero's safe strings (with html_safe), because at the moment Noosfero treats all strings as safe, which allows users to inject malicious code. See merge request !859
Braulio Bhavamitra
2 parents 05c93013 9172bf4b
Showing 115 changed files with 351 additions and 301 deletions Show diff stats
app/controllers/my_profile/cms_controller.rb
app/controllers/my_profile/profile_editor_controller.rb
app/helpers/action_tracker_helper.rb
app/helpers/application_helper.rb
app/helpers/block_helper.rb
app/helpers/blog_helper.rb
app/helpers/box_organizer_helper.rb
app/helpers/boxes_helper.rb
app/helpers/buttons_helper.rb
app/helpers/catalog_helper.rb
app/helpers/content_viewer_helper.rb
app/helpers/display_helper.rb
app/helpers/events_helper.rb
app/helpers/forms_helper.rb
app/helpers/forum_helper.rb
app/helpers/language_helper.rb
app/helpers/layout_helper.rb
app/helpers/manage_products_helper.rb
app/helpers/profile_editor_helper.rb
app/helpers/profile_image_helper.rb
@@ -108,7 +108,7 @@ class CmsController &lt; MyProfileController
   end
  
   def new
-    # FIXME this method should share some logic wirh edit !!!
+    # FIXME this method should share some logic with edit !!!
  
     @success_back_to = params[:success_back_to]
     # user must choose an article type first
@@ -365,7 +365,7 @@ class CmsController &lt; MyProfileController
   def search
     query = params[:q]
     results = find_by_contents(:uploaded_files, profile, profile.files.published, query)[:results]
-    render :text => article_list_to_json(results), :content_type => 'application/json'
+    render :text => article_list_to_json(results).html_safe, :content_type => 'application/json'
   end
  
   def search_article_privacy_exceptions
@@ -29,6 +29,7 @@ class ProfileEditorController &lt; MyProfileController
         Image.transaction do
           begin
             @plugins.dispatch(:profile_editor_transaction_extras)
+            # TODO: This is unsafe! Add sanitizer
             @profile_data.update!(params[:profile_data])
             redirect_to :action => 'index', :profile => profile.identifier
           rescue Exception => ex
@@ -5,22 +5,22 @@ module ActionTrackerHelper
   end
  
   def new_friendship_description ta
-    n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size) % {
+    n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size).html_safe % {
       num: ta.get_friend_name.size,
-      name: ta.collect_group_with_index(:friend_name) do |n,i|
+      name: safe_join(ta.collect_group_with_index(:friend_name) do |n,i|
         link_to image_tag(ta.get_friend_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/person-icon.png")),
                 ta.get_friend_url[i], title: n
-      end.join
+      end)
     }
   end
  
   def join_community_description ta
-    n_('has joined 1 community:<br />%{name}', 'has joined %{num} communities:<br />%{name}', ta.get_resource_name.size) % {
+    n_('has joined 1 community:<br />%{name}'.html_safe, 'has joined %{num} communities:<br />%{name}'.html_safe, ta.get_resource_name.size) % {
       num: ta.get_resource_name.size,
       name: ta.collect_group_with_index(:resource_name) do |n,i|
-        link_to image_tag(ta.get_resource_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/community-icon.png")),
+       link = link_to image_tag(ta.get_resource_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/community-icon.png")),
                 ta.get_resource_url[i], title: n
-      end.join
+      end.join.html_safe
     }
   end
  
@@ -99,7 +99,6 @@ module ApplicationHelper
   #
   # TODO: implement correcly the 'Help' button click
   def help(content = nil, link_name = nil, options = {}, &block)
-
     link_name ||= _('Help')
  
     @help_message_id ||= 1
@@ -122,7 +121,7 @@ module ApplicationHelper
     button = link_to_function(content_tag('span', link_name), "Element.show('#{help_id}')", options )
     close_button = content_tag("div", link_to_function(_("Close"), "Element.hide('#{help_id}')", :class => 'close_help_button'))
  
-    text = content_tag('div', button + content_tag('div', content_tag('div', content) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
+    text = content_tag('div', button + content_tag('div', content_tag('div', content.html_safe) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
  
     unless block.nil?
       concat(text)
@@ -362,8 +361,8 @@ module ApplicationHelper
   def popover_menu(title,menu_title,links,html_options={})
     html_options[:class] = "" unless html_options[:class]
     html_options[:class] << " menu-submenu-trigger"
-    html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false"
  
+    html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false".html_safe
     link_to(content_tag(:span, title), '#', html_options)
   end
  
@@ -473,9 +472,9 @@ module ApplicationHelper
       map(&:role)
     names = []
     roles.each do |role|
-      names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}")
+      names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}").html_safe
     end
-    names.join(', ')
+    safe_join(names, ', ')
   end
  
   def role_color(role, env_id)
@@ -911,7 +910,8 @@ module ApplicationHelper
   end
  
   def admin_link
-    user.is_admin?(environment) ? link_to('<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>', environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
+    admin_icon = '<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>'
+    user.is_admin?(environment) ? link_to(admin_icon.html_safe, environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
   end
  
   def usermenu_logged_in
@@ -920,23 +920,39 @@ module ApplicationHelper
     if count > 0
       pending_tasks_count = link_to(count.to_s, user.tasks_url, :id => 'pending-tasks-count', :title => _("Manage your pending tasks"))
     end
+    user_identifier = "<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>"
+    welcome_link = link_to(user_identifier.html_safe, user.public_profile_url, :id => "homepage-link", :title => _('Go to your homepage'))
+    welcome_span = _("<span class='welcome'>Welcome,</span> %s") % welcome_link.html_safe
+    ctrl_panel_icon = '<i class="icon-menu-ctrl-panel"></i>'
+    ctrl_panel_section = '<strong>' + ctrl_panel_icon + _('Control panel') + '</strong>'
+    ctrl_panel_link = link_to(ctrl_panel_section.html_safe, user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content"))
+    logout_icon = '<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>'
+    logout_link = link_to(logout_icon.html_safe, { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
+    join_result = safe_join(
+      [welcome_span.html_safe, render_environment_features(:usermenu).html_safe, admin_link.html_safe,
+        manage_enterprises.html_safe, manage_communities.html_safe, ctrl_panel_link.html_safe,
+        pending_tasks_count.html_safe, logout_link.html_safe], "")
+    join_result
+  end
  
-    (_("<span class='welcome'>Welcome,</span> %s") % link_to("<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>", user.url, :id => "homepage-link", :title => _('Go to your homepage'))) +
-    render_environment_features(:usermenu) +
-    admin_link +
-    manage_enterprises +
-    manage_communities +
-    link_to('<i class="icon-menu-ctrl-panel"></i><strong>' + _('Control panel') + '</strong>', user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content")) +
-    pending_tasks_count +
-    link_to('<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>', { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
+  def usermenu_notlogged_in
+    login_str = '<i class="icon-menu-login"></i><strong>' + _('Login') + '</strong>'
+    ret = _("<span class='login'>%s</span>") % modal_inline_link_to(login_str.html_safe, login_url, '#inlineLoginBox', :id => 'link_login')
+    return ret.html_safe
   end
  
+  def usermenu_signup
+    signup_str = '<strong>' + _('Sign up') + '</strong>'
+    ret = _("<span class='or'>or</span> <span class='signup'>%s</span>") % link_to(signup_str.html_safe, :controller => 'account', :action => 'signup')
+    return ret.html_safe
+
+  end
   def limited_text_area(object_name, method, limit, text_area_id, options = {})
-    content_tag(:div, [
+    content_tag(:div, safe_join([
       text_area(object_name, method, { :id => text_area_id, :onkeyup => "limited_text_area('#{text_area_id}', #{limit})" }.merge(options)),
       content_tag(:p, content_tag(:span, limit) + ' ' + _(' characters left'), :id => text_area_id + '_left'),
       content_tag(:p, _('Limit of characters reached'), :id => text_area_id + '_limit', :style => 'display: none')
-    ].join, :class => 'limited-text-area')
+    ]), :class => 'limited-text-area')
   end
  
   def expandable_text_area(object_name, method, text_area_id, options = {})
@@ -1032,8 +1048,8 @@ module ApplicationHelper
   end
  
   def render_tabs(tabs)
-    titles = tabs.inject(''){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
-    contents = tabs.inject(''){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) }
+    titles = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
+    contents = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) }
  
     content_tag(:div, content_tag(:ul, titles) + raw(contents), :class => 'ui-tabs')
   end
@@ -1051,7 +1067,7 @@ module ApplicationHelper
   def expirable_link_to(expired, content, url, options = {})
     if expired
       options[:class] = (options[:class] || '') + ' disabled'
-      content_tag('a', '&nbsp;'+content_tag('span', content), options)
+      content_tag('a', '&nbsp;'.html_safe+content_tag('span', content), options)
     else
       if options[:modal]
         options.delete(:modal)
@@ -1084,7 +1100,7 @@ module ApplicationHelper
  
     radios = templates.map do |template|
       content_tag('li', labelled_radio_button(link_to(template.name, template.url, :target => '_blank'), "#{field_name}[template_id]", template.id, environment.is_default_template?(template)))
-    end.join("\n")
+    end.join("\n").html_safe
  
     content_tag('div', content_tag('label', _('Profile organization'), :for => 'template-options', :class => 'formlabel') +
       content_tag('p', _('Your profile will be created according to the selected template. Click on the options to view them.'), :style => 'margin: 5px 15px;padding: 0px 10px;') +
@@ -1124,7 +1140,7 @@ module ApplicationHelper
     content_tag(:div, :class => 'errorExplanation', :id => 'errorExplanation') do
       content_tag(:h2, _('Errors while saving')) +
       content_tag(:ul) do
-        errors.map { |err| content_tag(:li, err) }.join
+        safe_join(errors.map { |err| content_tag(:li, err) })
       end
     end
   end
@@ -1234,6 +1250,7 @@ module ApplicationHelper
       :href=>"#",
       :title=>_("Exit full screen mode")
     })
+    content.html_safe
   end
  
 end
@@ -3,13 +3,13 @@ module BlockHelper
   def block_title(title, subtitle=nil)
     block_header = block_heading title
     block_header += block_heading(subtitle, 'h4') if subtitle
-    content_tag 'div', block_header, :class => 'block-header'
+    content_tag('div', block_header, :class => 'block-header').html_safe
   end
  
   def block_heading(title, heading='h3')
     tag_class = 'block-' + (heading == 'h3' ? 'title' : 'subtitle')
     tag_class += ' empty' if title.empty?
-    content_tag heading, content_tag('span', h(title)), :class => tag_class
+    content_tag heading, content_tag('span', h(title)), :class => tag_class.html_safe
   end
  
   def highlights_block_config_image_fields(block, image={}, row_number=nil)
@@ -41,12 +41,12 @@ module BlogHelper
       css_add << position
       content << (content_tag 'div', id: "post-#{art.id}", class: css_add do
         content_tag 'div', class: position + '-inner blog-post-inner' do
-          display_post(art, conf[:format]).html_safe +
-          '<br style="clear:both"/>'.html_safe
+          display_post(art, conf[:format])  +
+          '<br style="clear:both"/>'
         end
-      end)
+      end).html_safe
     }
-    content.join("\n<hr class='sep-posts'/>\n") + (pagination or '')
+    safe_join(content, "\n<hr class='sep-posts'/>\n") + (pagination or '').html_safe
   end
  
   def display_post(article, format = 'full')
@@ -61,7 +61,8 @@ module BlogHelper
       else
         '<div class="post-pic" style="background-image:url('+img+')"></div>'
       end
-    end.to_s + title + html
+    end.to_s.html_safe +
+    title.html_safe + html
   end
  
   def display_compact_format(article)
@@ -38,7 +38,7 @@ module BoxOrganizerHelper
     content_tag(:ul,
       images_path.map do |preview|
 	content_tag(:li, image_tag(preview, height: '240', alt: ''))
-      end.join("\n")
+      end.join("\n").html_safe
     )
   end
  
@@ -44,7 +44,7 @@ module BoxesHelper
  
   def display_boxes(holder, main_content)
     boxes = holder.boxes.with_position.first(boxes_limit(holder))
-    content = boxes.reverse.map { |item| display_box(item, main_content) }.join("\n")
+    content = safe_join(boxes.reverse.map { |item| display_box(item, main_content) }, "\n")
     content = main_content if (content.blank?)
  
     content_tag('div', content, :class => 'boxes', :id => 'boxes' )
@@ -54,7 +54,7 @@ module BoxesHelper
     if holder.respond_to?(element)
       content_tag('div', holder.send(element), options)
     else
-      ''
+      ''.html_safe
     end
   end
  
@@ -70,9 +70,10 @@ module BoxesHelper
  
   def display_box_content(box, main_content)
     context = { :article => @page, :request_path => request.path, :locale => locale, :params => request.params, :user => user, :controller => controller }
-    box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item|
+    blocks = box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item|
       display_block item, main_content
-    end.join("\n") + box_decorator.block_target(box)
+    end
+    safe_join(blocks, "\n") + box_decorator.block_target(box)
   end
  
   def select_blocks box, arr, context
@@ -136,17 +137,18 @@ module BoxesHelper
  
     result = filter_html(result, block)
  
-    content_tag('div',
-      box_decorator.block_target(block.box, block) +
-        content_tag('div',
-         content_tag('div',
-           content_tag('div',
-             result + footer_content + box_decorator.block_edit_buttons(block),
-             :class => 'block-inner-2'),
-           :class => 'block-inner-1'),
-       options),
-    :class => 'block-outer') +
-    box_decorator.block_handle(block)
+    join_result = safe_join([result, footer_content, box_decorator.block_edit_buttons(block)])
+    content_tag_inner_1 = content_tag('div', join_result, :class => 'block-inner-2')
+
+    content_tag_inner_2 = content_tag('div', content_tag_inner_1, :class => 'block-inner-1')
+    content_tag_inner_3 = content_tag('div', content_tag_inner_2, options)
+    content_tag_inner_4 = box_decorator.block_target(block.box, block) + content_tag_inner_3
+    c = content_tag('div', content_tag_inner_4, :class => 'block-outer')
+    box_decorator_result = box_decorator.block_handle(block)
+    result_final = safe_join([c, box_decorator_result], "")
+
+
+    return result_final
   end
  
   def wrap_main_content(content)
@@ -156,17 +158,17 @@ module BoxesHelper
   def extract_block_content(content)
     case content
     when Hash
-      content_tag('iframe', '', :src => url_for(content))
+      content_tag('iframe', ''.html_safe, :src => url_for(content))
     when String
       if content.split("\n").size == 1 and content =~ /^https?:\/\//
-        content_tag('iframe', '', :src => content)
+        content_tag('iframe', ''.html_safe, :src => content)
       else
         content
       end
     when Proc
       self.instance_eval(&content)
     when NilClass
-      ''
+      ''.html_safe
     else
       raise "Unsupported content for block (#{content.class})"
     end
@@ -175,14 +177,14 @@ module BoxesHelper
   module DontMoveBlocks
     # does nothing
     def self.block_target(box, block = nil)
-      ''
+      ''.html_safe
     end
     # does nothing
     def self.block_handle(block)
-      ''
+      ''.html_safe
     end
     def self.block_edit_buttons(block)
-      ''
+      ''.html_safe
     end
     def self.select_blocks box, arr, context
       arr = arr.select{ |block| block.visible? context }
@@ -229,9 +231,9 @@ module BoxesHelper
   # makes the given block draggable so it can be moved away.
   def block_handle(block)
     return "" unless movable?(block)
-    icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>"
+    icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>".html_safe
     block_draggable("block-#{block.id}",
-                    :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}")
+                    :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}".html_safe)
   end
  
   def block_draggable(element_id, options={})
@@ -302,7 +304,7 @@ module BoxesHelper
       buttons << modal_inline_icon(:embed, _('Embed code'), {}, "#embed-code-box-#{block.id}") << html
     end
  
-    content_tag('div', buttons.join("\n") + tag('br', :style => 'clear: left'), :class => 'button-bar')
+    content_tag('div', buttons.join("\n").html_safe + tag('br', :style => 'clear: left'), :class => 'button-bar')
   end
  
   def current_blocks
@@ -15,9 +15,9 @@ module ButtonsHelper
     end
     the_title = html_options[:title] || label
     if html_options[:disabled]
-      content_tag('a', '&nbsp;'+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
+      content_tag('a', '&nbsp;'.html_safe+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
     else
-      link_to('&nbsp;'+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
+      link_to('&nbsp;'.html_safe+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
     end
   end
  
@@ -19,18 +19,18 @@ module CatalogHelper
     ancestors = category.ancestors.map { |c| link_to(c.name, {:controller => :catalog, :action => 'index', :level => c.id}) }.reverse
     current_level = content_tag('strong', category.name)
     all_items = [start] + ancestors + [current_level]
-    content_tag('div', all_items.join(' &rarr; '), :id => 'breadcrumb')
+    content_tag('div', safe_join(all_items, ' &rarr; '), :id => 'breadcrumb')
   end
  
   def category_link(category)
     count = profile.products.from_category(category).count
     name = truncate(category.name, :length => 22 - count.to_s.size)
     link = link_to(name, {:controller => 'catalog', :action => 'index', :level => category.id}, :title => category.name)
-    content_tag('div', "#{link} <span class=\"count\">#{count}</span>") if count > 0
+    content_tag('div', "#{link} <span class=\"count\">#{count}</span>".html_safe) if count > 0
   end
  
   def category_with_sub_list(category)
-    content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}"
+    content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}".html_safe
   end
  
   def sub_category_list(category)
@@ -39,7 +39,7 @@ module CatalogHelper
       cat_link = category_link sub_category
       sub_categories << content_tag('li', cat_link) unless cat_link.nil?
     end
-    content_tag('ul', sub_categories.join) if sub_categories.size > 0
+    content_tag('ul', sub_categories.join.html_safe) if sub_categories.size > 0
   end
  
 end
@@ -7,7 +7,8 @@ module ContentViewerHelper
   def display_number_of_comments(n)
     base_str = "<span class='comment-count hide'>#{n}</span>"
     amount_str = n == 0 ? _('no comments yet') : (n == 1 ? _('One comment') : _('%s comments') % n)
-    base_str + "<span class='comment-count-write-out'>#{amount_str}</span>"
+    base_str += "<span class='comment-count-write-out'>#{amount_str}</span>"
+    base_str.html_safe
   end
  
   def number_of_comments(article)
@@ -19,11 +20,11 @@ module ContentViewerHelper
     title = content_tag('h1', h(title), :class => 'title')
     if article.belongs_to_blog? || article.belongs_to_forum?
       unless args[:no_link]
-        title = content_tag('h1', link_to(article.name, article.url), :class => 'title')
+        title = content_tag('h1', link_to(article.name, url_for(article.url)), :class => 'title')
       end
       comments = ''
       unless args[:no_comments] || !article.accept_comments
-        comments = (" - %s") % link_to_comments(article)
+        comments = (" - %s").html_safe % link_to_comments(article)
       end
       date_format = show_with_right_format_date article
       title << content_tag('span',
@@ -53,18 +53,19 @@ module DisplayHelper
   end
  
   def txt2html(txt)
-    txt.strip.
+    ret = txt.strip.
       gsub( /\s*\n\s*\n\s*/, "\r<p/>\r" ).
       gsub( /\s*\n\s*/, "\n<br/>\n" ).
       gsub( /\r/, "\n" ).
       gsub( /(^|\s)(www\.[^\s]+|https?:\/\/[^\s]+)/ ) do
         pre_char, href = $1, $2
         href = 'http://'+href  if ! href.match /^https?:/
-        content = href.gsub(/^https?:\/\//, '').scan(/.{1,4}/).join('&#x200B;')
+        content = safe_join(href.gsub(/^https?:\/\//, '').scan(/.{1,4}/), '&#x200B;'.html_safe)
         pre_char +
         content_tag(:a, content, :href => href, :target => '_blank',
-                    :rel => 'nofolow', :onclick => "return confirm('%s')" %
+                    :rel => 'nofolow', :onclick => "return confirm('%s')".html_safe %
                       _('Are you sure you want to visit this web site?'))
       end
+      ret.html_safe
   end
 end
 module EventsHelper
  
   include DatesHelper
+  include ActionView::Helpers::OutputSafetyHelper
+
   def list_events(date, events)
     title = _('Events for %s') % show_date_month(date)
+    user_events = events.select { |item| item.display_to?(user) }
+    events_for_month = safe_join(user_events.map {|item| display_event_in_listing(item)}, '')
     content_tag('h2', title) +
     content_tag('div',
       (events.any? ?
-        content_tag('table', events.select { |item| item.display_to?(user) }.map {|item| display_event_in_listing(item)}.join('')) :
-        content_tag('em', _('No events for this month'), :class => 'no-events')
+        content_tag('table', events_for_month) :
+          content_tag('em', _('No events for this month'), :class => 'no-events')
       ), :id => 'agenda-items'
     )
   end
@@ -101,7 +101,7 @@ module FormsHelper
  
   def required_fields_message
     content_tag('p', content_tag('span',
-      _("The <label class='pseudoformlabel'>highlighted</label> fields are mandatory."),
+      _("The <label class='pseudoformlabel'>highlighted</label> fields are mandatory.").html_safe,
       :class => 'required-field'
     ))
   end
@@ -112,10 +112,11 @@ module FormsHelper
     options_for_select = container.inject([]) do |options, element|
       text, value = option_text_and_value(element)
       selected_attribute = ' selected="selected"' if option_value_selected?(value, selected)
-      options << %(<option title="#{html_escape(text.to_s)}" value="#{html_escape(value.to_s)}"#{selected_attribute}>#{html_escape(text.to_s)}</option>)
+      opt = %(<option title="#{html_escape(text.to_s)}" value="#{html_escape(value.to_s)}"#{selected_attribute}>#{html_escape(text.to_s)}</option>)
+      options << opt.html_safe
     end
  
-    options_for_select.join("\n")
+    safe_join(options_for_select, "\n")
   end
  
   def balanced_table(items, per_row=3)
@@ -248,8 +249,8 @@ module FormsHelper
   def date_range_field(from_name, to_name, from_value, to_value, datepicker_options = {}, html_options = {})
     from_id = html_options[:from_id] || 'datepicker-from-date'
     to_id = html_options[:to_id] || 'datepicker-to-date'
-    return _('From') +' '+ date_field(from_name, from_value, datepicker_options, html_options.merge({:id => from_id})) +
-    ' ' + _('until') +' '+ date_field(to_name, to_value, datepicker_options, html_options.merge({:id => to_id}))
+    return (_('From') +' '+ date_field(from_name, from_value, datepicker_options, html_options.merge({:id => from_id})) +
+    ' ' + _('until') +' '+ date_field(to_name, to_value, datepicker_options, html_options.merge({:id => to_id}))).html_safe
   end
  
   def select_folder(label_text, field_id, collection, default_value=nil, html_options = {}, js_options = {})
@@ -35,7 +35,7 @@ module ForumHelper
                              :id => "post-#{art.id}"
                             )
     }
-    content_tag('table', content.join) + (pagination or '')
+    content_tag('table', safe_join(content, "")) + (pagination or '').html_safe
   end
  
   def last_topic_update(article)
@@ -40,7 +40,7 @@ module LanguageHelper
         else
           link_to(name, params.merge(:lang => code), :rel => 'nofollow')
         end
-      end.join(separator)
+      end.join(separator).html_safe
       content_tag('div', languages, :id => 'language-chooser', :help => _('The language you choose here is the language used for options, buttons, etc. It does not affect the language of the content created by other users.'))
     end
   end
@@ -40,7 +40,8 @@ module LayoutHelper
  
     output += templete_javascript_ng.to_s
  
-    output
+    # This output should be safe!
+    output.html_safe
   end
  
   def noosfero_stylesheets
@@ -64,7 +65,9 @@ module LayoutHelper
       output << stylesheet_link_tag(global_css_pub)
     end
     output << stylesheet_link_tag(theme_stylesheet_path)
-    output.join "\n"
+
+    # This output should be safe!
+    output.join("\n").html_safe
   end
  
   def noosfero_layout_features
@@ -38,10 +38,11 @@ module ManageProductsHelper
   end
  
   def options_for_select_categories(categories, selected = nil)
-    categories.sort_by{|cat| cat.name.transliterate}.map do |category|
-      selected_attribute = selected.nil? ? '' : (category == selected ? "selected='selected'" : '')
-      "<option value='#{category.id}' title='#{category.name}' #{selected_attribute}>#{category.name + (category.leaf? ? '': ' &raquo;')}</option>"
-    end.join("\n")
+    safe_join(categories.sort_by{ |cat|
+      cat.name.transliterate}.map do |category|
+        selected_attribute = selected.nil? ? '' : (category == selected ? "selected='selected'" : '')
+          "<option value='#{category.id}' title='#{category.name}' #{selected_attribute}>#{category.name + (category.leaf? ? '': ' &raquo;')}</option>".html_safe
+    end, "\n")
   end
  
   def build_selects_for_ancestors(ancestors, current_category)
@@ -76,10 +77,13 @@ module ManageProductsHelper
  
   def categories_container(categories_selection_html, hierarchy_html = '')
     content_tag 'div',
-      render('categories_autocomplete') +
-      hidden_field_tag('selected_category_id') +
-      content_tag('div', hierarchy_html, :id => 'hierarchy_navigation') +
-      content_tag('div', categories_selection_html, :id => 'categories_container_wrapper'),
+      safe_join(
+        [
+          render('categories_autocomplete'),
+          hidden_field_tag('selected_category_id'),
+          content_tag('div', hierarchy_html, :id => 'hierarchy_navigation'),
+          content_tag('div', categories_selection_html, :id => 'categories_container_wrapper')
+        ], ''),
     :id => 'categories-container'
   end
  
@@ -129,7 +129,11 @@ module ProfileEditorHelper
     else
       domains = environment.domains
     end
-    labelled_form_field(_('Preferred domain name:'), select(object, :preferred_domain_id, domains.map {|item| [item.name, item.id]}, :prompt => '&lt;' + _('Select domain') + '&gt;'))
+    select_domain_prompt = '&lt;'.html_safe + _('Select domain').html_safe + '&gt;'.html_safe
+    select_field = select(object, :preferred_domain_id, domains.map {
+      |item| [item.name, item.id]}, :prompt => select_domain_prompt.html_safe)
+
+    labelled_form_field(_('Preferred domain name:'), select_field)
   end
  
   def control_panel(&block)
@@ -131,7 +131,7 @@ module ProfileImageHelper
     links = links_for_balloon(profile)
     content_tag('div', content_tag(tag,
                                    (environment.enabled?(:show_balloon_with_profile_links_when_clicked) ?
-                                   popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "") +
+                                   popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "").html_safe +
     link_to(
       content_tag( 'span', profile_image( profile, size ), :class => img_class ) +
       content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
@@ -139,7 +139,7 @@ module ProfileImageHelper
       profile.url,
       :class => 'profile_link url',
       :help => _('Click on this icon to go to the <b>%s</b>\'s home page') % profile.name,
-      :title => profile.name ),
+      :title => profile.name ).html_safe,
       :class => 'vcard'), :class => 'common-profile-list-block')
   end
 end
@@ -124,10 +124,10 @@ module SearchHelper
   def filters(asset)
     return if !asset
     klass = asset_class(asset)
-    content_tag('div', klass::SEARCH_FILTERS.map do |name, options|
+    content_tag('div', safe_join(klass::SEARCH_FILTERS.map do |name, options|
       default = klass.respond_to?("default_search_#{name}") ? klass.send("default_search_#{name}".to_s) : nil
       select_filter(name, options, default)
-    end.join("\n"), :id => 'search-filters')
+    end, "\n"), :id => 'search-filters')
   end
  
   def assets_menu(selected)
@@ -137,11 +137,11 @@ module SearchHelper
     #     menu.
     assets.delete(:events)
     content_tag('ul',
-      assets.map do |asset|
+      safe_join(assets.map do |asset|
         options = {}
         options.merge!(:class => 'selected') if selected.to_s == asset.to_s
         content_tag('li', asset_link(asset), options)
-      end.join("\n"),
+      end, "\n"),
     :id => 'assets-menu')
   end
  
@@ -58,7 +58,7 @@ module TagsHelper
  
       if options[:show_count]
         display_count = options[:show_count] ? "<small><sup>(#{count})</sup></small>" : ""
-        link_to tag + display_count, destination, :style => style
+        link_to (tag + display_count).html_safe, destination, :style => style
       else
         link_to h(tag) , destination, :style => style,
           :title => n_( 'one item', '%d items', count ) % count
@@ -7,7 +7,7 @@ module TinymceHelper
     output += javascript_include_tag 'tinymce/js/tinymce/jquery.tinymce.min.js'
     output += javascript_include_tag 'tinymce.js'
     output += include_macro_js_files.to_s
-    output
+    output.html_safe
   end
  
   def tinymce_init_js options = {}
@@ -37,7 +37,7 @@ module TinymceHelper
     #cleanup non tinymce options
     options = options.except :mode
  
-    "noosfero.tinymce.init(#{options.to_json})"
+    "noosfero.tinymce.init(#{options.to_json})".html_safe
   end
  
   def menubar mode
@@ -86,7 +86,7 @@ class ApproveArticle &lt; Task
  
   def information
     if article
-      {:message => _('%{requestor} wants to publish the article: %{linked_subject}.')}
+      {:message => _('%{requestor} wants to publish the article: %{linked_subject}.').html_safe}
     else
       {:message => _("The article was removed.")}
     end
@@ -60,9 +60,9 @@ class CreateCommunity &lt; Task
  
   def information
     if description.blank?
-      { :message => _('%{requestor} wants to create community %{subject} with no description.') }
+      { :message => _('%{requestor} wants to create community %{subject} with no description.').html_safe }
     else
-      { :message => _('%{requestor} wants to create community %{subject} with this description:<p><em>%{description}</em></p>'),
+      { :message => _('%{requestor} wants to create community %{subject} with this description:<p><em>%{description}</em></p>').html_safe,
         :variables => {:description => description} }
     end
   end
@@ -163,7 +163,7 @@ class CreateEnterprise &lt; Task
   end
  
   def information
-    {:message => _('%{requestor} wants to create enterprise %{subject}.')}
+    {:message => _('%{requestor} wants to create enterprise %{subject}.').html_safe}
   end
  
   def reject_details
@@ -17,7 +17,7 @@ class DocItem
       else
         match
       end
-    end
+    end.html_safe
   end
  
   private
@@ -731,7 +731,7 @@ class Environment &lt; ApplicationRecord
     url << (Noosfero.url_options.key?(:host) ? Noosfero.url_options[:host] : default_hostname)
     url << ':' << Noosfero.url_options[:port].to_s if Noosfero.url_options.key?(:port)
     url << Noosfero.root('')
-    url
+    url.html_safe
   end
  
   def to_s
@@ -13,7 +13,7 @@ class InviteFriend &lt; Invitation
   end
  
   def information
-    {:message => _('%{requestor} wants to be your friend.')}
+    {:message => _('%{requestor} wants to be your friend.').html_safe}
   end
  
   def accept_details
@@ -25,7 +25,7 @@ class InviteFriend &lt; Invitation
   end
  
   def target_notification_description
-    _('%{requestor} wants to be your friend.') % {:requestor => requestor.name}
+    (_('%{requestor} wants to be your friend.') % {:requestor => requestor.name}).html_safe
   end
  
   def permission
@@ -25,7 +25,7 @@ class InviteMember &lt; Invitation
   end
  
   def information
-    {:message => _('%{requestor} invited you to join %{linked_subject}.')}
+    {:message => _('%{requestor} invited you to join %{linked_subject}.').html_safe}
   end
  
   def url
@@ -37,7 +37,7 @@ class InviteMember &lt; Invitation
   end
  
   def target_notification_description
-    _('%{requestor} invited you to join %{community}.') % {:requestor => requestor.name, :community => community.name}
+    (_('%{requestor} invited you to join %{community}.') % {:requestor => requestor.name, :community => community.name}).html_safe
   end
  
   def target_notification_message
@@ -646,7 +646,7 @@ class Profile &lt; ApplicationRecord
     url << url_options[:host]
     url << ':' << url_options[:port].to_s if url_options.key?(:port)
     url << Noosfero.root('')
-    url
+    url.html_safe
   end
  
 private :generate_url, :url_options
@@ -65,7 +65,7 @@ class SuggestArticle &lt; Task
  
   def information
     variables = requestor.blank? ? {:requestor => sender} : {}
-    { :message => _('%{requestor} suggested the publication of the article: %{subject}.'),
+    { :message => _('%{requestor} suggested the publication of the article: %{subject}.').html_safe,
       :variables => variables }
   end
  
@@ -78,7 +78,7 @@ class SuggestArticle &lt; Task
   end
  
   def target_notification_description
-    _('%{requestor} suggested the publication of the article: %{article}.') %
+    _('%{requestor} suggested the publication of the article: %{article}.').html_safe %
     {:requestor => sender, :article => article_name}
   end
  
@@ -107,7 +107,7 @@
     <%= render :partial => 'profile_editor/person_form', :locals => {:f => f} %>
   <% end %>
  
-  <%= @plugins.dispatch(:signup_extra_contents).collect { |content| instance_eval(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:signup_extra_contents).collect { |content| instance_eval(&content) }, "") %>
  
   <%= template_options(:people, 'profile_data') %>
  
@@ -14,7 +14,7 @@
 <div id="enterprise-activation-create-user-form" style="display: none">
   <h3><%= _('Personal signup form') %></h3>
   <%= render :partial => 'signup_form', :locals => { :hidden_atention => true } %>
-  <p><%= message = _('<b>Warning</b>: this form is for your personal information, not of your enterprise. So you will have a personal account that can manage your enterprise.') %></p>
+  <p><%= message = _('<b>Warning</b>: this form is for your personal information, not of your enterprise. So you will have a personal account that can manage your enterprise.').html_safe %></p>
 </div>
  
 <div id="enterprise-activation-login-form" style="display: none">
 <h1><%= _("Invalid change password code") %></h1>
  
 <p>
-<%= _('The code you are using for password change is not valid. Please try to request password change using the <a href="%s">"I forgot my password"</a> functionality.') % url_for(:action => 'forgot_password') %>
+<%= _('The code you are using for password change is not valid. Please try to request password change using the <a href="%s">"I forgot my password"</a> functionality.') % url_for(:action => 'forgot_password').html_safe %>
 </p>
@@ -20,7 +20,7 @@
        </label>
      </div>
  
-     <%= @plugins.dispatch(:login_extra_contents).collect { |content| instance_exec(&content) }.join("") %>
+     <%= safe_join(@plugins.dispatch(:login_extra_contents).collect { |content| instance_exec(&content) }, "") %>
  
      <% button_bar do %>
        <%= submit_button( 'login', _('Log in') )%>
@@ -15,7 +15,7 @@
  
       <%= f.password_field :password %>
  
-      <%= @plugins.dispatch(:login_extra_contents).collect { |content| instance_eval(&content) }.join("") %>
+      <%= safe_join(@plugins.dispatch(:login_extra_contents).collect { |content| instance_eval(&content) }, "") %>
  
       <% button_bar do %>
         <%= submit_button( 'login', _('Log in') )%>
@@ -5,5 +5,5 @@
 </p>
  
 <p>
-<%= _("You can <a href='%s'>login</a> now.") % url_for(:action => 'login') %>
+<%= _("You can <a href='%s'>login</a> now.").html_safe % url_for(:action => 'login') %>
 </p>
@@ -6,7 +6,7 @@
       <%= content_tag('li', content_tag('strong', "#{year.to_i} (#{count})")) %>
       <ul class='<%= year.to_i %>-archive'>
         <% block.blog.total_number_of_posts(:by_month, year).each do |month, count| %>
-          <%= content_tag('li', link_to("#{month_name(month.to_i)} (#{count})", block.blog.url.merge(year: year.to_i, month: month.to_i))) %>
+          <%= content_tag('li', link_to("#{month_name(month.to_i)} (#{count})", url_for(block.blog.url.merge(year: year.to_i, month: month.to_i)).html_safe)) %>
         <% end %>
       </ul>
     <% end %>
@@ -8,7 +8,7 @@
       <%= block.sanitize_link(link_to(link[:name], block.expand_address(link[:address]),
                 :target => link[:target],
                 :class => (link[:icon] ? "icon-#{link[:icon]}" : ''),
-                :title => link[:title])) %>
+                :title => link[:title])).html_safe %>
     </li>
   <% end %>
 </ul>
@@ -3,7 +3,7 @@
     <h2><%= _('Logged in as %s') % user.identifier %></h2>
     <ul>
       <li><%= _('User since %s/%s') % [user.created_at.month, user.created_at.year] %></li>
-      <li><%= link_to _('Homepage'), user.public_profile_url %></li>
+      <li><%= link_to _('Homepage'), url_for(user.public_profile_url) %></li>
     </ul>
     <div class="user-actions">
       <%= button(:'menu-logout',  _('Logout'), :controller => 'account', :action => 'logout') %>
@@ -10,8 +10,8 @@
   <% if list.empty? %>
     <div class='common-profile-list-block-none'><%= _('None') %></div>
   <% else %>
-    <ul><%= list %></ul>
+    <ul><%= list.html_safe %></ul>
   <% end %>
 </div>
- 
+
 <br style='clear:both'/>
@@ -9,7 +9,8 @@
     first_text = articles[articles.find_index{|a| a.kind_of? TextArticle}||-1]
     selected = @block.article || first_text
   %>
-  <%= select_tag(
+  <%= 
+    select_tag(
     'block[article_id]',
     options_for_select_with_title(articles.map {|item| [item.path, item.id]}, selected.id),
     :onchange => 'this.changedTo(this.value)'
@@ -35,7 +35,7 @@
           <% else %>
             <div class="no-image"><%= _('No image') %></div>
           <% end %>
-          <div class="catalog-item-extras"><%= extra_content.join("\n") %></div>
+          <div class="catalog-item-extras"><%= safe_join(extra_content, "\n") %></div>
         </li>
  
         <li class="product-link"><%= link_to_product product %></li>
@@ -35,7 +35,7 @@
 <div id="article-formitem">
   <%= labelled_form_field( _('Address'),
         content_tag('code',
-          url_for(@article.url).gsub(/#{@article.slug}$/, '') +
+          url_for(@article.url).gsub(/#{@article.slug}$/, '').html_safe +
           text_field(:article, :slug, :onchange => "warn_value_change()", :size => 25)
         ) +
         content_tag('div',
@@ -14,7 +14,7 @@
     <p><%= _('Numbered lists:') %></p>
     <pre># <%= _('first item') %>
 # <%= _('second item') %></pre>
-    <p><%= h(_('For code, use HTML tags <pre> and <code>, and indent the code inside them:')) %>
+    <p><%= h(_('For code, use HTML tags <pre> and <code>, and indent the code inside them:').html_safe) %>
     </p>
     <pre>
 &lt;pre&gt;
@@ -23,7 +23,7 @@
 &lt;/code&gt;
 &lt;/pre&gt;
 </pre>
-    <p><%= _('See also a more complete <a href="%s">Textile Reference</a>.') % 'http://redcloth.org/hobix.com/textile/' %></p>
+    <p><%= _('See also a more complete <a href="%s">Textile Reference</a>.').html_safe % 'http://redcloth.org/hobix.com/textile/' %></p>
   </div>
 </div>
  
@@ -39,7 +39,7 @@
  
   <script>
     jQuery('#article_tag_list').inputosaurus({
-      autoCompleteSource: <%= "'/myprofile/#{profile.identifier}/cms/search_tags'," %>
+      autoCompleteSource: <%= "'/myprofile/#{profile.identifier}/cms/search_tags',".html_safe %>
       activateFinalResult : true
     })
   </script>
@@ -5,7 +5,7 @@
 <ul class="article-types">
   <% for type in @article_types %>
     <% action = type[:class].name == 'UploadedFile' ? {:action => 'upload_files'} : {:action => 'new', :type => type[:class].name} %>
-    <%= content_tag('a', :href => url_for(action.merge(:parent_id => @parent_id, :back_to => @back_to))) do %>
+    <%= content_tag('a', :href => url_for(action.merge(:parent_id => @parent_id, :back_to => @back_to)).html_safe) do %>
       <li class="<%= icon_for_new_article(type[:class]) %>" onmouseover="javascript: jQuery(this).addClass('mouseover')" onmouseout="jQuery(this).removeClass('mouseover')">
         <strong><%= type[:short_description] %></strong>
         <div class='description'><%= type[:description] %></div>
@@ -17,11 +17,11 @@
 <h3><%= _("Select the files you want to upload (max size %s):") % UploadedFile.max_size.to_humanreadable %></h3>
 <h4><%= _('Documents, Images, Videos, Audio') %></h4>
  
-<h5><%= _('Uploading files to %s') % content_tag('code', @target) %></h5>
+<h5><%= (_('Uploading files to %s') % content_tag('code', @target)).html_safe%></h5>
  
 <%= form_for('uploaded_file', :url => { :action => 'upload_files' }, :html => {:multipart => true}) do |f| %>
  
-  <%= @plugins.dispatch(:upload_files_extra_fields, params[:parent_id]).collect { |content| instance_exec(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:upload_files_extra_fields, params[:parent_id]).collect { |content| instance_exec(&content) }, "") %>
  
   <%= render :partial => 'upload_file_form', :locals => { :size => '45'} %>
  
@@ -17,7 +17,7 @@
 <% button_bar(:style => 'margin-bottom: 1em;') do %>
   <% parent_id = ((@article && @article.allow_children?) ? @article : nil) %>
  
-  <%= modal_button('new', _('New content'), :action => 'new', :parent_id => parent_id, :cms => true) %>
+  <%= modal_button('new', _('New content'), url_for({:action => 'new', :parent_id => parent_id, :cms => true}).html_safe) %>
   <%= button(:back, _('Back to control panel'), :controller => 'profile_editor', :action => "index") %>
 <% end %>
  
@@ -26,7 +26,7 @@
     <strong><%= _('Current folder: ') %></strong>
     <%= link_to profile.identifier, :action => 'index' %>
     <% @article.hierarchy.each do |item| %>
-      <%= " / " + ((item == @article) ? item.name.html_safe : link_to(item.slug, :id => item.id).html_safe) %>
+      <%= " / ".html_safe + ((item == @article) ? item.name.html_safe : link_to(item.slug, :id => item.id).html_safe) %>
     <% end %>
   </div>
 <% end %>
@@ -45,9 +45,9 @@
     <tr>
       <td>
         <% if @article.parent %>
-          <%= link_to '.. (' + _('parent folder') + ')', {:action => 'view', :id => @article.parent.id}, :class => 'icon-parent-folder' %>
+          <%= link_to '.. ('.html_safe + _('parent folder') + ')', {:action => 'view', :id => @article.parent.id}, :class => 'icon-parent-folder' %>
         <% else %>
-          <%= link_to '.. (' + _('parent folder') + ')', {:action => 'index'}, :class => 'icon-parent-folder' %>
+          <%= link_to '.. ('.html_safe + _('parent folder') + ')', {:action => 'index'}, :class => 'icon-parent-folder' %>
         <% end %>
       </td>
       <td><%= Folder.short_description %></td>
@@ -43,7 +43,7 @@
         <p/>
         <%= txt2html comment.body %>
       </div>
-      <%= @plugins.dispatch(:comment_extra_contents, local_assigns).collect { |content| instance_exec(&content) }.join("") %>
+      <%= safe_join(@plugins.dispatch(:comment_extra_contents, local_assigns).collect { |content| instance_exec(&content) }, "") %>
     </div>
  
     <div class="comment_reply post_comment_box closed" id="comment_reply_to_<%= comment.id %>">
@@ -85,7 +85,7 @@ function check_captcha(button, confirm_action) {
   <%= hidden_field_tag(:view, params[:view])%>
   <%= f.hidden_field(:reply_of_id) %>
  
-  <%= @plugins.dispatch(:comment_form_extra_contents, local_assigns.merge(:comment => @comment)).collect { |content| instance_exec(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:comment_form_extra_contents, local_assigns.merge(:comment => @comment)).collect { |content| instance_exec(&content) }, "") %>
  
   <% button_bar do %>
     <%= submit_button('add', _('Post comment'), :onclick => "if(check_captcha(this)) { save_comment(this) } else { check_captcha(this, save_comment)};return false;") %>
@@ -26,7 +26,7 @@
         <% content = _('Add translation') %>
         <% parent_id = (@page.folder? ? @page : (@page.parent.nil? ? nil : @page.parent)) %>
         <% url = profile.admin_url.merge(:controller => 'cms', :action => 'new', :parent_id => parent_id, :type => @page.type, :article => { :translation_of_id => @page.native_translation.id })%>
-        <%= expirable_button @page, :locale, content, url %>
+        <%= expirable_button @page, :locale, content, url_for(url).html_safe %>
       <% end %>
  
       <% if !@page.archived? %>
@@ -67,7 +67,7 @@
       <div class="blog-cover"><%= image_tag(@page.image.public_filename())%></div>
     <% end %>
     <%= button_without_text(:feed, _('RSS feed'), @page.feed.url, :class => 'blog-feed-link') if @page.has_posts? && @page.feed %>
-    <%= @plugins.dispatch(:article_header_extra_contents, @page).collect { |content| instance_exec(&content) }.join("") %>
+    <%= safe_join(@plugins.dispatch(:article_header_extra_contents, @page).collect { |content| instance_exec(&content) }) %>
     <% if @page.archived? %>
       <%= render :partial => 'cms/archived_warning', :locals => {:article => @page} %>
     <% end %>
@@ -7,7 +7,7 @@
   </span>
 <% unless @no_comments %>
   <span class="comments">
-    <%= (" - %s") % link_to_comments(@page)%>
+    <%= (" - %s").html_safe % link_to_comments(@page) %>
   </span>
 <% end %>
  
@@ -35,7 +35,7 @@
       </div>
     <% end %>
     <div class="event-content">
-      <%= event.body %>
+      <%= raw event.body %>
     </div>
   <% end %>
 </div>
@@ -2,9 +2,9 @@
 <%= button(:back, _('Back to the versions'), {:action => 'article_versions'}) %>
 </div>
  
-<h1><%= _('Changes on "%s"') % @page.title %></h1>
+<h1><%= _('Changes on "%s"').html_safe % @page.title %></h1>
  
-<p> <%= _('Changes from %s &rarr; %s') % [show_time(@v1.updated_at), show_time(@v2.updated_at)] %> </p>
+<p> <%= _('Changes from %s &rarr; %s').html_safe % [show_time(@v1.updated_at), show_time(@v2.updated_at)] %> </p>
  
 <% diffContent = Diffy::Diff.new(@v1.body, @v2.body, :context => 1) %>
 <% if diffContent.to_s(:text).blank? %>
@@ -12,5 +12,5 @@
     <%= _('These versions range have no differences.')%>
   </p>
 <% else %>
-  <%= diffContent.to_s(:html) %>
+  <%= diffContent.to_s(:html).html_safe %>
 <% end %>
@@ -45,24 +45,24 @@
 <% if ! @page.categories.empty? %>
 <div id="article-cat">
   <h4><%= _('Categories') %></h4>
-    <%= @page.categories.map {|item| link_to_category(item, false) }.join(", ") %>
+    <%= safe_join(@page.categories.map {|item| link_to_category(item, false) }, ", ") %>
 </div>
 <% end %>
  
 <% if !@page.tags.empty? %>
   <div id="article-tags">
-    <%= _("This article's tags:") %>
-    <%= @page.tags.map { |t| link_to(t, :controller => 'profile', :profile => @profile.identifier, :action => 'tags', :id => t.name ) }.join("\n") %>
+    <%= _("This article's tags:").html_safe %>
+    <%= safe_join(@page.tags.map { |t| link_to(t, :controller => 'profile', :profile => @profile.identifier, :action => 'tags', :id => t.name ) }, "\n") %>
   </div>
 <% end %>
  
 <%= display_source_info(@page) %>
  
-<%= @plugins.dispatch(:article_extra_contents, @page).collect { |content| instance_exec(&content) }.join("") %>
+<%= safe_join(@plugins.dispatch(:article_extra_contents, @page).collect { |content| instance_exec(&content) }, "") %>
  
 <% if @page.accept_comments? || @comments_count > 0 %>
   <div class="comments" id="comments_list">
-    <h3 <%= 'class="no-comments-yet"' if @comments_count == 0 %>>
+    <h3 <%= 'class="no-comments-yet"'.html_safe if @comments_count == 0 %>>
       <%= display_number_of_comments(@comments_count) %>
     </h3>
  
@@ -5,5 +5,5 @@
       <li><%= link_to text, link, :target => '_blank' %></li>
     <% end %>
   </ul>
-  <%= @toc.text %>
+  <%= raw @toc.text %>
 </div>
@@ -5,7 +5,7 @@
 <p>
 <%=  _('Here you can enable or disable several features of your environment. Each feature represents some funcionality that your environment can use if you enable it.
  
-Check all the features you want to enable for your environment, uncheck all the ones you don\'t want, and use the <em>"Save changes" button</em> to confirm your changes.') %>
+Check all the features you want to enable for your environment, uncheck all the ones you don\'t want, and use the <em>"Save changes" button</em> to confirm your changes.').html_safe %>
 </p>
  
 <%= labelled_form_for(:environment, :url => {:action => 'update'}) do |f| %>
@@ -7,7 +7,7 @@
           <div class='highlighted-news-item post-<%= index + 1 %>-inner'>
             <h2><%= link_to(h(highlighted.title), highlighted.url, :class => 'post-title') %></h2>
             <span class="post-date"><%= show_date(highlighted.published_at, true) %> </span>
-            <div class='headline'><%= highlighted.lead %></div>
+            <div class='headline'><%= raw highlighted.lead %></div>
             <p class='highlighted-news-read-more'>
               <%= link_to(_('Read more'), highlighted.url) %>
             </p>
@@ -49,7 +49,7 @@
     <% end %>
   <% end %>
 <% else %>
-  <%= environment.description %>
+  <%= environment.description.html_safe %>
 <% end %>
  
 <% if environment.enabled?('search_in_home') %>
@@ -3,12 +3,12 @@
  
 <%= form_tag do %>
  
-  <%= [
+  <%= safe_join([
         radio_button_tag(:import_from, "manual", @import_from == "manual", :onclick => 'hide_invite_friend_login_password()') + content_tag('label', _('Manually (empty field)'), :for => "import_from_manual"),
         radio_button_tag(:import_from, "gmail", @import_from == "gmail", :onclick => 'show_invite_friend_login_password(this.value)') + content_tag('label', 'Gmail', :for => 'import_from_gmail'),
         radio_button_tag(:import_from, "yahoo", @import_from == "yahoo", :onclick => 'show_invite_friend_login_password(this.value)') + content_tag('label', 'Yahoo', :for => "import_from_yahoo"),
         radio_button_tag(:import_from, "hotmail", @import_from == "hotmail", :onclick => 'show_invite_friend_login_password(this.value)') + content_tag('label', 'Hotmail', :for => "import_from_hotmail")
-      ].join("\n<br/>\n") %>
+      ], "\n<br/>\n".html_safe) %>
  
   <script type="text/javascript">
     function hide_invite_friend_login_password() {
@@ -7,22 +7,23 @@
     </span>
   <% else %>
     <span class='not-logged-in'>
-      <%= _("<span class='login'>%s</span>") % modal_inline_link_to('<i class="icon-menu-login"></i><strong>' + _('Login') + '</strong>', login_url, '#inlineLoginBox', :id => 'link_login') %>
-      <%= @plugins.dispatch(:alternative_authentication_link).collect { |content| instance_exec(&content) }.join("") %>
+      <%= usermenu_notlogged_in %>
+      <% @plugins.dispatch(:alternative_authentication_link).collect do |content|%>
+         <%= instance_exec(&content) %> 
+      <%end%>
  
-    <div id='inlineLoginBox' style='display: none;'>
-      <%= render :file => 'account/login', :locals => { :is_popin => true } %>
-    </div>
+      <div id='inlineLoginBox' style='display: none;'>
+        <%= render :file => 'account/login', :locals => { :is_popin => true } %>
+      </div>
  
-    <% unless @plugins.dispatch(:allow_user_registration).include?(false) %>
-      <%= _("<span class='or'>or</span> <span class='signup'>%s</span>") % link_to('<strong>' + _('Sign up') + '</strong>', :controller => 'account', :action => 'signup')%>
-    <% end %>
-
-  </span>
+      <% unless @plugins.dispatch(:allow_user_registration).include?(false) %>
+        <%= usermenu_signup %>
+      <% end %>
+    </span>
   <% end %>
   <form action="/search/articles" id="top-search" class="search_form clean" method="get">
     <input name="query" size="15" title="<%=_('Search...')%>" onfocus="this.form.className='focused';" onblur="this.form.className=''" />
-    <div><%=_('Press <strong>Enter</strong> to send the search query.')%></div>
+    <div><%=_('Press <strong>Enter</strong> to send the search query.').html_safe%></div>
     <%= javascript_tag 'jQuery("#user form input").hint();' %>
   </form>
 </div><!-- end id="user" -->
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<%= html_language %>" lang="<%= html_language %>" class="<%= h html_tag_classes %>">
   <head>
-    <title><%= h page_title %></title>
+    <title><%= h page_title.html_safe %></title>
     <%= yield(:feeds) %>
     <!--<meta http-equiv="refresh" content="1"/>-->
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
@@ -20,24 +20,33 @@
     <%# Add custom tags/styles/etc via content_for %>
     <%= yield :head %>
     <%=
-      @plugins.dispatch(:head_ending).map do |content|
-        if content.respond_to?(:call) then instance_exec(&content).to_s.html_safe else content.to_s.html_safe end
-      end.join("\n")
+      str = (@plugins.dispatch(:head_ending).map do |content|
+              if content.respond_to?(:call) then 
+                instance_exec(&content).to_s
+              else 
+                content.to_s
+              end
+            end)
+      safe_join(str, "\n")
     %>
  
     <script type="text/javascript">
-      DEFAULT_LOADING_MESSAGE = <%="'#{ _('loading...') }'" %>;
-      noosfero.profile = <%= (@profile.identifier if @profile).to_json %>
+      DEFAULT_LOADING_MESSAGE = <%="'#{ _('loading...') }'".html_safe %>;
+      noosfero.profile = <%= (@profile.identifier if @profile).to_json.html_safe %>
     </script>
  
   </head>
   <body class="<%= h body_classes %>">
     <a href="#content" id="link-go-content"><span><%= _("Go to the content") %></span></a>
-
     <%=
-      @plugins.dispatch(:body_beginning).map do |content|
-        if content.respond_to?(:call) then instance_exec(&content).to_s.html_safe else content.to_s.html_safe end
-      end.join("\n")
+      str = (@plugins.dispatch(:body_beginning).map do |content|
+              if content.respond_to?(:call) then 
+                instance_exec(&content).to_s
+              else 
+                content.to_s 
+              end
+            end)
+      safe_join(str, "\n")
     %>
     <div id="global-header">
       <%= global_header %>
@@ -75,9 +84,14 @@
     <%= noosfero_layout_features %>
     <%= addthis_javascript %>
     <%=
-      @plugins.dispatch(:body_ending).map do |content|
-        if content.respond_to?(:call) then instance_exec(&content).html_safe else content.html_safe end
-      end.join("\n")
+      str = (@plugins.dispatch(:body_ending).map do |content|
+              if content.respond_to?(:call) then 
+                instance_exec(&content)
+              else 
+                content
+              end
+            end)
+      safe_join(str, "\n")
     %>
   </body>
 </html>
@@ -16,7 +16,7 @@
   <% if profile.user.enable_email %>
     <h2><%= ('E-mail address') %></h2>
     <ul>
-      <%= profile.email_addresses.map{|i| content_tag('li', i)}.join("\n") %>
+      <%= safe_join(profile.email_addresses.map{|i| content_tag('li', i)}, "\n") %>
     </ul>
     <h2><%= _('Configuration') %></h2>
     <ul>
@@ -31,7 +31,7 @@
   <% else %>
  
     <h2><%= _("Enable e-Mail account below:") %></h2>
-    <ul><%= profile.email_addresses.map{|i| content_tag('li', i)}.join("\n") %></ul>
+    <ul><%= safe_join(profile.email_addresses.map{|i| content_tag('li', i)}, "\n") %></ul>
     <blockquote><%= _("You'll be able to access a webmail from your user menu.") %></blockquote>
     <% button_bar do %>
       <%= button(:ok, _('Enable e-Mail'), { :action => 'enable' }, :method => 'post') %>
@@ -4,7 +4,7 @@
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
   </head>
   <body style="margin: 0">
-    <%= word_wrap(@message) %>
+    <%= raw word_wrap(@message) %>
     <p>
       --<br/>
       <%= @signature_message %><br/>
@@ -14,7 +14,7 @@
     </div>
     <div id='product-extra-content'>
       <% extra_content = @plugins.dispatch(:product_info_extras, @product).collect { |content| instance_exec(&content) } %>
-      <%= extra_content.join("\n") %>
+      <%= safe_join(extra_content, "\n") %>
     </div>
     <div id='product-info'>
       <%= render :partial => 'manage_products/display_info' %>
@@ -34,13 +34,13 @@
   <div style='margin-bottom: 0.5em' id='community-join-before'>
     <%= radio_button 'community', 'closed', 'true', :style => 'float: left' %>
     <div style='margin-left: 30px'>
-      <%= _('<strong>Before</strong> joining this group (a moderator has to accept the member in pending request before member can access the intranet and/or the website).') %>
+      <%= _('<strong>Before</strong> joining this group (a moderator has to accept the member in pending request before member can access the intranet and/or the website).').html_safe %>
     </div>
   </div>
   <div id='community-join-after'>
     <%= radio_button 'community', 'closed', 'false', :style => 'float: left' %>
     <div style='margin-left: 30px'>
-      <%= _('<strong>After</strong> joining this group (a moderator can always desactivate access for users later).') %>
+      <%= _('<strong>After</strong> joining this group (a moderator can always desactivate access for users later).').html_safe %>
     </div>
   </div>
  
@@ -2,7 +2,7 @@
  
 <%= _("You have %d pending task(s).") % @tasks.size %>
  
-<%= @tasks.map{|i| " * #{i.description}"}.join("\n") %>
+<%= safe_join(@tasks.map{|i| " * #{i.description}"}, "\n") %>
  
 <%= _("Click in address below to process task(s):") %>
  
@@ -11,7 +11,7 @@
 <% pending_tasks = @person.pending_tasks_for_organization(organization) %>
 <%= _("%s has %d pending task(s).") % [organization.name, pending_tasks.size] %>
  
-<%= pending_tasks.map{|i| " * #{i.information}"}.join("\n") %>
+<%= safe_join(pending_tasks.map{|i| " * #{i.information}"}, "\n") %>
  
 <%= _("Click in address below to process task(s):") %>
  
@@ -20,6 +20,6 @@
   <%= pagination_links @tagged, :param_name => 'npage' %>
  
   <div>
-    <%= link_to _('See content tagged with "%s" in the entire site') % escaped_tag, :controller => 'search', :action => 'tag', :tag => @tag %>
+    <%= link_to (_('See content tagged with "%s" in the entire site') % escaped_tag).html_safe, :controller => 'search', :action => 'tag', :tag => @tag %>
   </div>
 <% end %>
@@ -5,7 +5,7 @@
 <% else %>
   <% unless profile.description.blank? %>
     <div class='public-profile-description'>
-      <%= profile.description %>
+      <%= raw profile.description %>
     </div>
   <% end %>
   <div id='public-profile-search'>
@@ -34,13 +34,13 @@
   <div style='margin-bottom: 0.5em'>
     <%= radio_button 'profile_data', 'closed', 'true', :style => 'float: left' %>
     <div style='margin-left: 30px'>
-      <%= _('<strong>Before</strong> joining this group (a moderator has to accept the member in pending request before member can access the intranet and/or the website).') %>
+      <%= _('<strong>Before</strong> joining this group (a moderator has to accept the member in pending request before member can access the intranet and/or the website).').html_safe %>
     </div>
   </div>
   <div>
     <%= radio_button 'profile_data', 'closed', 'false', :style => 'float: left' %>
     <div style='margin-left: 30px'>
-      <%= _('<strong>After</strong> joining this group (a moderator can always desactivate access for users later).') %>
+      <%= _('<strong>After</strong> joining this group (a moderator can always desactivate access for users later).').html_safe %>
     </div>
   </div>
   <br>
@@ -52,13 +52,13 @@
 <div style='margin-bottom: 0.5em'>
   <%= radio_button 'profile_data', 'moderated_articles', 'true', :style => 'float: left' %>
   <div style='margin-left: 30px'>
-    <%= _('<strong>Before</strong> being published in this group (a moderator has to accept the article in pending request before the article be listed as a article of this group).') %>
+    <%= _('<strong>Before</strong> being published in this group (a moderator has to accept the article in pending request before the article be listed as a article of this group).').html_safe %>
   </div>
 </div>
 <div>
   <%= radio_button 'profile_data', 'moderated_articles', 'false', :style => 'float: left' %>
   <div style='margin-left: 30px'>
-    <%= _('<strong>After</strong> being published in this group (a moderator can always remove publicated articles later).') %>
+    <%= _('<strong>After</strong> being published in this group (a moderator can always remove publicated articles later).').html_safe %>
   </div>
 </div>
  
@@ -4,7 +4,7 @@
  
   <%= required f.text_field(:name) %>
  
-  <%= @plugins.dispatch(:profile_info_extra_contents).collect { |content| instance_exec(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:profile_info_extra_contents).collect { |content| instance_exec(&content) }, "") %>
  
 <% if @environment.enabled?('enable_organization_url_change') %>
   <script type="text/javascript">
@@ -41,7 +41,7 @@
     <div id="profile-identifier-formitem">
       <%= required labelled_form_field( _('Address'),
             content_tag('code',
-              url_for(profile.url).gsub(/#{profile.identifier}$/, '') +
+              url_for(profile.url).gsub(/#{profile.identifier}$/, '').html_safe +
               text_field(:profile_data, :identifier, :onchange => "warn_value_change()", :size => 25)
             ) +
             content_tag('div',
@@ -4,7 +4,7 @@
   <div class='pending-tasks'>
     <h2><%= _('You have pending requests') %></h2>
     <ul>
-      <%= @pending_tasks.map {|task| content_tag('li', task_information(task))}.join %>
+      <%= safe_join(@pending_tasks.map {|task| content_tag('li', task_information(task))}) %>
     </ul>
     <%= button(:todo, _('Process requests'), :controller => 'tasks', :action => 'index') %>
   </div>
@@ -16,7 +16,7 @@
     </div>
   </div>
  
-  <%= @plugins.dispatch(:profile_info_extra_contents).collect { |content| instance_exec(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:profile_info_extra_contents).collect { |content| instance_exec(&content) }, "") %>
  
   <div class="formfieldline">
     <%= label_tag("private_token", _("Private Token")) %>
@@ -26,20 +26,20 @@
  
   <% if profile.person? %>
     <div>
-      <%= labelled_radio_button _('Public &mdash; show my contents to all internet users'), 'profile_data[public_profile]', true, @profile.public_profile? %>
+      <%= labelled_radio_button _('Public &mdash; show my contents to all internet users').html_safe, 'profile_data[public_profile]', true, @profile.public_profile? %>
     </div>
     <div>
-      <%= labelled_radio_button _('Private &mdash; show my contents only to friends'), 'profile_data[public_profile]', false, !@profile.public_profile? %>
+      <%= labelled_radio_button _('Private &mdash; show my contents only to friends').html_safe, 'profile_data[public_profile]', false, !@profile.public_profile? %>
     </div>
   <% else %>
     <div>
-      <%= labelled_check_box _("Secret &mdash; hide the community and all its contents for non members and other people can't join this community unless they are invited to."), 'profile_data[secret]', true, profile.secret, :class => "profile-secret-box" %>
+      <%= labelled_check_box _("Secret &mdash; hide the community and all its contents for non members and other people can't join this community unless they are invited to.").html_safe, 'profile_data[secret]', true, profile.secret, :class => "profile-secret-box" %>
     </div>
     <div>
-      <%= labelled_radio_button _('Public &mdash; show content of this group to all internet users'), 'profile_data[public_profile]', true, @profile.public_profile?, :class => "public-community-button" %>
+      <%= labelled_radio_button _('Public &mdash; show content of this group to all internet users').html_safe, 'profile_data[public_profile]', true, @profile.public_profile?, :class => "public-community-button" %>
     </div>
     <div>
-      <%= labelled_radio_button _('Private &mdash; show content of this group only to members'), 'profile_data[public_profile]', false, !@profile.public_profile?, :class => "private-community-button" %>
+      <%= labelled_radio_button _('Private &mdash; show content of this group only to members').html_safe, 'profile_data[public_profile]', false, !@profile.public_profile?, :class => "private-community-button" %>
     </div>
   <% end %>
  
@@ -60,9 +60,9 @@
   )%>
  
   <%=
-    @plugins.dispatch(:profile_editor_extras).map do |content|
+    safe_join(@plugins.dispatch(:profile_editor_extras).map do |content|
       content.kind_of?(Proc) ? self.instance_exec(&content) : content
-    end.join("\n")
+    end, "\n")
   %>
  
   <%= select_categories(:profile_data, _('Select the categories of your interest'), 2) %>
@@ -7,7 +7,7 @@
  
         <p><%= _('Roles:') %> </p>
         <% @data[:roles].each do |r| %>
-          <%= labelled_check_box(r.name, 'filters[roles][]', r.id, @filters[:roles].include?(r.id.to_s), :add_hidden => false) %><br/>
+          <%= raw labelled_check_box(r.name, 'filters[roles][]', r.id, @filters[:roles].include?(r.id.to_s), :add_hidden => false) %><br/>
         <% end %>
         <p>
           <%= submit_button(:search, _('Search')) %>
@@ -2,7 +2,7 @@
  
 <div class="search-article-author-changes">
   <% if article.last_changed_by and article.last_changed_by != article.profile %>
-    <span><%= _('Updated by %{name} at %{date}') % {:name => link_to(article.last_changed_by.name, article.last_changed_by.url),
+    <span><%= _('Updated by %{name} at %{date}').html_safe % {:name => link_to(article.last_changed_by.name, article.last_changed_by.url),
       :date => show_date(article.updated_at) } %></span>
   <% else %>
     <span><%= _('Last update: %s.') % show_date(article.updated_at) %></span>
 <% extra_content = @plugins.dispatch(:asset_product_extras, product).collect { |content| instance_exec(&content) } %>
-<% extra_properties = @plugins.dispatch(:asset_product_properties, product)%>
+<% extra_properties = @plugins.dispatch(:asset_product_properties, product) %>
  
 <li class="search-product-item <%= 'highlighted' if product.highlighted? %>">
  
@@ -77,9 +77,9 @@
  
   <div style="clear: both"></div>
  
-  <%= extra_content.join('\n') %>
+  <%= safe_join(extra_content, '\n') %>
   <% extra_properties.each do |property| %>
-    <div><%= property[:name] + ': ' + instance_exec(&property[:content]) %></div>
+    <div><%= ''.html_safe + property[:name] + ': ' + instance_exec(&property[:content]) %></div>
   <% end %>
  
 </li>
 <h2>
-  <%= _('Tagged with "%s"') % content_tag('code', @tag) %>
+  <%= _('Tagged with "%s"').html_safe % content_tag('code', @tag) %>
 </h2>
  
 <% button_bar do %>
@@ -6,9 +6,9 @@
       </div>
       <span class='profile-details'>
         <strong><%= group.name %></strong><br/>
-        <%= _('Role: %s') % rolename_for(profile, group) + '<br/>' if profile.role_assignments.find_by(resource_id: group.id) %>
+        <%= raw _('Role: %s') % rolename_for(profile, group) + '<br/>' if profile.role_assignments.find_by(resource_id: group.id) %>
         <%= _('Type: %s') % _(group.class.identification) %> <br/>
-        <%= _('Description: %s') % group.description  + '<br/>' if group.community? %>
+        <%= raw _('Description: %s') % group.description  + '<br/>' if group.community? %>
         <%= _('Members: %s') % group.members_count.to_s %> <br/>
         <%= _('Created at: %s') % show_date(group.created_at) unless group.enterprise? %> <br/>
         <% button_bar do %>
 <%= content = _("Roles:")+"<br />"
 roles = Profile::Roles.organization_member_roles(task.target.environment.id) + profile.custom_roles
 roles.each do |role|
-  content += labelled_check_box(role.name, "tasks[#{task.id}][task][roles][]", role.id, false)+"<br />"
+  content += labelled_check_box(role.name, "tasks[#{task.id}][task][roles][]", role.id, false) + "<br />".html_safe
 end
-content_tag('p', content, :class => 'member-classify-suggestion')
+content_tag('p', content.html_safe, :class => 'member-classify-suggestion').html_safe
 %>
@@ -3,7 +3,7 @@
   if icon_info[:type] == :profile_image
     icon = profile_image(icon_info[:profile], :minor)
   elsif icon_info[:type] == :defined_image
-    icon = "<img src='#{icon_info[:src]}' alt='#{icon_info[:name]}' />"
+    icon = "<img src='#{icon_info[:src]}' alt='#{icon_info[:name]}' />".html_safe
   end
  
   if icon_info[:url]
@@ -3,7 +3,7 @@
 <ul>
   <% @tasks.each do |task| %>
     <li>
-      <strong><%= task.respond_to?(:title) ? link_to( task.title, :action => 'ticket_details', :id => task.id) : task.information %></strong><br/>
+      <strong><%= task.respond_to?(:title) ? link_to( task.title, :action => 'ticket_details', :id => task.id).html_safe : task.information %></strong><br/>
       <small>
         <%= _('Created:') + ' ' + show_date(task.created_at) %>
         &nbsp; &#151; &nbsp;
@@ -1,10 +0,0 @@
-#From: https://github.com/coletivoEITA/noosfero-ecosol/blob/57908cde4fe65dfe22298a8a7f6db5dba1e7cc75/config/initializers/html_safe.rb
-
-# Disable Rails html autoescaping. This is due to noosfero using too much helpers/models to output html.
-# It it would change too much code and make it hard to maintain.
-# FIXME THIS IS SO WRONG
-class Object
-  def html_safe?
-    true
-  end
-end
@@ -611,7 +611,7 @@ class Noosfero::Plugin
   end
  
   # -> Perform extra transactions related to profile in profile editor
-  # returns = true in success or raise and exception if it could not update the data
+  # returns = true in success or raise an exception if it could not update the data
   def profile_editor_transaction_extras
     nil
   end
@@ -49,7 +49,7 @@ class BreadcrumbsPlugin::ContentBreadcrumbsBlock &lt; Block
  
   def content(args={})
     block = self
-    proc do
+    ret = (proc do
       trail = block.trail(@page, @profile, params)
       if !trail.empty?
         separator = content_tag('span', ' > ', :class => 'separator')
@@ -63,11 +63,12 @@ class BreadcrumbsPlugin::ContentBreadcrumbsBlock &lt; Block
           breadcrumb << content_tag('div', section_name, :class => 'section-name')
         end
  
-        breadcrumb
+        breadcrumb.html_safe
       else
         ''
       end
-    end
+    end)
+    ret
   end
  
   def cacheable?
@@ -23,7 +23,7 @@
       <%= link_to(
             content_tag('span','',:class => 'community-block-button icon-arrow'),
             '#',
-            :onclick => "toggleSubmenu(this,'',#{CGI::escapeHTML(links.to_json)}); return false;",
+            :onclick => "toggleSubmenu(this,'',#{CGI::escapeHTML(links.to_json)}); return false;".html_safe,
             :class => 'simplemenu-trigger') %>
  
       <% end %>
@@ -86,15 +86,16 @@ class ContextContentPlugin::ContextContentBlock &lt; Block
  
   def content(args={})
     block = self
-    proc do
+    ret = proc do
       contents = block.contents(@page)
       parent_title = block.parent_title(contents)
-      if !contents.blank?
+      if contents.present?
         render(:file => 'blocks/context_content', :locals => {:block => block, :contents => contents, :parent_title => parent_title})
       else
         ''
       end
     end
+    ret
   end
  
   def cacheable?
@@ -6,9 +6,9 @@
 <% if @submission.id.nil? %>
   <% if @form.expired? %>
     <% if @form.will_open? %>
-      <h2><%= _('Sorry, you can\'t fill this form yet') %></h2>
+      <h2><%= _('Sorry, you can\'t fill this form yet').html_safe %></h2>
     <% else %>
-      <h2><%= _('Sorry, you can\'t fill this form anymore') %></h2>
+      <h2><%= _('Sorry, you can\'t fill this form anymore').html_safe %></h2>
     <% end %>
   <% end %>
  
@@ -177,9 +177,9 @@ class DisplayContentBlock &lt; Block
  
           content_sections += read_more_section if !read_more_section.blank?
 #raise sections.inspect
-          content_tag('li', content_sections)
+          content_tag('li', content_sections.html_safe)
         end
-      }.join(" "))
+      }.join(" ").html_safe)
     end
   end
  
@@ -3,11 +3,11 @@
   ev_days_tag = ''
   if event.duration > 1
     ev_days_tag = content_tag('time',
-      n_('Duration: 1 day', 'Duration: %s days', event.duration) % "<b>#{event.duration}</b>",
+      n_('Duration: 1 day', 'Duration: %s days', event.duration).html_safe % "<b>#{event.duration}</b>".html_safe,
       :itemprop => 'endDate',
       :datetime => show_date(event.end_date) + 'T00:00',
       :class => 'duration',
-      :title => show_date(event.start_date) + ' &mdash; ' + time_left_str
+      :title => (show_date(event.start_date) + ' &mdash; ' + time_left_str).html_safe
     )
   end
  
@@ -16,7 +16,7 @@
   img_class = img.blank? ? 'no-img' : 'has-img'
 %>
 <%=
-  link_to([
+  link_to(safe_join([
       content_tag('time',
         block.date_to_html(event.start_date),
         :itemprop => 'startDate',
@@ -33,7 +33,7 @@
                   :itemtype => 'http://schema.org/Place',
                   :itemprop => :location),
       content_tag('span', time_left_str, :class => 'days-left ' + time_class)
-    ].join("\n"),
+    ], "\n"),
     (event.link.blank? ? event.url : event.link),
     :class => 'ev-days-' + event.duration.to_s,
     :itemprop => :url
@@ -55,7 +55,7 @@ class MetadataPlugin::Base &lt; Noosfero::Plugin
           end
         end
       end
-      r.join
+      safe_join(r)
     end
   end
  
@@ -110,11 +110,11 @@ class NewsletterPlugin::Newsletter &lt; ApplicationRecord
   include DatesHelper
  
   def message_to_public_link
-    content_tag(:p, _("If you can't view this email, %s.") % link_to(_('click here'), '{mailing_url}'), :id => 'newsletter-public-link')
+    content_tag(:p, (_("If you can't view this email, %s.") % link_to(_('click here'), '{mailing_url}')).html_safe, :id => 'newsletter-public-link').html_safe
   end
  
   def message_to_unsubscribe
-    content_tag(:div, _("This is an automatically generated email, please do not reply. If you do not wish to receive future newsletter emails, %s.") % link_to(_("cancel your subscription here"), self.unsubscribe_url, :style => CSS['public-link']), :style => CSS['newsletter-unsubscribe'], :id => 'newsletter-unsubscribe')
+    content_tag(:div, _("This is an automatically generated email, please do not reply. If you do not wish to receive future newsletter emails, %s.").html_safe % link_to(_("cancel your subscription here"), self.unsubscribe_url, :style => CSS['public-link']), :style => CSS['newsletter-unsubscribe'], :id => 'newsletter-unsubscribe').html_safe
   end
  
   def read_more(link_address)
@@ -130,13 +130,13 @@ class NewsletterPlugin::Newsletter &lt; ApplicationRecord
   end
  
   def body(data = {})
-    content_tag(:div, content_tag(:div, message_to_public_link, :style => CSS['newsletter-public-link'])+content_tag(:table,(self.image.nil? ? '' : content_tag(:tr, content_tag(:th, tag(:img, :src => "#{self.environment.top_url}#{self.image.public_filename}", :style => CSS['header-image']),:colspan => 2),:style => CSS['newsletter-header']))+self.posts(data).map do |post|
+    content_tag(:div, content_tag(:div, message_to_public_link, :style => CSS['newsletter-public-link']).html_safe+content_tag(:table,(self.image.nil? ? '' : content_tag(:tr, content_tag(:th, tag(:img, :src => "#{self.environment.top_url}#{self.image.public_filename}", :style => CSS['header-image']),:colspan => 2),:style => CSS['newsletter-header'])).html_safe+self.posts(data).map do |post|
         if post.image
           post_with_image(post)
         else
           post_without_image(post)
         end
-      end.join()+content_tag(:tr, content_tag(:td, self.footer, :colspan => 2)),:style => CSS['breakingnews'])+content_tag(:div,message_to_unsubscribe, :style => CSS['newsletter-unsubscribe']),:style => CSS['breakingnews-wrap'])
+      end.join().html_safe+content_tag(:tr, content_tag(:td, self.footer, :colspan => 2)),:style => CSS['breakingnews']).html_safe+content_tag(:div,message_to_unsubscribe, :style => CSS['newsletter-unsubscribe']),:style => CSS['breakingnews-wrap']).html_safe
   end
  
   def default_subject
@@ -15,7 +15,7 @@
             <%= show_date(headline.published_at) %>
           </div>
           <div class='tags'>
-            <%= headline.tags.map { |t| link_to(t, :controller => 'profile', :profile => member.identifier, :action => 'tags', :id => t.name ) }.join("\n") %>
+            <%= safe_join(headline.tags.map { |t| link_to(t, :controller => 'profile', :profile => member.identifier, :action => 'tags', :id => t.name ) }, "\n") %>
           </div>
         </div>
       </div>
@@ -83,7 +83,7 @@ class RelevantContentPlugin::RelevantContentBlock &lt; Block
         end
       end
     end
-    return content
+    return content.html_safe
   end
  
   def timeout
@@ -17,7 +17,7 @@ class RequireAuthToCommentPlugin &lt; Noosfero::Plugin
   end
  
   def profile_editor_extras
-    expanded_template('profile-editor-extras.html.erb')
+    expanded_template('profile-editor-extras.html.erb').html_safe
   end
  
   def stylesheet?
@@ -6,11 +6,11 @@
 <script>
   jQuery( document ).ready(function( $ ) {
     <% actions.each_with_index do |action, index| %>
-      <%= "siteTourPlugin.add('#{j action[:group_name]}', '#{j action[:selector]}', '#{j parse_tour_description(action[:description])}', #{index + 1});" %>
+      <%= raw "siteTourPlugin.add('#{j action[:group_name]}', '#{j action[:selector]}', '#{j parse_tour_description(action[:description])}', #{index + 1});" %>
     <% end %>
  
     <% (group_triggers||[]).each do |group| %>
-      <%= "siteTourPlugin.addGroupTrigger('#{j group[:group_name]}', '#{j group[:selector]}', '#{j group[:event]}');" %>
+      <%= "siteTourPlugin.addGroupTrigger('#{j group[:group_name]}', '#{j group[:selector]}', '#{j group[:event]}');".html_safe %>
     <% end %>
  
     siteTourPlugin.setOption('nextLabel', '<%= _('Next') %>');
@@ -46,8 +46,8 @@
   var currentProfile = <%= filter_visible_attr_profile(profile).to_json %>;
   sniffer.search.map.load({
     "zoom": <%= GoogleMaps.initial_zoom.to_json %>,
-    "balloonUrl": <%= url_for(:controller => :sniffer_plugin_myprofile, :action => :map_balloon, :id => "_id_", :escape => false).to_json %>,
-    "myBalloonUrl": <%= url_for(:controller => :sniffer_plugin_myprofile, :action => :my_map_balloon, :escape => false).to_json %>,
+    "balloonUrl": <%= raw url_for(:controller => :sniffer_plugin_myprofile, :action => :map_balloon, :id => "_id_", :escape => false).to_json %>,
+    "myBalloonUrl": <%= raw url_for(:controller => :sniffer_plugin_myprofile, :action => :my_map_balloon, :escape => false).to_json %>,
     "profiles": <%=
       @profiles_data.map do |id, profile_data|
         data = filter_visible_attr_profile(profile_data[:profile])
@@ -55,7 +55,7 @@
         data[:suppliersProducts] = filter_visible_attr_suppliers_products(profile_data[:suppliers_products])
         data[:icon] = profile_data[:profile][:icon]
         data
-      end.to_json
+      end.to_json.html_safe
     %>
   });
 </script>
@@ -3,7 +3,7 @@
     <%= link_to _('Manual'), '/doc', id: "link-to-doc", class: 'icon-help' %>
   </div><!-- end id="footer-links" -->
   <div id="copyright">
-    <p><%= _('This social network uses <a href="http://noosfero.org/">Noosfero</a>, developed by %s and licensed under the <a href="http://www.gnu.org/licenses/agpl.html">GNU Affero General Public License</a> version 3 or any later version.') % link_to('Colivre', 'http://colivre.coop.br/') %></p>
+    <p><%= (_('This social network uses <a href="http://noosfero.org/">Noosfero</a>, developed by %s and licensed under the <a href="http://www.gnu.org/licenses/agpl.html">GNU Affero General Public License</a> version 3 or any later version.') % link_to('Colivre', 'http://colivre.coop.br/')).html_safe %></p>
   </div><!-- end id="copyright" -->
   <%= language_chooser(environment) %>
 </div>
 <div id="footer-content">
-  <p><%= _('This site uses <a href="http://noosfero.org/">Noosfero</a>, developed by %s and licensed under the <a href="http://www.gnu.org/licenses/agpl.html">GNU Affero General Public License</a> version 3 or any later version.') % link_to('Colivre', 'http://colivre.coop.br/') %></p>
+  <p><%= _('This site uses <a href="http://noosfero.org/">Noosfero</a>, developed by %s and licensed under the <a href="http://www.gnu.org/licenses/agpl.html">GNU Affero General Public License</a> version 3 or any later version.') % link_to('Colivre', 'http://colivre.coop.br/').html_safe %></p>
 </div>
...	...	@@ -108,7 +108,7 @@ class CmsController < MyProfileController
108	108	end
109	109
110	110	def new
111		- # FIXME this method should share some logic wirh edit !!!
	111	+ # FIXME this method should share some logic with edit !!!
112	112
113	113	@success_back_to = params[:success_back_to]
114	114	# user must choose an article type first
...	...	@@ -365,7 +365,7 @@ class CmsController < MyProfileController
365	365	def search
366	366	query = params[:q]
367	367	results = find_by_contents(:uploaded_files, profile, profile.files.published, query)[:results]
368		- render :text => article_list_to_json(results), :content_type => 'application/json'
	368	+ render :text => article_list_to_json(results).html_safe, :content_type => 'application/json'
369	369	end
370	370
371	371	def search_article_privacy_exceptions
...	...
...	...	@@ -29,6 +29,7 @@ class ProfileEditorController < MyProfileController
29	29	Image.transaction do
30	30	begin
31	31	@plugins.dispatch(:profile_editor_transaction_extras)
	32	+ # TODO: This is unsafe! Add sanitizer
32	33	@profile_data.update!(params[:profile_data])
33	34	redirect_to :action => 'index', :profile => profile.identifier
34	35	rescue Exception => ex
...	...
...	...	@@ -5,22 +5,22 @@ module ActionTrackerHelper
5	5	end
6	6
7	7	def new_friendship_description ta
8		- n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size) % {
	8	+ n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size).html_safe % {
9	9	num: ta.get_friend_name.size,
10		- name: ta.collect_group_with_index(:friend_name) do \|n,i\|
	10	+ name: safe_join(ta.collect_group_with_index(:friend_name) do \|n,i\|
11	11	link_to image_tag(ta.get_friend_profile_custom_icon[i] \|\| default_or_themed_icon("/images/icons-app/person-icon.png")),
12	12	ta.get_friend_url[i], title: n
13		- end.join
	13	+ end)
14	14	}
15	15	end
16	16
17	17	def join_community_description ta
18		- n_('has joined 1 community:<br />%{name}', 'has joined %{num} communities:<br />%{name}', ta.get_resource_name.size) % {
	18	+ n_('has joined 1 community:<br />%{name}'.html_safe, 'has joined %{num} communities:<br />%{name}'.html_safe, ta.get_resource_name.size) % {
19	19	num: ta.get_resource_name.size,
20	20	name: ta.collect_group_with_index(:resource_name) do \|n,i\|
21		- link_to image_tag(ta.get_resource_profile_custom_icon[i] \|\| default_or_themed_icon("/images/icons-app/community-icon.png")),
	21	+ link = link_to image_tag(ta.get_resource_profile_custom_icon[i] \|\| default_or_themed_icon("/images/icons-app/community-icon.png")),
22	22	ta.get_resource_url[i], title: n
23		- end.join
	23	+ end.join.html_safe
24	24	}
25	25	end
26	26
...	...
...	...	@@ -99,7 +99,6 @@ module ApplicationHelper
99	99	#
100	100	# TODO: implement correcly the 'Help' button click
101	101	def help(content = nil, link_name = nil, options = {}, &block)
102		-
103	102	link_name \|\|= _('Help')
104	103
105	104	@help_message_id \|\|= 1
...	...	@@ -122,7 +121,7 @@ module ApplicationHelper
122	121	button = link_to_function(content_tag('span', link_name), "Element.show('#{help_id}')", options )
123	122	close_button = content_tag("div", link_to_function(_("Close"), "Element.hide('#{help_id}')", :class => 'close_help_button'))
124	123
125		- text = content_tag('div', button + content_tag('div', content_tag('div', content) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
	124	+ text = content_tag('div', button + content_tag('div', content_tag('div', content.html_safe) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
126	125
127	126	unless block.nil?
128	127	concat(text)
...	...	@@ -362,8 +361,8 @@ module ApplicationHelper
362	361	def popover_menu(title,menu_title,links,html_options={})
363	362	html_options[:class] = "" unless html_options[:class]
364	363	html_options[:class] << " menu-submenu-trigger"
365		- html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false"
366	364
	365	+ html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false".html_safe
367	366	link_to(content_tag(:span, title), '#', html_options)
368	367	end
369	368
...	...	@@ -473,9 +472,9 @@ module ApplicationHelper
473	472	map(&:role)
474	473	names = []
475	474	roles.each do \|role\|
476		- names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}")
	475	+ names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}").html_safe
477	476	end
478		- names.join(', ')
	477	+ safe_join(names, ', ')
479	478	end
480	479
481	480	def role_color(role, env_id)
...	...	@@ -911,7 +910,8 @@ module ApplicationHelper
911	910	end
912	911
913	912	def admin_link
914		- user.is_admin?(environment) ? link_to('<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>', environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
	913	+ admin_icon = '<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>'
	914	+ user.is_admin?(environment) ? link_to(admin_icon.html_safe, environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
915	915	end
916	916
917	917	def usermenu_logged_in
...	...	@@ -920,23 +920,39 @@ module ApplicationHelper
920	920	if count > 0
921	921	pending_tasks_count = link_to(count.to_s, user.tasks_url, :id => 'pending-tasks-count', :title => _("Manage your pending tasks"))
922	922	end
	923	+ user_identifier = "<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>"
	924	+ welcome_link = link_to(user_identifier.html_safe, user.public_profile_url, :id => "homepage-link", :title => _('Go to your homepage'))
	925	+ welcome_span = _("<span class='welcome'>Welcome,</span> %s") % welcome_link.html_safe
	926	+ ctrl_panel_icon = '<i class="icon-menu-ctrl-panel"></i>'
	927	+ ctrl_panel_section = '<strong>' + ctrl_panel_icon + _('Control panel') + '</strong>'
	928	+ ctrl_panel_link = link_to(ctrl_panel_section.html_safe, user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content"))
	929	+ logout_icon = '<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>'
	930	+ logout_link = link_to(logout_icon.html_safe, { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
	931	+ join_result = safe_join(
	932	+ [welcome_span.html_safe, render_environment_features(:usermenu).html_safe, admin_link.html_safe,
	933	+ manage_enterprises.html_safe, manage_communities.html_safe, ctrl_panel_link.html_safe,
	934	+ pending_tasks_count.html_safe, logout_link.html_safe], "")
	935	+ join_result
	936	+ end
923	937
924		- (_("<span class='welcome'>Welcome,</span> %s") % link_to("<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>", user.url, :id => "homepage-link", :title => _('Go to your homepage'))) +
925		- render_environment_features(:usermenu) +
926		- admin_link +
927		- manage_enterprises +
928		- manage_communities +
929		- link_to('<i class="icon-menu-ctrl-panel"></i><strong>' + _('Control panel') + '</strong>', user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content")) +
930		- pending_tasks_count +
931		- link_to('<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>', { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
	938	+ def usermenu_notlogged_in
	939	+ login_str = '<i class="icon-menu-login"></i><strong>' + _('Login') + '</strong>'
	940	+ ret = _("<span class='login'>%s</span>") % modal_inline_link_to(login_str.html_safe, login_url, '#inlineLoginBox', :id => 'link_login')
	941	+ return ret.html_safe
932	942	end
933	943
	944	+ def usermenu_signup
	945	+ signup_str = '<strong>' + _('Sign up') + '</strong>'
	946	+ ret = _("<span class='or'>or</span> <span class='signup'>%s</span>") % link_to(signup_str.html_safe, :controller => 'account', :action => 'signup')
	947	+ return ret.html_safe
	948	+
	949	+ end
934	950	def limited_text_area(object_name, method, limit, text_area_id, options = {})
935		- content_tag(:div, [
	951	+ content_tag(:div, safe_join([
936	952	text_area(object_name, method, { :id => text_area_id, :onkeyup => "limited_text_area('#{text_area_id}', #{limit})" }.merge(options)),
937	953	content_tag(:p, content_tag(:span, limit) + ' ' + _(' characters left'), :id => text_area_id + '_left'),
938	954	content_tag(:p, _('Limit of characters reached'), :id => text_area_id + '_limit', :style => 'display: none')
939		- ].join, :class => 'limited-text-area')
	955	+ ]), :class => 'limited-text-area')
940	956	end
941	957
942	958	def expandable_text_area(object_name, method, text_area_id, options = {})
...	...	@@ -1032,8 +1048,8 @@ module ApplicationHelper
1032	1048	end
1033	1049
1034	1050	def render_tabs(tabs)
1035		- titles = tabs.inject(''){ \|result, tab\| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
1036		- contents = tabs.inject(''){ \|result, tab\| result << content_tag(:div, tab[:content], :id => tab[:id]) }
	1051	+ titles = tabs.inject(''.html_safe){ \|result, tab\| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
	1052	+ contents = tabs.inject(''.html_safe){ \|result, tab\| result << content_tag(:div, tab[:content], :id => tab[:id]) }
1037	1053
1038	1054	content_tag(:div, content_tag(:ul, titles) + raw(contents), :class => 'ui-tabs')
1039	1055	end
...	...	@@ -1051,7 +1067,7 @@ module ApplicationHelper
1051	1067	def expirable_link_to(expired, content, url, options = {})
1052	1068	if expired
1053	1069	options[:class] = (options[:class] \|\| '') + ' disabled'
1054		- content_tag('a', ' '+content_tag('span', content), options)
	1070	+ content_tag('a', ' '.html_safe+content_tag('span', content), options)
1055	1071	else
1056	1072	if options[:modal]
1057	1073	options.delete(:modal)
...	...	@@ -1084,7 +1100,7 @@ module ApplicationHelper
1084	1100
1085	1101	radios = templates.map do \|template\|
1086	1102	content_tag('li', labelled_radio_button(link_to(template.name, template.url, :target => '_blank'), "#{field_name}[template_id]", template.id, environment.is_default_template?(template)))
1087		- end.join("\n")
	1103	+ end.join("\n").html_safe
1088	1104
1089	1105	content_tag('div', content_tag('label', _('Profile organization'), :for => 'template-options', :class => 'formlabel') +
1090	1106	content_tag('p', _('Your profile will be created according to the selected template. Click on the options to view them.'), :style => 'margin: 5px 15px;padding: 0px 10px;') +
...	...	@@ -1124,7 +1140,7 @@ module ApplicationHelper
1124	1140	content_tag(:div, :class => 'errorExplanation', :id => 'errorExplanation') do
1125	1141	content_tag(:h2, _('Errors while saving')) +
1126	1142	content_tag(:ul) do
1127		- errors.map { \|err\| content_tag(:li, err) }.join
	1143	+ safe_join(errors.map { \|err\| content_tag(:li, err) })
1128	1144	end
1129	1145	end
1130	1146	end
...	...	@@ -1234,6 +1250,7 @@ module ApplicationHelper
1234	1250	:href=>"#",
1235	1251	:title=>_("Exit full screen mode")
1236	1252	})
	1253	+ content.html_safe
1237	1254	end
1238	1255
1239	1256	end
...	...
...	...	@@ -3,13 +3,13 @@ module BlockHelper
3	3	def block_title(title, subtitle=nil)
4	4	block_header = block_heading title
5	5	block_header += block_heading(subtitle, 'h4') if subtitle
6		- content_tag 'div', block_header, :class => 'block-header'
	6	+ content_tag('div', block_header, :class => 'block-header').html_safe
7	7	end
8	8
9	9	def block_heading(title, heading='h3')
10	10	tag_class = 'block-' + (heading == 'h3' ? 'title' : 'subtitle')
11	11	tag_class += ' empty' if title.empty?
12		- content_tag heading, content_tag('span', h(title)), :class => tag_class
	12	+ content_tag heading, content_tag('span', h(title)), :class => tag_class.html_safe
13	13	end
14	14
15	15	def highlights_block_config_image_fields(block, image={}, row_number=nil)
...	...
...	...	@@ -41,12 +41,12 @@ module BlogHelper
41	41	css_add << position
42	42	content << (content_tag 'div', id: "post-#{art.id}", class: css_add do
43	43	content_tag 'div', class: position + '-inner blog-post-inner' do
44		- display_post(art, conf[:format]).html_safe +
45		- '<br style="clear:both"/>'.html_safe
	44	+ display_post(art, conf[:format]) +
	45	+ '<br style="clear:both"/>'
46	46	end
47		- end)
	47	+ end).html_safe
48	48	}
49		- content.join("\n<hr class='sep-posts'/>\n") + (pagination or '')
	49	+ safe_join(content, "\n<hr class='sep-posts'/>\n") + (pagination or '').html_safe
50	50	end
51	51
52	52	def display_post(article, format = 'full')
...	...	@@ -61,7 +61,8 @@ module BlogHelper
61	61	else
62	62	'<div class="post-pic" style="background-image:url('+img+')"></div>'
63	63	end
64		- end.to_s + title + html
	64	+ end.to_s.html_safe +
	65	+ title.html_safe + html
65	66	end
66	67
67	68	def display_compact_format(article)
...	...
...	...	@@ -38,7 +38,7 @@ module BoxOrganizerHelper
38	38	content_tag(:ul,
39	39	images_path.map do \|preview\|
40	40	content_tag(:li, image_tag(preview, height: '240', alt: ''))
41		- end.join("\n")
	41	+ end.join("\n").html_safe
42	42	)
43	43	end
44	44
...	...
...	...	@@ -44,7 +44,7 @@ module BoxesHelper
44	44
45	45	def display_boxes(holder, main_content)
46	46	boxes = holder.boxes.with_position.first(boxes_limit(holder))
47		- content = boxes.reverse.map { \|item\| display_box(item, main_content) }.join("\n")
	47	+ content = safe_join(boxes.reverse.map { \|item\| display_box(item, main_content) }, "\n")
48	48	content = main_content if (content.blank?)
49	49
50	50	content_tag('div', content, :class => 'boxes', :id => 'boxes' )
...	...	@@ -54,7 +54,7 @@ module BoxesHelper
54	54	if holder.respond_to?(element)
55	55	content_tag('div', holder.send(element), options)
56	56	else
57		- ''
	57	+ ''.html_safe
58	58	end
59	59	end
60	60
...	...	@@ -70,9 +70,10 @@ module BoxesHelper
70	70
71	71	def display_box_content(box, main_content)
72	72	context = { :article => @page, :request_path => request.path, :locale => locale, :params => request.params, :user => user, :controller => controller }
73		- box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do \|item\|
	73	+ blocks = box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do \|item\|
74	74	display_block item, main_content
75		- end.join("\n") + box_decorator.block_target(box)
	75	+ end
	76	+ safe_join(blocks, "\n") + box_decorator.block_target(box)
76	77	end
77	78
78	79	def select_blocks box, arr, context
...	...	@@ -136,17 +137,18 @@ module BoxesHelper
136	137
137	138	result = filter_html(result, block)
138	139
139		- content_tag('div',
140		- box_decorator.block_target(block.box, block) +
141		- content_tag('div',
142		- content_tag('div',
143		- content_tag('div',
144		- result + footer_content + box_decorator.block_edit_buttons(block),
145		- :class => 'block-inner-2'),
146		- :class => 'block-inner-1'),
147		- options),
148		- :class => 'block-outer') +
149		- box_decorator.block_handle(block)
	140	+ join_result = safe_join([result, footer_content, box_decorator.block_edit_buttons(block)])
	141	+ content_tag_inner_1 = content_tag('div', join_result, :class => 'block-inner-2')
	142	+
	143	+ content_tag_inner_2 = content_tag('div', content_tag_inner_1, :class => 'block-inner-1')
	144	+ content_tag_inner_3 = content_tag('div', content_tag_inner_2, options)
	145	+ content_tag_inner_4 = box_decorator.block_target(block.box, block) + content_tag_inner_3
	146	+ c = content_tag('div', content_tag_inner_4, :class => 'block-outer')
	147	+ box_decorator_result = box_decorator.block_handle(block)
	148	+ result_final = safe_join([c, box_decorator_result], "")
	149	+
	150	+
	151	+ return result_final
150	152	end
151	153
152	154	def wrap_main_content(content)
...	...	@@ -156,17 +158,17 @@ module BoxesHelper
156	158	def extract_block_content(content)
157	159	case content
158	160	when Hash
159		- content_tag('iframe', '', :src => url_for(content))
	161	+ content_tag('iframe', ''.html_safe, :src => url_for(content))
160	162	when String
161	163	if content.split("\n").size == 1 and content =~ /^https?:\/\//
162		- content_tag('iframe', '', :src => content)
	164	+ content_tag('iframe', ''.html_safe, :src => content)
163	165	else
164	166	content
165	167	end
166	168	when Proc
167	169	self.instance_eval(&content)
168	170	when NilClass
169		- ''
	171	+ ''.html_safe
170	172	else
171	173	raise "Unsupported content for block (#{content.class})"
172	174	end
...	...	@@ -175,14 +177,14 @@ module BoxesHelper
175	177	module DontMoveBlocks
176	178	# does nothing
177	179	def self.block_target(box, block = nil)
178		- ''
	180	+ ''.html_safe
179	181	end
180	182	# does nothing
181	183	def self.block_handle(block)
182		- ''
	184	+ ''.html_safe
183	185	end
184	186	def self.block_edit_buttons(block)
185		- ''
	187	+ ''.html_safe
186	188	end
187	189	def self.select_blocks box, arr, context
188	190	arr = arr.select{ \|block\| block.visible? context }
...	...	@@ -229,9 +231,9 @@ module BoxesHelper
229	231	# makes the given block draggable so it can be moved away.
230	232	def block_handle(block)
231	233	return "" unless movable?(block)
232		- icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>"
	234	+ icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>".html_safe
233	235	block_draggable("block-#{block.id}",
234		- :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}")
	236	+ :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}".html_safe)
235	237	end
236	238
237	239	def block_draggable(element_id, options={})
...	...	@@ -302,7 +304,7 @@ module BoxesHelper
302	304	buttons << modal_inline_icon(:embed, _('Embed code'), {}, "#embed-code-box-#{block.id}") << html
303	305	end
304	306
305		- content_tag('div', buttons.join("\n") + tag('br', :style => 'clear: left'), :class => 'button-bar')
	307	+ content_tag('div', buttons.join("\n").html_safe + tag('br', :style => 'clear: left'), :class => 'button-bar')
306	308	end
307	309
308	310	def current_blocks
...	...
...	...	@@ -15,9 +15,9 @@ module ButtonsHelper
15	15	end
16	16	the_title = html_options[:title] \|\| label
17	17	if html_options[:disabled]
18		- content_tag('a', ' '+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
	18	+ content_tag('a', ' '.html_safe+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
19	19	else
20		- link_to(' '+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
	20	+ link_to(' '.html_safe+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
21	21	end
22	22	end
23	23
...	...
...	...	@@ -19,18 +19,18 @@ module CatalogHelper
19	19	ancestors = category.ancestors.map { \|c\| link_to(c.name, {:controller => :catalog, :action => 'index', :level => c.id}) }.reverse
20	20	current_level = content_tag('strong', category.name)
21	21	all_items = [start] + ancestors + [current_level]
22		- content_tag('div', all_items.join(' → '), :id => 'breadcrumb')
	22	+ content_tag('div', safe_join(all_items, ' → '), :id => 'breadcrumb')
23	23	end
24	24
25	25	def category_link(category)
26	26	count = profile.products.from_category(category).count
27	27	name = truncate(category.name, :length => 22 - count.to_s.size)
28	28	link = link_to(name, {:controller => 'catalog', :action => 'index', :level => category.id}, :title => category.name)
29		- content_tag('div', "#{link} <span class=\"count\">#{count}</span>") if count > 0
	29	+ content_tag('div', "#{link} <span class=\"count\">#{count}</span>".html_safe) if count > 0
30	30	end
31	31
32	32	def category_with_sub_list(category)
33		- content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}"
	33	+ content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}".html_safe
34	34	end
35	35
36	36	def sub_category_list(category)
...	...	@@ -39,7 +39,7 @@ module CatalogHelper
39	39	cat_link = category_link sub_category
40	40	sub_categories << content_tag('li', cat_link) unless cat_link.nil?
41	41	end
42		- content_tag('ul', sub_categories.join) if sub_categories.size > 0
	42	+ content_tag('ul', sub_categories.join.html_safe) if sub_categories.size > 0
43	43	end
44	44
45	45	end
...	...