Merge branch 'new_security' into 'master'

Fixing html_safe for noosfero This MR treats of Noosfero's safe strings (with html_safe), because at the moment Noosfero treats all strings as safe, which allows users to inject malicious code. See merge request !859

Merge branch 'new_security' into 'master'
Fixing html_safe for noosfero This MR treats of Noosfero's safe strings (with html_safe), because at the moment Noosfero treats all strings as safe, which allows users to inject malicious code. See merge request !859
Braulio Bhavamitra
2 parents 05c93013 9172bf4b
Showing 115 changed files with 351 additions and 301 deletions Show diff stats
app/controllers/my_profile/cms_controller.rb
app/controllers/my_profile/profile_editor_controller.rb
app/helpers/action_tracker_helper.rb
app/helpers/application_helper.rb
app/helpers/block_helper.rb
app/helpers/blog_helper.rb
app/helpers/box_organizer_helper.rb
app/helpers/boxes_helper.rb
app/helpers/buttons_helper.rb
app/helpers/catalog_helper.rb
app/helpers/content_viewer_helper.rb
app/helpers/display_helper.rb
app/helpers/events_helper.rb
app/helpers/forms_helper.rb
app/helpers/forum_helper.rb
app/helpers/language_helper.rb
app/helpers/layout_helper.rb
app/helpers/manage_products_helper.rb
app/helpers/profile_editor_helper.rb
app/helpers/profile_image_helper.rb
@@ -108,7 +108,7 @@ class CmsController &lt; MyProfileController
   end
   def new
-    # FIXME this method should share some logic wirh edit !!!
+    # FIXME this method should share some logic with edit !!!
     @success_back_to = params[:success_back_to]
     # user must choose an article type first
@@ -365,7 +365,7 @@ class CmsController &lt; MyProfileController
   def search
     query = params[:q]
     results = find_by_contents(:uploaded_files, profile, profile.files.published, query)[:results]
-    render :text => article_list_to_json(results), :content_type => 'application/json'
+    render :text => article_list_to_json(results).html_safe, :content_type => 'application/json'
   end
   def search_article_privacy_exceptions
@@ -29,6 +29,7 @@ class ProfileEditorController &lt; MyProfileController
         Image.transaction do
           begin
             @plugins.dispatch(:profile_editor_transaction_extras)
+            # TODO: This is unsafe! Add sanitizer
             @profile_data.update!(params[:profile_data])
             redirect_to :action => 'index', :profile => profile.identifier
           rescue Exception => ex
@@ -5,22 +5,22 @@ module ActionTrackerHelper
   end
   def new_friendship_description ta
-    n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size) % {
+    n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size).html_safe % {
       num: ta.get_friend_name.size,
-      name: ta.collect_group_with_index(:friend_name) do |n,i|
+      name: safe_join(ta.collect_group_with_index(:friend_name) do |n,i|
         link_to image_tag(ta.get_friend_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/person-icon.png")),
                 ta.get_friend_url[i], title: n
-      end.join
+      end)
     }
   end
   def join_community_description ta
-    n_('has joined 1 community:<br />%{name}', 'has joined %{num} communities:<br />%{name}', ta.get_resource_name.size) % {
+    n_('has joined 1 community:<br />%{name}'.html_safe, 'has joined %{num} communities:<br />%{name}'.html_safe, ta.get_resource_name.size) % {
       num: ta.get_resource_name.size,
       name: ta.collect_group_with_index(:resource_name) do |n,i|
-        link_to image_tag(ta.get_resource_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/community-icon.png")),
+       link = link_to image_tag(ta.get_resource_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/community-icon.png")),
                 ta.get_resource_url[i], title: n
-      end.join
+      end.join.html_safe
     }
   end
@@ -99,7 +99,6 @@ module ApplicationHelper
   #
   # TODO: implement correcly the 'Help' button click
   def help(content = nil, link_name = nil, options = {}, &block)
-
     link_name ||= _('Help')
     @help_message_id ||= 1
@@ -122,7 +121,7 @@ module ApplicationHelper
     button = link_to_function(content_tag('span', link_name), "Element.show('#{help_id}')", options )
     close_button = content_tag("div", link_to_function(_("Close"), "Element.hide('#{help_id}')", :class => 'close_help_button'))
-    text = content_tag('div', button + content_tag('div', content_tag('div', content) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
+    text = content_tag('div', button + content_tag('div', content_tag('div', content.html_safe) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
     unless block.nil?
       concat(text)
@@ -362,8 +361,8 @@ module ApplicationHelper
   def popover_menu(title,menu_title,links,html_options={})
     html_options[:class] = "" unless html_options[:class]
     html_options[:class] << " menu-submenu-trigger"
-    html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false"
+    html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false".html_safe
     link_to(content_tag(:span, title), '#', html_options)
   end
@@ -473,9 +472,9 @@ module ApplicationHelper
       map(&:role)
     names = []
     roles.each do |role|
-      names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}")
+      names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}").html_safe
     end
-    names.join(', ')
+    safe_join(names, ', ')
   end
   def role_color(role, env_id)
@@ -911,7 +910,8 @@ module ApplicationHelper
   end
   def admin_link
-    user.is_admin?(environment) ? link_to('<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>', environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
+    admin_icon = '<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>'
+    user.is_admin?(environment) ? link_to(admin_icon.html_safe, environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
   end
   def usermenu_logged_in
@@ -920,23 +920,39 @@ module ApplicationHelper
     if count > 0
       pending_tasks_count = link_to(count.to_s, user.tasks_url, :id => 'pending-tasks-count', :title => _("Manage your pending tasks"))
     end
+    user_identifier = "<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>"
+    welcome_link = link_to(user_identifier.html_safe, user.public_profile_url, :id => "homepage-link", :title => _('Go to your homepage'))
+    welcome_span = _("<span class='welcome'>Welcome,</span> %s") % welcome_link.html_safe
+    ctrl_panel_icon = '<i class="icon-menu-ctrl-panel"></i>'
+    ctrl_panel_section = '<strong>' + ctrl_panel_icon + _('Control panel') + '</strong>'
+    ctrl_panel_link = link_to(ctrl_panel_section.html_safe, user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content"))
+    logout_icon = '<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>'
+    logout_link = link_to(logout_icon.html_safe, { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
+    join_result = safe_join(
+      [welcome_span.html_safe, render_environment_features(:usermenu).html_safe, admin_link.html_safe,
+        manage_enterprises.html_safe, manage_communities.html_safe, ctrl_panel_link.html_safe,
+        pending_tasks_count.html_safe, logout_link.html_safe], "")
+    join_result
+  end
-    (_("<span class='welcome'>Welcome,</span> %s") % link_to("<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>", user.url, :id => "homepage-link", :title => _('Go to your homepage'))) +
-    render_environment_features(:usermenu) +
-    admin_link +
-    manage_enterprises +
-    manage_communities +
-    link_to('<i class="icon-menu-ctrl-panel"></i><strong>' + _('Control panel') + '</strong>', user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content")) +
-    pending_tasks_count +
-    link_to('<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>', { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
+  def usermenu_notlogged_in
+    login_str = '<i class="icon-menu-login"></i><strong>' + _('Login') + '</strong>'
+    ret = _("<span class='login'>%s</span>") % modal_inline_link_to(login_str.html_safe, login_url, '#inlineLoginBox', :id => 'link_login')
+    return ret.html_safe
   end
+  def usermenu_signup
+    signup_str = '<strong>' + _('Sign up') + '</strong>'
+    ret = _("<span class='or'>or</span> <span class='signup'>%s</span>") % link_to(signup_str.html_safe, :controller => 'account', :action => 'signup')
+    return ret.html_safe
+
+  end
   def limited_text_area(object_name, method, limit, text_area_id, options = {})
-    content_tag(:div, [
+    content_tag(:div, safe_join([
       text_area(object_name, method, { :id => text_area_id, :onkeyup => "limited_text_area('#{text_area_id}', #{limit})" }.merge(options)),
       content_tag(:p, content_tag(:span, limit) + ' ' + _(' characters left'), :id => text_area_id + '_left'),
       content_tag(:p, _('Limit of characters reached'), :id => text_area_id + '_limit', :style => 'display: none')
-    ].join, :class => 'limited-text-area')
+    ]), :class => 'limited-text-area')
   end
   def expandable_text_area(object_name, method, text_area_id, options = {})
@@ -1032,8 +1048,8 @@ module ApplicationHelper
   end
   def render_tabs(tabs)
-    titles = tabs.inject(''){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
-    contents = tabs.inject(''){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) }
+    titles = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
+    contents = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) }
     content_tag(:div, content_tag(:ul, titles) + raw(contents), :class => 'ui-tabs')
   end
@@ -1051,7 +1067,7 @@ module ApplicationHelper
   def expirable_link_to(expired, content, url, options = {})
     if expired
       options[:class] = (options[:class] || '') + ' disabled'
-      content_tag('a', '&nbsp;'+content_tag('span', content), options)
+      content_tag('a', '&nbsp;'.html_safe+content_tag('span', content), options)
     else
       if options[:modal]
         options.delete(:modal)
@@ -1084,7 +1100,7 @@ module ApplicationHelper
     radios = templates.map do |template|
       content_tag('li', labelled_radio_button(link_to(template.name, template.url, :target => '_blank'), "#{field_name}[template_id]", template.id, environment.is_default_template?(template)))
-    end.join("\n")
+    end.join("\n").html_safe
     content_tag('div', content_tag('label', _('Profile organization'), :for => 'template-options', :class => 'formlabel') +
       content_tag('p', _('Your profile will be created according to the selected template. Click on the options to view them.'), :style => 'margin: 5px 15px;padding: 0px 10px;') +
@@ -1124,7 +1140,7 @@ module ApplicationHelper
     content_tag(:div, :class => 'errorExplanation', :id => 'errorExplanation') do
       content_tag(:h2, _('Errors while saving')) +
       content_tag(:ul) do
-        errors.map { |err| content_tag(:li, err) }.join
+        safe_join(errors.map { |err| content_tag(:li, err) })
       end
     end
   end
@@ -1234,6 +1250,7 @@ module ApplicationHelper
       :href=>"#",
       :title=>_("Exit full screen mode")
     })
+    content.html_safe
   end
 end
@@ -3,13 +3,13 @@ module BlockHelper
   def block_title(title, subtitle=nil)
     block_header = block_heading title
     block_header += block_heading(subtitle, 'h4') if subtitle
-    content_tag 'div', block_header, :class => 'block-header'
+    content_tag('div', block_header, :class => 'block-header').html_safe
   end
   def block_heading(title, heading='h3')
     tag_class = 'block-' + (heading == 'h3' ? 'title' : 'subtitle')
     tag_class += ' empty' if title.empty?
-    content_tag heading, content_tag('span', h(title)), :class => tag_class
+    content_tag heading, content_tag('span', h(title)), :class => tag_class.html_safe
   end
   def highlights_block_config_image_fields(block, image={}, row_number=nil)
@@ -41,12 +41,12 @@ module BlogHelper
       css_add << position
       content << (content_tag 'div', id: "post-#{art.id}", class: css_add do
         content_tag 'div', class: position + '-inner blog-post-inner' do
-          display_post(art, conf[:format]).html_safe +
-          '<br style="clear:both"/>'.html_safe
+          display_post(art, conf[:format])  +
+          '<br style="clear:both"/>'
         end
-      end)
+      end).html_safe
     }
-    content.join("\n<hr class='sep-posts'/>\n") + (pagination or '')
+    safe_join(content, "\n<hr class='sep-posts'/>\n") + (pagination or '').html_safe
   end
   def display_post(article, format = 'full')
@@ -61,7 +61,8 @@ module BlogHelper
       else
         '<div class="post-pic" style="background-image:url('+img+')"></div>'
       end
-    end.to_s + title + html
+    end.to_s.html_safe +
+    title.html_safe + html
   end
   def display_compact_format(article)
@@ -38,7 +38,7 @@ module BoxOrganizerHelper
     content_tag(:ul,
       images_path.map do |preview|
 	content_tag(:li, image_tag(preview, height: '240', alt: ''))
-      end.join("\n")
+      end.join("\n").html_safe
     )
   end
@@ -44,7 +44,7 @@ module BoxesHelper
   def display_boxes(holder, main_content)
     boxes = holder.boxes.with_position.first(boxes_limit(holder))
-    content = boxes.reverse.map { |item| display_box(item, main_content) }.join("\n")
+    content = safe_join(boxes.reverse.map { |item| display_box(item, main_content) }, "\n")
     content = main_content if (content.blank?)
     content_tag('div', content, :class => 'boxes', :id => 'boxes' )
@@ -54,7 +54,7 @@ module BoxesHelper
     if holder.respond_to?(element)
       content_tag('div', holder.send(element), options)
     else
-      ''
+      ''.html_safe
     end
   end
@@ -70,9 +70,10 @@ module BoxesHelper
   def display_box_content(box, main_content)
     context = { :article => @page, :request_path => request.path, :locale => locale, :params => request.params, :user => user, :controller => controller }
-    box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item|
+    blocks = box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item|
       display_block item, main_content
-    end.join("\n") + box_decorator.block_target(box)
+    end
+    safe_join(blocks, "\n") + box_decorator.block_target(box)
   end
   def select_blocks box, arr, context
@@ -136,17 +137,18 @@ module BoxesHelper
     result = filter_html(result, block)
-    content_tag('div',
-      box_decorator.block_target(block.box, block) +
-        content_tag('div',
-         content_tag('div',
-           content_tag('div',
-             result + footer_content + box_decorator.block_edit_buttons(block),
-             :class => 'block-inner-2'),
-           :class => 'block-inner-1'),
-       options),
-    :class => 'block-outer') +
-    box_decorator.block_handle(block)
+    join_result = safe_join([result, footer_content, box_decorator.block_edit_buttons(block)])
+    content_tag_inner_1 = content_tag('div', join_result, :class => 'block-inner-2')
+
+    content_tag_inner_2 = content_tag('div', content_tag_inner_1, :class => 'block-inner-1')
+    content_tag_inner_3 = content_tag('div', content_tag_inner_2, options)
+    content_tag_inner_4 = box_decorator.block_target(block.box, block) + content_tag_inner_3
+    c = content_tag('div', content_tag_inner_4, :class => 'block-outer')
+    box_decorator_result = box_decorator.block_handle(block)
+    result_final = safe_join([c, box_decorator_result], "")
+
+
+    return result_final
   end
   def wrap_main_content(content)
@@ -156,17 +158,17 @@ module BoxesHelper
   def extract_block_content(content)
     case content
     when Hash
-      content_tag('iframe', '', :src => url_for(content))
+      content_tag('iframe', ''.html_safe, :src => url_for(content))
     when String
       if content.split("\n").size == 1 and content =~ /^https?:\/\//
-        content_tag('iframe', '', :src => content)
+        content_tag('iframe', ''.html_safe, :src => content)
       else
         content
       end
     when Proc
       self.instance_eval(&content)
     when NilClass
-      ''
+      ''.html_safe
     else
       raise "Unsupported content for block (#{content.class})"
     end
@@ -175,14 +177,14 @@ module BoxesHelper
   module DontMoveBlocks
     # does nothing
     def self.block_target(box, block = nil)
-      ''
+      ''.html_safe
     end
     # does nothing
     def self.block_handle(block)
-      ''
+      ''.html_safe
     end
     def self.block_edit_buttons(block)
-      ''
+      ''.html_safe
     end
     def self.select_blocks box, arr, context
       arr = arr.select{ |block| block.visible? context }
@@ -229,9 +231,9 @@ module BoxesHelper
   # makes the given block draggable so it can be moved away.
   def block_handle(block)
     return "" unless movable?(block)
-    icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>"
+    icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>".html_safe
     block_draggable("block-#{block.id}",
-                    :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}")
+                    :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}".html_safe)
   end
   def block_draggable(element_id, options={})
@@ -302,7 +304,7 @@ module BoxesHelper
       buttons << modal_inline_icon(:embed, _('Embed code'), {}, "#embed-code-box-#{block.id}") << html
     end
-    content_tag('div', buttons.join("\n") + tag('br', :style => 'clear: left'), :class => 'button-bar')
+    content_tag('div', buttons.join("\n").html_safe + tag('br', :style => 'clear: left'), :class => 'button-bar')
   end
   def current_blocks
@@ -15,9 +15,9 @@ module ButtonsHelper
     end
     the_title = html_options[:title] || label
     if html_options[:disabled]
-      content_tag('a', '&nbsp;'+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
+      content_tag('a', '&nbsp;'.html_safe+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
     else
-      link_to('&nbsp;'+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
+      link_to('&nbsp;'.html_safe+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
     end
   end
@@ -19,18 +19,18 @@ module CatalogHelper
     ancestors = category.ancestors.map { |c| link_to(c.name, {:controller => :catalog, :action => 'index', :level => c.id}) }.reverse
     current_level = content_tag('strong', category.name)
     all_items = [start] + ancestors + [current_level]
-    content_tag('div', all_items.join(' &rarr; '), :id => 'breadcrumb')
+    content_tag('div', safe_join(all_items, ' &rarr; '), :id => 'breadcrumb')
   end
   def category_link(category)
     count = profile.products.from_category(category).count
     name = truncate(category.name, :length => 22 - count.to_s.size)
     link = link_to(name, {:controller => 'catalog', :action => 'index', :level => category.id}, :title => category.name)
-    content_tag('div', "#{link} <span class=\"count\">#{count}</span>") if count > 0
+    content_tag('div', "#{link} <span class=\"count\">#{count}</span>".html_safe) if count > 0
   end
   def category_with_sub_list(category)
-    content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}"
+    content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}".html_safe
   end
   def sub_category_list(category)
@@ -39,7 +39,7 @@ module CatalogHelper
       cat_link = category_link sub_category
       sub_categories << content_tag('li', cat_link) unless cat_link.nil?
     end
-    content_tag('ul', sub_categories.join) if sub_categories.size > 0
+    content_tag('ul', sub_categories.join.html_safe) if sub_categories.size > 0
   end
 end
@@ -7,7 +7,8 @@ module ContentViewerHelper
   def display_number_of_comments(n)
     base_str = "<span class='comment-count hide'>#{n}</span>"
     amount_str = n == 0 ? _('no comments yet') : (n == 1 ? _('One comment') : _('%s comments') % n)
-    base_str + "<span class='comment-count-write-out'>#{amount_str}</span>"
+    base_str += "<span class='comment-count-write-out'>#{amount_str}</span>"
+    base_str.html_safe
   end
   def number_of_comments(article)
@@ -19,11 +20,11 @@ module ContentViewerHelper
     title = content_tag('h1', h(title), :class => 'title')
     if article.belongs_to_blog? || article.belongs_to_forum?
       unless args[:no_link]
-        title = content_tag('h1', link_to(article.name, article.url), :class => 'title')
+        title = content_tag('h1', link_to(article.name, url_for(article.url)), :class => 'title')
       end
       comments = ''
       unless args[:no_comments] || !article.accept_comments
-        comments = (" - %s") % link_to_comments(article)
+        comments = (" - %s").html_safe % link_to_comments(article)
       end
       date_format = show_with_right_format_date article
       title << content_tag('span',
@@ -53,18 +53,19 @@ module DisplayHelper
   end
   def txt2html(txt)
-    txt.strip.
+    ret = txt.strip.
       gsub( /\s*\n\s*\n\s*/, "\r<p/>\r" ).
       gsub( /\s*\n\s*/, "\n<br/>\n" ).
       gsub( /\r/, "\n" ).
       gsub( /(^|\s)(www\.[^\s]+|https?:\/\/[^\s]+)/ ) do
         pre_char, href = $1, $2
         href = 'http://'+href  if ! href.match /^https?:/
-        content = href.gsub(/^https?:\/\//, '').scan(/.{1,4}/).join('&#x200B;')
+        content = safe_join(href.gsub(/^https?:\/\//, '').scan(/.{1,4}/), '&#x200B;'.html_safe)
         pre_char +
         content_tag(:a, content, :href => href, :target => '_blank',
-                    :rel => 'nofolow', :onclick => "return confirm('%s')" %
+                    :rel => 'nofolow', :onclick => "return confirm('%s')".html_safe %
                       _('Are you sure you want to visit this web site?'))
       end
+      ret.html_safe
   end
 end
 module EventsHelper
   include DatesHelper
+  include ActionView::Helpers::OutputSafetyHelper
+
   def list_events(date, events)
     title = _('Events for %s') % show_date_month(date)
+    user_events = events.select { |item| item.display_to?(user) }
+    events_for_month = safe_join(user_events.map {|item| display_event_in_listing(item)}, '')
     content_tag('h2', title) +
     content_tag('div',
       (events.any? ?
-        content_tag('table', events.select { |item| item.display_to?(user) }.map {|item| display_event_in_listing(item)}.join('')) :
-        content_tag('em', _('No events for this month'), :class => 'no-events')
+        content_tag('table', events_for_month) :
+          content_tag('em', _('No events for this month'), :class => 'no-events')
       ), :id => 'agenda-items'
     )
   end
@@ -101,7 +101,7 @@ module FormsHelper
   def required_fields_message
     content_tag('p', content_tag('span',
-      _("The <label class='pseudoformlabel'>highlighted</label> fields are mandatory."),
+      _("The <label class='pseudoformlabel'>highlighted</label> fields are mandatory.").html_safe,
       :class => 'required-field'
     ))
   end
@@ -112,10 +112,11 @@ module FormsHelper
     options_for_select = container.inject([]) do |options, element|
       text, value = option_text_and_value(element)
       selected_attribute = ' selected="selected"' if option_value_selected?(value, selected)
-      options << %(<option title="#{html_escape(text.to_s)}" value="#{html_escape(value.to_s)}"#{selected_attribute}>#{html_escape(text.to_s)}</option>)
+      opt = %(<option title="#{html_escape(text.to_s)}" value="#{html_escape(value.to_s)}"#{selected_attribute}>#{html_escape(text.to_s)}</option>)
+      options << opt.html_safe
     end
-    options_for_select.join("\n")
+    safe_join(options_for_select, "\n")
   end
   def balanced_table(items, per_row=3)
@@ -248,8 +249,8 @@ module FormsHelper
   def date_range_field(from_name, to_name, from_value, to_value, datepicker_options = {}, html_options = {})
     from_id = html_options[:from_id] || 'datepicker-from-date'
     to_id = html_options[:to_id] || 'datepicker-to-date'
-    return _('From') +' '+ date_field(from_name, from_value, datepicker_options, html_options.merge({:id => from_id})) +
-    ' ' + _('until') +' '+ date_field(to_name, to_value, datepicker_options, html_options.merge({:id => to_id}))
+    return (_('From') +' '+ date_field(from_name, from_value, datepicker_options, html_options.merge({:id => from_id})) +
+    ' ' + _('until') +' '+ date_field(to_name, to_value, datepicker_options, html_options.merge({:id => to_id}))).html_safe
   end
   def select_folder(label_text, field_id, collection, default_value=nil, html_options = {}, js_options = {})
@@ -35,7 +35,7 @@ module ForumHelper
                              :id => "post-#{art.id}"
                             )
     }
-    content_tag('table', content.join) + (pagination or '')
+    content_tag('table', safe_join(content, "")) + (pagination or '').html_safe
   end
   def last_topic_update(article)
@@ -40,7 +40,7 @@ module LanguageHelper
         else
           link_to(name, params.merge(:lang => code), :rel => 'nofollow')
         end
-      end.join(separator)
+      end.join(separator).html_safe
       content_tag('div', languages, :id => 'language-chooser', :help => _('The language you choose here is the language used for options, buttons, etc. It does not affect the language of the content created by other users.'))
     end
   end
@@ -40,7 +40,8 @@ module LayoutHelper
     output += templete_javascript_ng.to_s
-    output
+    # This output should be safe!
+    output.html_safe
   end
   def noosfero_stylesheets
@@ -64,7 +65,9 @@ module LayoutHelper
       output << stylesheet_link_tag(global_css_pub)
     end
     output << stylesheet_link_tag(theme_stylesheet_path)
-    output.join "\n"
+
+    # This output should be safe!
+    output.join("\n").html_safe
   end
   def noosfero_layout_features
@@ -38,10 +38,11 @@ module ManageProductsHelper
   end
   def options_for_select_categories(categories, selected = nil)
-    categories.sort_by{|cat| cat.name.transliterate}.map do |category|
-      selected_attribute = selected.nil? ? '' : (category == selected ? "selected='selected'" : '')
-      "<option value='#{category.id}' title='#{category.name}' #{selected_attribute}>#{category.name + (category.leaf? ? '': ' &raquo;')}</option>"
-    end.join("\n")
+    safe_join(categories.sort_by{ |cat|
+      cat.name.transliterate}.map do |category|
+        selected_attribute = selected.nil? ? '' : (category == selected ? "selected='selected'" : '')
+          "<option value='#{category.id}' title='#{category.name}' #{selected_attribute}>#{category.name + (category.leaf? ? '': ' &raquo;')}</option>".html_safe
+    end, "\n")
   end
   def build_selects_for_ancestors(ancestors, current_category)
@@ -76,10 +77,13 @@ module ManageProductsHelper
   def categories_container(categories_selection_html, hierarchy_html = '')
     content_tag 'div',
-      render('categories_autocomplete') +
-      hidden_field_tag('selected_category_id') +
-      content_tag('div', hierarchy_html, :id => 'hierarchy_navigation') +
-      content_tag('div', categories_selection_html, :id => 'categories_container_wrapper'),
+      safe_join(
+        [
+          render('categories_autocomplete'),
+          hidden_field_tag('selected_category_id'),
+          content_tag('div', hierarchy_html, :id => 'hierarchy_navigation'),
+          content_tag('div', categories_selection_html, :id => 'categories_container_wrapper')
+        ], ''),
     :id => 'categories-container'
   end
@@ -129,7 +129,11 @@ module ProfileEditorHelper
     else
       domains = environment.domains
     end
-    labelled_form_field(_('Preferred domain name:'), select(object, :preferred_domain_id, domains.map {|item| [item.name, item.id]}, :prompt => '&lt;' + _('Select domain') + '&gt;'))
+    select_domain_prompt = '&lt;'.html_safe + _('Select domain').html_safe + '&gt;'.html_safe
+    select_field = select(object, :preferred_domain_id, domains.map {
+      |item| [item.name, item.id]}, :prompt => select_domain_prompt.html_safe)
+
+    labelled_form_field(_('Preferred domain name:'), select_field)
   end
   def control_panel(&block)
@@ -131,7 +131,7 @@ module ProfileImageHelper
     links = links_for_balloon(profile)
     content_tag('div', content_tag(tag,
                                    (environment.enabled?(:show_balloon_with_profile_links_when_clicked) ?
-                                   popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "") +
+                                   popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "").html_safe +
     link_to(
       content_tag( 'span', profile_image( profile, size ), :class => img_class ) +
       content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
@@ -139,7 +139,7 @@ module ProfileImageHelper
       profile.url,
       :class => 'profile_link url',
       :help => _('Click on this icon to go to the <b>%s</b>\'s home page') % profile.name,
-      :title => profile.name ),
+      :title => profile.name ).html_safe,
       :class => 'vcard'), :class => 'common-profile-list-block')
   end
 end
@@ -124,10 +124,10 @@ module SearchHelper
   def filters(asset)
     return if !asset
     klass = asset_class(asset)
-    content_tag('div', klass::SEARCH_FILTERS.map do |name, options|
+    content_tag('div', safe_join(klass::SEARCH_FILTERS.map do |name, options|
       default = klass.respond_to?("default_search_#{name}") ? klass.send("default_search_#{name}".to_s) : nil
       select_filter(name, options, default)
-    end.join("\n"), :id => 'search-filters')
+    end, "\n"), :id => 'search-filters')
   end
   def assets_menu(selected)
@@ -137,11 +137,11 @@ module SearchHelper
     #     menu.
     assets.delete(:events)
     content_tag('ul',
-      assets.map do |asset|
+      safe_join(assets.map do |asset|
         options = {}
         options.merge!(:class => 'selected') if selected.to_s == asset.to_s
         content_tag('li', asset_link(asset), options)
-      end.join("\n"),
+      end, "\n"),
     :id => 'assets-menu')
   end
@@ -58,7 +58,7 @@ module TagsHelper
       if options[:show_count]
         display_count = options[:show_count] ? "<small><sup>(#{count})</sup></small>" : ""
-        link_to tag + display_count, destination, :style => style
+        link_to (tag + display_count).html_safe, destination, :style => style
       else
         link_to h(tag) , destination, :style => style,
           :title => n_( 'one item', '%d items', count ) % count
@@ -7,7 +7,7 @@ module TinymceHelper
     output += javascript_include_tag 'tinymce/js/tinymce/jquery.tinymce.min.js'
     output += javascript_include_tag 'tinymce.js'
     output += include_macro_js_files.to_s
-    output
+    output.html_safe
   end
   def tinymce_init_js options = {}
@@ -37,7 +37,7 @@ module TinymceHelper
     #cleanup non tinymce options
     options = options.except :mode
-    "noosfero.tinymce.init(#{options.to_json})"
+    "noosfero.tinymce.init(#{options.to_json})".html_safe
   end
   def menubar mode
@@ -86,7 +86,7 @@ class ApproveArticle &lt; Task
   def information
     if article
-      {:message => _('%{requestor} wants to publish the article: %{linked_subject}.')}
+      {:message => _('%{requestor} wants to publish the article: %{linked_subject}.').html_safe}
     else
       {:message => _("The article was removed.")}
     end
@@ -60,9 +60,9 @@ class CreateCommunity &lt; Task
   def information
     if description.blank?
-      { :message => _('%{requestor} wants to create community %{subject} with no description.') }
+      { :message => _('%{requestor} wants to create community %{subject} with no description.').html_safe }
     else
-      { :message => _('%{requestor} wants to create community %{subject} with this description:<p><em>%{description}</em></p>'),
+      { :message => _('%{requestor} wants to create community %{subject} with this description:<p><em>%{description}</em></p>').html_safe,
         :variables => {:description => description} }
     end
   end
@@ -163,7 +163,7 @@ class CreateEnterprise &lt; Task
   end
   def information
-    {:message => _('%{requestor} wants to create enterprise %{subject}.')}
+    {:message => _('%{requestor} wants to create enterprise %{subject}.').html_safe}
   end
   def reject_details
@@ -17,7 +17,7 @@ class DocItem
       else
         match
       end
-    end
+    end.html_safe
   end
   private
@@ -731,7 +731,7 @@ class Environment &lt; ApplicationRecord
     url << (Noosfero.url_options.key?(:host) ? Noosfero.url_options[:host] : default_hostname)
     url << ':' << Noosfero.url_options[:port].to_s if Noosfero.url_options.key?(:port)
     url << Noosfero.root('')
-    url
+    url.html_safe
   end
   def to_s
@@ -13,7 +13,7 @@ class InviteFriend &lt; Invitation
   end
   def information
-    {:message => _('%{requestor} wants to be your friend.')}
+    {:message => _('%{requestor} wants to be your friend.').html_safe}
   end
   def accept_details
@@ -25,7 +25,7 @@ class InviteFriend &lt; Invitation
   end
   def target_notification_description
-    _('%{requestor} wants to be your friend.') % {:requestor => requestor.name}
+    (_('%{requestor} wants to be your friend.') % {:requestor => requestor.name}).html_safe
   end
   def permission
@@ -25,7 +25,7 @@ class InviteMember &lt; Invitation
   end
   def information
-    {:message => _('%{requestor} invited you to join %{linked_subject}.')}
+    {:message => _('%{requestor} invited you to join %{linked_subject}.').html_safe}
   end
   def url
@@ -37,7 +37,7 @@ class InviteMember &lt; Invitation
   end
   def target_notification_description
-    _('%{requestor} invited you to join %{community}.') % {:requestor => requestor.name, :community => community.name}
+    (_('%{requestor} invited you to join %{community}.') % {:requestor => requestor.name, :community => community.name}).html_safe
   end
   def target_notification_message
@@ -646,7 +646,7 @@ class Profile &lt; ApplicationRecord
     url << url_options[:host]
     url << ':' << url_options[:port].to_s if url_options.key?(:port)
     url << Noosfero.root('')
-    url
+    url.html_safe
   end
 private :generate_url, :url_options
@@ -65,7 +65,7 @@ class SuggestArticle &lt; Task
   def information
     variables = requestor.blank? ? {:requestor => sender} : {}
-    { :message => _('%{requestor} suggested the publication of the article: %{subject}.'),
+    { :message => _('%{requestor} suggested the publication of the article: %{subject}.').html_safe,
       :variables => variables }
   end
@@ -78,7 +78,7 @@ class SuggestArticle &lt; Task
   end
   def target_notification_description
-    _('%{requestor} suggested the publication of the article: %{article}.') %
+    _('%{requestor} suggested the publication of the article: %{article}.').html_safe %
     {:requestor => sender, :article => article_name}
   end
@@ -107,7 +107,7 @@
     <%= render :partial => 'profile_editor/person_form', :locals => {:f => f} %>
   <% end %>
-  <%= @plugins.dispatch(:signup_extra_contents).collect { |content| instance_eval(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:signup_extra_contents).collect { |content| instance_eval(&content) }, "") %>
   <%= template_options(:people, 'profile_data') %>
@@ -14,7 +14,7 @@
 <div id="enterprise-activation-create-user-form" style="display: none">
   <h3><%= _('Personal signup form') %></h3>
   <%= render :partial => 'signup_form', :locals => { :hidden_atention => true } %>
-  <p><%= message = _('<b>Warning</b>: this form is for your personal information, not of your enterprise. So you will have a personal account that can manage your enterprise.') %></p>
+  <p><%= message = _('<b>Warning</b>: this form is for your personal information, not of your enterprise. So you will have a personal account that can manage your enterprise.').html_safe %></p>
 </div>
 <div id="enterprise-activation-login-form" style="display: none">
 <h1><%= _("Invalid change password code") %></h1>
 <p>
-<%= _('The code you are using for password change is not valid. Please try to request password change using the <a href="%s">"I forgot my password"</a> functionality.') % url_for(:action => 'forgot_password') %>
+<%= _('The code you are using for password change is not valid. Please try to request password change using the <a href="%s">"I forgot my password"</a> functionality.') % url_for(:action => 'forgot_password').html_safe %>
 </p>
@@ -20,7 +20,7 @@
        </label>
      </div>
-     <%= @plugins.dispatch(:login_extra_contents).collect { |content| instance_exec(&content) }.join("") %>
+     <%= safe_join(@plugins.dispatch(:login_extra_contents).collect { |content| instance_exec(&content) }, "") %>
      <% button_bar do %>
        <%= submit_button( 'login', _('Log in') )%>
@@ -15,7 +15,7 @@
       <%= f.password_field :password %>
-      <%= @plugins.dispatch(:login_extra_contents).collect { |content| instance_eval(&content) }.join("") %>
+      <%= safe_join(@plugins.dispatch(:login_extra_contents).collect { |content| instance_eval(&content) }, "") %>
       <% button_bar do %>
         <%= submit_button( 'login', _('Log in') )%>
@@ -5,5 +5,5 @@
 </p>
 <p>
-<%= _("You can <a href='%s'>login</a> now.") % url_for(:action => 'login') %>
+<%= _("You can <a href='%s'>login</a> now.").html_safe % url_for(:action => 'login') %>
 </p>
@@ -6,7 +6,7 @@
       <%= content_tag('li', content_tag('strong', "#{year.to_i} (#{count})")) %>
       <ul class='<%= year.to_i %>-archive'>
         <% block.blog.total_number_of_posts(:by_month, year).each do |month, count| %>
-          <%= content_tag('li', link_to("#{month_name(month.to_i)} (#{count})", block.blog.url.merge(year: year.to_i, month: month.to_i))) %>
+          <%= content_tag('li', link_to("#{month_name(month.to_i)} (#{count})", url_for(block.blog.url.merge(year: year.to_i, month: month.to_i)).html_safe)) %>
         <% end %>
       </ul>
     <% end %>
@@ -8,7 +8,7 @@
       <%= block.sanitize_link(link_to(link[:name], block.expand_address(link[:address]),
                 :target => link[:target],
                 :class => (link[:icon] ? "icon-#{link[:icon]}" : ''),
-                :title => link[:title])) %>
+                :title => link[:title])).html_safe %>
     </li>
   <% end %>
 </ul>
@@ -3,7 +3,7 @@
     <h2><%= _('Logged in as %s') % user.identifier %></h2>
     <ul>
       <li><%= _('User since %s/%s') % [user.created_at.month, user.created_at.year] %></li>
-      <li><%= link_to _('Homepage'), user.public_profile_url %></li>
+      <li><%= link_to _('Homepage'), url_for(user.public_profile_url) %></li>
     </ul>
     <div class="user-actions">
       <%= button(:'menu-logout',  _('Logout'), :controller => 'account', :action => 'logout') %>
@@ -10,8 +10,8 @@
   <% if list.empty? %>
     <div class='common-profile-list-block-none'><%= _('None') %></div>
   <% else %>
-    <ul><%= list %></ul>
+    <ul><%= list.html_safe %></ul>
   <% end %>
 </div>
- 
+
 <br style='clear:both'/>
@@ -9,7 +9,8 @@
     first_text = articles[articles.find_index{|a| a.kind_of? TextArticle}||-1]
     selected = @block.article || first_text
   %>
-  <%= select_tag(
+  <%= 
+    select_tag(
     'block[article_id]',
     options_for_select_with_title(articles.map {|item| [item.path, item.id]}, selected.id),
     :onchange => 'this.changedTo(this.value)'
@@ -35,7 +35,7 @@
           <% else %>
             <div class="no-image"><%= _('No image') %></div>
           <% end %>
-          <div class="catalog-item-extras"><%= extra_content.join("\n") %></div>
+          <div class="catalog-item-extras"><%= safe_join(extra_content, "\n") %></div>
         </li>
         <li class="product-link"><%= link_to_product product %></li>
@@ -35,7 +35,7 @@
 <div id="article-formitem">
   <%= labelled_form_field( _('Address'),
         content_tag('code',
-          url_for(@article.url).gsub(/#{@article.slug}$/, '') +
+          url_for(@article.url).gsub(/#{@article.slug}$/, '').html_safe +
           text_field(:article, :slug, :onchange => "warn_value_change()", :size => 25)
         ) +
         content_tag('div',
@@ -14,7 +14,7 @@
     <p><%= _('Numbered lists:') %></p>
     <pre># <%= _('first item') %>
 # <%= _('second item') %></pre>
-    <p><%= h(_('For code, use HTML tags <pre> and <code>, and indent the code inside them:')) %>
+    <p><%= h(_('For code, use HTML tags <pre> and <code>, and indent the code inside them:').html_safe) %>
     </p>
     <pre>
 &lt;pre&gt;
@@ -23,7 +23,7 @@
 &lt;/code&gt;
 &lt;/pre&gt;
 </pre>
-    <p><%= _('See also a more complete <a href="%s">Textile Reference</a>.') % 'http://redcloth.org/hobix.com/textile/' %></p>
+    <p><%= _('See also a more complete <a href="%s">Textile Reference</a>.').html_safe % 'http://redcloth.org/hobix.com/textile/' %></p>
   </div>
 </div>
@@ -39,7 +39,7 @@
   <script>
     jQuery('#article_tag_list').inputosaurus({
-      autoCompleteSource: <%= "'/myprofile/#{profile.identifier}/cms/search_tags'," %>
+      autoCompleteSource: <%= "'/myprofile/#{profile.identifier}/cms/search_tags',".html_safe %>
       activateFinalResult : true
     })
   </script>
@@ -5,7 +5,7 @@
 <ul class="article-types">
   <% for type in @article_types %>
     <% action = type[:class].name == 'UploadedFile' ? {:action => 'upload_files'} : {:action => 'new', :type => type[:class].name} %>
-    <%= content_tag('a', :href => url_for(action.merge(:parent_id => @parent_id, :back_to => @back_to))) do %>
+    <%= content_tag('a', :href => url_for(action.merge(:parent_id => @parent_id, :back_to => @back_to)).html_safe) do %>
       <li class="<%= icon_for_new_article(type[:class]) %>" onmouseover="javascript: jQuery(this).addClass('mouseover')" onmouseout="jQuery(this).removeClass('mouseover')">
         <strong><%= type[:short_description] %></strong>
         <div class='description'><%= type[:description] %></div>
@@ -17,11 +17,11 @@
 <h3><%= _("Select the files you want to upload (max size %s):") % UploadedFile.max_size.to_humanreadable %></h3>
 <h4><%= _('Documents, Images, Videos, Audio') %></h4>
-<h5><%= _('Uploading files to %s') % content_tag('code', @target) %></h5>
+<h5><%= (_('Uploading files to %s') % content_tag('code', @target)).html_safe%></h5>
 <%= form_for('uploaded_file', :url => { :action => 'upload_files' }, :html => {:multipart => true}) do |f| %>
-  <%= @plugins.dispatch(:upload_files_extra_fields, params[:parent_id]).collect { |content| instance_exec(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:upload_files_extra_fields, params[:parent_id]).collect { |content| instance_exec(&content) }, "") %>
   <%= render :partial => 'upload_file_form', :locals => { :size => '45'} %>
@@ -17,7 +17,7 @@
 <% button_bar(:style => 'margin-bottom: 1em;') do %>
   <% parent_id = ((@article && @article.allow_children?) ? @article : nil) %>
-  <%= modal_button('new', _('New content'), :action => 'new', :parent_id => parent_id, :cms => true) %>
+  <%= modal_button('new', _('New content'), url_for({:action => 'new', :parent_id => parent_id, :cms => true}).html_safe) %>
   <%= button(:back, _('Back to control panel'), :controller => 'profile_editor', :action => "index") %>
 <% end %>
@@ -26,7 +26,7 @@
     <strong><%= _('Current folder: ') %></strong>
     <%= link_to profile.identifier, :action => 'index' %>
     <% @article.hierarchy.each do |item| %>
-      <%= " / " + ((item == @article) ? item.name.html_safe : link_to(item.slug, :id => item.id).html_safe) %>
+      <%= " / ".html_safe + ((item == @article) ? item.name.html_safe : link_to(item.slug, :id => item.id).html_safe) %>
     <% end %>
   </div>
 <% end %>
@@ -45,9 +45,9 @@
     <tr>
       <td>
         <% if @article.parent %>
-          <%= link_to '.. (' + _('parent folder') + ')', {:action => 'view', :id => @article.parent.id}, :class => 'icon-parent-folder' %>
+          <%= link_to '.. ('.html_safe + _('parent folder') + ')', {:action => 'view', :id => @article.parent.id}, :class => 'icon-parent-folder' %>
         <% else %>
-          <%= link_to '.. (' + _('parent folder') + ')', {:action => 'index'}, :class => 'icon-parent-folder' %>
+          <%= link_to '.. ('.html_safe + _('parent folder') + ')', {:action => 'index'}, :class => 'icon-parent-folder' %>
         <% end %>
       </td>
       <td><%= Folder.short_description %></td>
@@ -43,7 +43,7 @@
         <p/>
         <%= txt2html comment.body %>
       </div>
-      <%= @plugins.dispatch(:comment_extra_contents, local_assigns).collect { |content| instance_exec(&content) }.join("") %>
+      <%= safe_join(@plugins.dispatch(:comment_extra_contents, local_assigns).collect { |content| instance_exec(&content) }, "") %>
     </div>
     <div class="comment_reply post_comment_box closed" id="comment_reply_to_<%= comment.id %>">
@@ -85,7 +85,7 @@ function check_captcha(button, confirm_action) {
   <%= hidden_field_tag(:view, params[:view])%>
   <%= f.hidden_field(:reply_of_id) %>
-  <%= @plugins.dispatch(:comment_form_extra_contents, local_assigns.merge(:comment => @comment)).collect { |content| instance_exec(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:comment_form_extra_contents, local_assigns.merge(:comment => @comment)).collect { |content| instance_exec(&content) }, "") %>
   <% button_bar do %>
     <%= submit_button('add', _('Post comment'), :onclick => "if(check_captcha(this)) { save_comment(this) } else { check_captcha(this, save_comment)};return false;") %>
@@ -26,7 +26,7 @@
         <% content = _('Add translation') %>
         <% parent_id = (@page.folder? ? @page : (@page.parent.nil? ? nil : @page.parent)) %>
         <% url = profile.admin_url.merge(:controller => 'cms', :action => 'new', :parent_id => parent_id, :type => @page.type, :article => { :translation_of_id => @page.native_translation.id })%>
-        <%= expirable_button @page, :locale, content, url %>
+        <%= expirable_button @page, :locale, content, url_for(url).html_safe %>
       <% end %>
       <% if !@page.archived? %>
@@ -67,7 +67,7 @@
       <div class="blog-cover"><%= image_tag(@page.image.public_filename())%></div>
     <% end %>
     <%= button_without_text(:feed, _('RSS feed'), @page.feed.url, :class => 'blog-feed-link') if @page.has_posts? && @page.feed %>
-    <%= @plugins.dispatch(:article_header_extra_contents, @page).collect { |content| instance_exec(&content) }.join("") %>
+    <%= safe_join(@plugins.dispatch(:article_header_extra_contents, @page).collect { |content| instance_exec(&content) }) %>
     <% if @page.archived? %>
       <%= render :partial => 'cms/archived_warning', :locals => {:article => @page} %>
     <% end %>
@@ -7,7 +7,7 @@
   </span>
 <% unless @no_comments %>
   <span class="comments">
-    <%= (" - %s") % link_to_comments(@page)%>
+    <%= (" - %s").html_safe % link_to_comments(@page) %>
   </span>
 <% end %>
@@ -35,7 +35,7 @@
       </div>
     <% end %>
     <div class="event-content">
-      <%= event.body %>
+      <%= raw event.body %>
     </div>
   <% end %>
 </div>
@@ -2,9 +2,9 @@
 <%= button(:back, _('Back to the versions'), {:action => 'article_versions'}) %>
 </div>
-<h1><%= _('Changes on "%s"') % @page.title %></h1>
+<h1><%= _('Changes on "%s"').html_safe % @page.title %></h1>
-<p> <%= _('Changes from %s &rarr; %s') % [show_time(@v1.updated_at), show_time(@v2.updated_at)] %> </p>
+<p> <%= _('Changes from %s &rarr; %s').html_safe % [show_time(@v1.updated_at), show_time(@v2.updated_at)] %> </p>
 <% diffContent = Diffy::Diff.new(@v1.body, @v2.body, :context => 1) %>
 <% if diffContent.to_s(:text).blank? %>
@@ -12,5 +12,5 @@
     <%= _('These versions range have no differences.')%>
   </p>
 <% else %>
-  <%= diffContent.to_s(:html) %>
+  <%= diffContent.to_s(:html).html_safe %>
 <% end %>
@@ -45,24 +45,24 @@
 <% if ! @page.categories.empty? %>
 <div id="article-cat">
   <h4><%= _('Categories') %></h4>
-    <%= @page.categories.map {|item| link_to_category(item, false) }.join(", ") %>
+    <%= safe_join(@page.categories.map {|item| link_to_category(item, false) }, ", ") %>
 </div>
 <% end %>
 <% if !@page.tags.empty? %>
   <div id="article-tags">
-    <%= _("This article's tags:") %>
-    <%= @page.tags.map { |t| link_to(t, :controller => 'profile', :profile => @profile.identifier, :action => 'tags', :id => t.name ) }.join("\n") %>
+    <%= _("This article's tags:").html_safe %>
+    <%= safe_join(@page.tags.map { |t| link_to(t, :controller => 'profile', :profile => @profile.identifier, :action => 'tags', :id => t.name ) }, "\n") %>
   </div>
 <% end %>
 <%= display_source_info(@page) %>
-<%= @plugins.dispatch(:article_extra_contents, @page).collect { |content| instance_exec(&content) }.join("") %>
+<%= safe_join(@plugins.dispatch(:article_extra_contents, @page).collect { |content| instance_exec(&content) }, "") %>
 <% if @page.accept_comments? || @comments_count > 0 %>
   <div class="comments" id="comments_list">
-    <h3 <%= 'class="no-comments-yet"' if @comments_count == 0 %>>
+    <h3 <%= 'class="no-comments-yet"'.html_safe if @comments_count == 0 %>>
       <%= display_number_of_comments(@comments_count) %>
     </h3>
@@ -5,5 +5,5 @@
       <li><%= link_to text, link, :target => '_blank' %></li>
     <% end %>
   </ul>
-  <%= @toc.text %>
+  <%= raw @toc.text %>
 </div>
@@ -5,7 +5,7 @@
 <p>
 <%=  _('Here you can enable or disable several features of your environment. Each feature represents some funcionality that your environment can use if you enable it.
-Check all the features you want to enable for your environment, uncheck all the ones you don\'t want, and use the <em>"Save changes" button</em> to confirm your changes.') %>
+Check all the features you want to enable for your environment, uncheck all the ones you don\'t want, and use the <em>"Save changes" button</em> to confirm your changes.').html_safe %>
 </p>
 <%= labelled_form_for(:environment, :url => {:action => 'update'}) do |f| %>
@@ -7,7 +7,7 @@
           <div class='highlighted-news-item post-<%= index + 1 %>-inner'>
             <h2><%= link_to(h(highlighted.title), highlighted.url, :class => 'post-title') %></h2>
             <span class="post-date"><%= show_date(highlighted.published_at, true) %> </span>
-            <div class='headline'><%= highlighted.lead %></div>
+            <div class='headline'><%= raw highlighted.lead %></div>
             <p class='highlighted-news-read-more'>
               <%= link_to(_('Read more'), highlighted.url) %>
             </p>
@@ -49,7 +49,7 @@
     <% end %>
   <% end %>
 <% else %>
-  <%= environment.description %>
+  <%= environment.description.html_safe %>
 <% end %>
 <% if environment.enabled?('search_in_home') %>
@@ -3,12 +3,12 @@
 <%= form_tag do %>
-  <%= [
+  <%= safe_join([
         radio_button_tag(:import_from, "manual", @import_from == "manual", :onclick => 'hide_invite_friend_login_password()') + content_tag('label', _('Manually (empty field)'), :for => "import_from_manual"),
         radio_button_tag(:import_from, "gmail", @import_from == "gmail", :onclick => 'show_invite_friend_login_password(this.value)') + content_tag('label', 'Gmail', :for => 'import_from_gmail'),
         radio_button_tag(:import_from, "yahoo", @import_from == "yahoo", :onclick => 'show_invite_friend_login_password(this.value)') + content_tag('label', 'Yahoo', :for => "import_from_yahoo"),
         radio_button_tag(:import_from, "hotmail", @import_from == "hotmail", :onclick => 'show_invite_friend_login_password(this.value)') + content_tag('label', 'Hotmail', :for => "import_from_hotmail")
-      ].join("\n<br/>\n") %>
+      ], "\n<br/>\n".html_safe) %>
   <script type="text/javascript">
     function hide_invite_friend_login_password() {
@@ -7,22 +7,23 @@
     </span>
   <% else %>
     <span class='not-logged-in'>
-      <%= _("<span class='login'>%s</span>") % modal_inline_link_to('<i class="icon-menu-login"></i><strong>' + _('Login') + '</strong>', login_url, '#inlineLoginBox', :id => 'link_login') %>
-      <%= @plugins.dispatch(:alternative_authentication_link).collect { |content| instance_exec(&content) }.join("") %>
+      <%= usermenu_notlogged_in %>
+      <% @plugins.dispatch(:alternative_authentication_link).collect do |content|%>
+         <%= instance_exec(&content) %> 
+      <%end%>
-    <div id='inlineLoginBox' style='display: none;'>
-      <%= render :file => 'account/login', :locals => { :is_popin => true } %>
-    </div>
+      <div id='inlineLoginBox' style='display: none;'>
+        <%= render :file => 'account/login', :locals => { :is_popin => true } %>
+      </div>
-    <% unless @plugins.dispatch(:allow_user_registration).include?(false) %>
-      <%= _("<span class='or'>or</span> <span class='signup'>%s</span>") % link_to('<strong>' + _('Sign up') + '</strong>', :controller => 'account', :action => 'signup')%>
-    <% end %>
-
-  </span>
+      <% unless @plugins.dispatch(:allow_user_registration).include?(false) %>
+        <%= usermenu_signup %>
+      <% end %>
+    </span>
   <% end %>
   <form action="/search/articles" id="top-search" class="search_form clean" method="get">
     <input name="query" size="15" title="<%=_('Search...')%>" onfocus="this.form.className='focused';" onblur="this.form.className=''" />
-    <div><%=_('Press <strong>Enter</strong> to send the search query.')%></div>
+    <div><%=_('Press <strong>Enter</strong> to send the search query.').html_safe%></div>
     <%= javascript_tag 'jQuery("#user form input").hint();' %>
   </form>
 </div><!-- end id="user" -->
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<%= html_language %>" lang="<%= html_language %>" class="<%= h html_tag_classes %>">
   <head>
-    <title><%= h page_title %></title>
+    <title><%= h page_title.html_safe %></title>
     <%= yield(:feeds) %>
     <!--<meta http-equiv="refresh" content="1"/>-->
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
@@ -20,24 +20,33 @@
     <%# Add custom tags/styles/etc via content_for %>
     <%= yield :head %>
     <%=
-      @plugins.dispatch(:head_ending).map do |content|
-        if content.respond_to?(:call) then instance_exec(&content).to_s.html_safe else content.to_s.html_safe end
-      end.join("\n")
+      str = (@plugins.dispatch(:head_ending).map do |content|
+              if content.respond_to?(:call) then 
+                instance_exec(&content).to_s
+              else 
+                content.to_s
+              end
+            end)
+      safe_join(str, "\n")
     %>
     <script type="text/javascript">
-      DEFAULT_LOADING_MESSAGE = <%="'#{ _('loading...') }'" %>;
-      noosfero.profile = <%= (@profile.identifier if @profile).to_json %>
+      DEFAULT_LOADING_MESSAGE = <%="'#{ _('loading...') }'".html_safe %>;
+      noosfero.profile = <%= (@profile.identifier if @profile).to_json.html_safe %>
     </script>
   </head>
   <body class="<%= h body_classes %>">
     <a href="#content" id="link-go-content"><span><%= _("Go to the content") %></span></a>
-
     <%=
-      @plugins.dispatch(:body_beginning).map do |content|
-        if content.respond_to?(:call) then instance_exec(&content).to_s.html_safe else content.to_s.html_safe end
-      end.join("\n")
+      str = (@plugins.dispatch(:body_beginning).map do |content|
+              if content.respond_to?(:call) then 
+                instance_exec(&content).to_s
+              else 
+                content.to_s 
+              end
+            end)
+      safe_join(str, "\n")
     %>
     <div id="global-header">
       <%= global_header %>
@@ -75,9 +84,14 @@
     <%= noosfero_layout_features %>
     <%= addthis_javascript %>
     <%=
-      @plugins.dispatch(:body_ending).map do |content|
-        if content.respond_to?(:call) then instance_exec(&content).html_safe else content.html_safe end
-      end.join("\n")
+      str = (@plugins.dispatch(:body_ending).map do |content|
+              if content.respond_to?(:call) then 
+                instance_exec(&content)
+              else 
+                content
+              end
+            end)
+      safe_join(str, "\n")
     %>
   </body>
 </html>
@@ -16,7 +16,7 @@
   <% if profile.user.enable_email %>
     <h2><%= ('E-mail address') %></h2>
     <ul>
-      <%= profile.email_addresses.map{|i| content_tag('li', i)}.join("\n") %>
+      <%= safe_join(profile.email_addresses.map{|i| content_tag('li', i)}, "\n") %>
     </ul>
     <h2><%= _('Configuration') %></h2>
     <ul>
@@ -31,7 +31,7 @@
   <% else %>
     <h2><%= _("Enable e-Mail account below:") %></h2>
-    <ul><%= profile.email_addresses.map{|i| content_tag('li', i)}.join("\n") %></ul>
+    <ul><%= safe_join(profile.email_addresses.map{|i| content_tag('li', i)}, "\n") %></ul>
     <blockquote><%= _("You'll be able to access a webmail from your user menu.") %></blockquote>
     <% button_bar do %>
       <%= button(:ok, _('Enable e-Mail'), { :action => 'enable' }, :method => 'post') %>
@@ -4,7 +4,7 @@
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
   </head>
   <body style="margin: 0">
-    <%= word_wrap(@message) %>
+    <%= raw word_wrap(@message) %>
     <p>
       --<br/>
       <%= @signature_message %><br/>
@@ -14,7 +14,7 @@
     </div>
     <div id='product-extra-content'>
       <% extra_content = @plugins.dispatch(:product_info_extras, @product).collect { |content| instance_exec(&content) } %>
-      <%= extra_content.join("\n") %>
+      <%= safe_join(extra_content, "\n") %>
     </div>
     <div id='product-info'>
       <%= render :partial => 'manage_products/display_info' %>
@@ -34,13 +34,13 @@
   <div style='margin-bottom: 0.5em' id='community-join-before'>
     <%= radio_button 'community', 'closed', 'true', :style => 'float: left' %>
     <div style='margin-left: 30px'>
-      <%= _('<strong>Before</strong> joining this group (a moderator has to accept the member in pending request before member can access the intranet and/or the website).') %>
+      <%= _('<strong>Before</strong> joining this group (a moderator has to accept the member in pending request before member can access the intranet and/or the website).').html_safe %>
     </div>
   </div>
   <div id='community-join-after'>
     <%= radio_button 'community', 'closed', 'false', :style => 'float: left' %>
     <div style='margin-left: 30px'>
-      <%= _('<strong>After</strong> joining this group (a moderator can always desactivate access for users later).') %>
+      <%= _('<strong>After</strong> joining this group (a moderator can always desactivate access for users later).').html_safe %>
     </div>
   </div>
@@ -2,7 +2,7 @@
 <%= _("You have %d pending task(s).") % @tasks.size %>
-<%= @tasks.map{|i| " * #{i.description}"}.join("\n") %>
+<%= safe_join(@tasks.map{|i| " * #{i.description}"}, "\n") %>
 <%= _("Click in address below to process task(s):") %>
@@ -11,7 +11,7 @@
 <% pending_tasks = @person.pending_tasks_for_organization(organization) %>
 <%= _("%s has %d pending task(s).") % [organization.name, pending_tasks.size] %>
-<%= pending_tasks.map{|i| " * #{i.information}"}.join("\n") %>
+<%= safe_join(pending_tasks.map{|i| " * #{i.information}"}, "\n") %>
 <%= _("Click in address below to process task(s):") %>
@@ -20,6 +20,6 @@
   <%= pagination_links @tagged, :param_name => 'npage' %>
   <div>
-    <%= link_to _('See content tagged with "%s" in the entire site') % escaped_tag, :controller => 'search', :action => 'tag', :tag => @tag %>
+    <%= link_to (_('See content tagged with "%s" in the entire site') % escaped_tag).html_safe, :controller => 'search', :action => 'tag', :tag => @tag %>
   </div>
 <% end %>
@@ -5,7 +5,7 @@
 <% else %>
   <% unless profile.description.blank? %>
     <div class='public-profile-description'>
-      <%= profile.description %>
+      <%= raw profile.description %>
     </div>
   <% end %>
   <div id='public-profile-search'>
@@ -34,13 +34,13 @@
   <div style='margin-bottom: 0.5em'>
     <%= radio_button 'profile_data', 'closed', 'true', :style => 'float: left' %>
     <div style='margin-left: 30px'>
-      <%= _('<strong>Before</strong> joining this group (a moderator has to accept the member in pending request before member can access the intranet and/or the website).') %>
+      <%= _('<strong>Before</strong> joining this group (a moderator has to accept the member in pending request before member can access the intranet and/or the website).').html_safe %>
     </div>
   </div>
   <div>
     <%= radio_button 'profile_data', 'closed', 'false', :style => 'float: left' %>
     <div style='margin-left: 30px'>
-      <%= _('<strong>After</strong> joining this group (a moderator can always desactivate access for users later).') %>
+      <%= _('<strong>After</strong> joining this group (a moderator can always desactivate access for users later).').html_safe %>
     </div>
   </div>
   <br>
@@ -52,13 +52,13 @@
 <div style='margin-bottom: 0.5em'>
   <%= radio_button 'profile_data', 'moderated_articles', 'true', :style => 'float: left' %>
   <div style='margin-left: 30px'>
-    <%= _('<strong>Before</strong> being published in this group (a moderator has to accept the article in pending request before the article be listed as a article of this group).') %>
+    <%= _('<strong>Before</strong> being published in this group (a moderator has to accept the article in pending request before the article be listed as a article of this group).').html_safe %>
   </div>
 </div>
 <div>
   <%= radio_button 'profile_data', 'moderated_articles', 'false', :style => 'float: left' %>
   <div style='margin-left: 30px'>
-    <%= _('<strong>After</strong> being published in this group (a moderator can always remove publicated articles later).') %>
+    <%= _('<strong>After</strong> being published in this group (a moderator can always remove publicated articles later).').html_safe %>
   </div>
 </div>
@@ -4,7 +4,7 @@
   <%= required f.text_field(:name) %>
-  <%= @plugins.dispatch(:profile_info_extra_contents).collect { |content| instance_exec(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:profile_info_extra_contents).collect { |content| instance_exec(&content) }, "") %>
 <% if @environment.enabled?('enable_organization_url_change') %>
   <script type="text/javascript">
@@ -41,7 +41,7 @@
     <div id="profile-identifier-formitem">
       <%= required labelled_form_field( _('Address'),
             content_tag('code',
-              url_for(profile.url).gsub(/#{profile.identifier}$/, '') +
+              url_for(profile.url).gsub(/#{profile.identifier}$/, '').html_safe +
               text_field(:profile_data, :identifier, :onchange => "warn_value_change()", :size => 25)
             ) +
             content_tag('div',
@@ -4,7 +4,7 @@
   <div class='pending-tasks'>
     <h2><%= _('You have pending requests') %></h2>
     <ul>
-      <%= @pending_tasks.map {|task| content_tag('li', task_information(task))}.join %>
+      <%= safe_join(@pending_tasks.map {|task| content_tag('li', task_information(task))}) %>
     </ul>
     <%= button(:todo, _('Process requests'), :controller => 'tasks', :action => 'index') %>
   </div>
@@ -16,7 +16,7 @@
     </div>
   </div>
-  <%= @plugins.dispatch(:profile_info_extra_contents).collect { |content| instance_exec(&content) }.join("") %>
+  <%= safe_join(@plugins.dispatch(:profile_info_extra_contents).collect { |content| instance_exec(&content) }, "") %>
   <div class="formfieldline">
     <%= label_tag("private_token", _("Private Token")) %>
@@ -26,20 +26,20 @@
   <% if profile.person? %>
     <div>
-      <%= labelled_radio_button _('Public &mdash; show my contents to all internet users'), 'profile_data[public_profile]', true, @profile.public_profile? %>
+      <%= labelled_radio_button _('Public &mdash; show my contents to all internet users').html_safe, 'profile_data[public_profile]', true, @profile.public_profile? %>
     </div>
     <div>
-      <%= labelled_radio_button _('Private &mdash; show my contents only to friends'), 'profile_data[public_profile]', false, !@profile.public_profile? %>
+      <%= labelled_radio_button _('Private &mdash; show my contents only to friends').html_safe, 'profile_data[public_profile]', false, !@profile.public_profile? %>
     </div>
   <% else %>
     <div>
-      <%= labelled_check_box _("Secret &mdash; hide the community and all its contents for non members and other people can't join this community unless they are invited to."), 'profile_data[secret]', true, profile.secret, :class => "profile-secret-box" %>
+      <%= labelled_check_box _("Secret &mdash; hide the community and all its contents for non members and other people can't join this community unless they are invited to.").html_safe, 'profile_data[secret]', true, profile.secret, :class => "profile-secret-box" %>
     </div>
     <div>
-      <%= labelled_radio_button _('Public &mdash; show content of this group to all internet users'), 'profile_data[public_profile]', true, @profile.public_profile?, :class => "public-community-button" %>
+      <%= labelled_radio_button _('Public &mdash; show content of this group to all internet users').html_safe, 'profile_data[public_profile]', true, @profile.public_profile?, :class => "public-community-button" %>
     </div>
     <div>
-      <%= labelled_radio_button _('Private &mdash; show content of this group only to members'), 'profile_data[public_profile]', false, !@profile.public_profile?, :class => "private-community-button" %>
+      <%= labelled_radio_button _('Private &mdash; show content of this group only to members').html_safe, 'profile_data[public_profile]', false, !@profile.public_profile?, :class => "private-community-button" %>
     </div>
   <% end %>
@@ -60,9 +60,9 @@
   )%>
   <%=
-    @plugins.dispatch(:profile_editor_extras).map do |content|
+    safe_join(@plugins.dispatch(:profile_editor_extras).map do |content|
       content.kind_of?(Proc) ? self.instance_exec(&content) : content
-    end.join("\n")
+    end, "\n")
   %>
   <%= select_categories(:profile_data, _('Select the categories of your interest'), 2) %>
@@ -7,7 +7,7 @@
         <p><%= _('Roles:') %> </p>
         <% @data[:roles].each do |r| %>
-          <%= labelled_check_box(r.name, 'filters[roles][]', r.id, @filters[:roles].include?(r.id.to_s), :add_hidden => false) %><br/>
+          <%= raw labelled_check_box(r.name, 'filters[roles][]', r.id, @filters[:roles].include?(r.id.to_s), :add_hidden => false) %><br/>
         <% end %>
         <p>
           <%= submit_button(:search, _('Search')) %>
@@ -2,7 +2,7 @@
 <div class="search-article-author-changes">
   <% if article.last_changed_by and article.last_changed_by != article.profile %>
-    <span><%= _('Updated by %{name} at %{date}') % {:name => link_to(article.last_changed_by.name, article.last_changed_by.url),
+    <span><%= _('Updated by %{name} at %{date}').html_safe % {:name => link_to(article.last_changed_by.name, article.last_changed_by.url),
       :date => show_date(article.updated_at) } %></span>
   <% else %>
     <span><%= _('Last update: %s.') % show_date(article.updated_at) %></span>
 <% extra_content = @plugins.dispatch(:asset_product_extras, product).collect { |content| instance_exec(&content) } %>
-<% extra_properties = @plugins.dispatch(:asset_product_properties, product)%>
+<% extra_properties = @plugins.dispatch(:asset_product_properties, product) %>
 <li class="search-product-item <%= 'highlighted' if product.highlighted? %>">
@@ -77,9 +77,9 @@
   <div style="clear: both"></div>
-  <%= extra_content.join('\n') %>
+  <%= safe_join(extra_content, '\n') %>
   <% extra_properties.each do |property| %>
-    <div><%= property[:name] + ': ' + instance_exec(&property[:content]) %></div>
+    <div><%= ''.html_safe + property[:name] + ': ' + instance_exec(&property[:content]) %></div>
   <% end %>
 </li>
 <h2>
-  <%= _('Tagged with "%s"') % content_tag('code', @tag) %>
+  <%= _('Tagged with "%s"').html_safe % content_tag('code', @tag) %>
 </h2>
 <% button_bar do %>
@@ -6,9 +6,9 @@
       </div>
       <span class='profile-details'>
         <strong><%= group.name %></strong><br/>
-        <%= _('Role: %s') % rolename_for(profile, group) + '<br/>' if profile.role_assignments.find_by(resource_id: group.id) %>
+        <%= raw _('Role: %s') % rolename_for(profile, group) + '<br/>' if profile.role_assignments.find_by(resource_id: group.id) %>
         <%= _('Type: %s') % _(group.class.identification) %> <br/>
-        <%= _('Description: %s') % group.description  + '<br/>' if group.community? %>
+        <%= raw _('Description: %s') % group.description  + '<br/>' if group.community? %>
         <%= _('Members: %s') % group.members_count.to_s %> <br/>
         <%= _('Created at: %s') % show_date(group.created_at) unless group.enterprise? %> <br/>
         <% button_bar do %>
 <%= content = _("Roles:")+"<br />"
 roles = Profile::Roles.organization_member_roles(task.target.environment.id) + profile.custom_roles
 roles.each do |role|
-  content += labelled_check_box(role.name, "tasks[#{task.id}][task][roles][]", role.id, false)+"<br />"
+  content += labelled_check_box(role.name, "tasks[#{task.id}][task][roles][]", role.id, false) + "<br />".html_safe
 end
-content_tag('p', content, :class => 'member-classify-suggestion')
+content_tag('p', content.html_safe, :class => 'member-classify-suggestion').html_safe
 %>
@@ -3,7 +3,7 @@
   if icon_info[:type] == :profile_image
     icon = profile_image(icon_info[:profile], :minor)
   elsif icon_info[:type] == :defined_image
-    icon = "<img src='#{icon_info[:src]}' alt='#{icon_info[:name]}' />"
+    icon = "<img src='#{icon_info[:src]}' alt='#{icon_info[:name]}' />".html_safe
   end
   if icon_info[:url]
@@ -3,7 +3,7 @@
 <ul>
   <% @tasks.each do |task| %>
     <li>
-      <strong><%= task.respond_to?(:title) ? link_to( task.title, :action => 'ticket_details', :id => task.id) : task.information %></strong><br/>
+      <strong><%= task.respond_to?(:title) ? link_to( task.title, :action => 'ticket_details', :id => task.id).html_safe : task.information %></strong><br/>
       <small>
         <%= _('Created:') + ' ' + show_date(task.created_at) %>
         &nbsp; &#151; &nbsp;
@@ -1,10 +0,0 @@
-#From: https://github.com/coletivoEITA/noosfero-ecosol/blob/57908cde4fe65dfe22298a8a7f6db5dba1e7cc75/config/initializers/html_safe.rb
-
-# Disable Rails html autoescaping. This is due to noosfero using too much helpers/models to output html.
-# It it would change too much code and make it hard to maintain.
-# FIXME THIS IS SO WRONG
-class Object
-  def html_safe?
-    true
-  end
-end
@@ -611,7 +611,7 @@ class Noosfero::Plugin
   end
   # -> Perform extra transactions related to profile in profile editor
-  # returns = true in success or raise and exception if it could not update the data
+  # returns = true in success or raise an exception if it could not update the data
   def profile_editor_transaction_extras
     nil
   end
@@ -49,7 +49,7 @@ class BreadcrumbsPlugin::ContentBreadcrumbsBlock &lt; Block
   def content(args={})
     block = self
-    proc do
+    ret = (proc do
       trail = block.trail(@page, @profile, params)
       if !trail.empty?
         separator = content_tag('span', ' > ', :class => 'separator')
@@ -63,11 +63,12 @@ class BreadcrumbsPlugin::ContentBreadcrumbsBlock &lt; Block
           breadcrumb << content_tag('div', section_name, :class => 'section-name')
         end
-        breadcrumb
+        breadcrumb.html_safe
       else
         ''
       end
-    end
+    end)
+    ret
   end
   def cacheable?
@@ -23,7 +23,7 @@
       <%= link_to(
             content_tag('span','',:class => 'community-block-button icon-arrow'),
             '#',
-            :onclick => "toggleSubmenu(this,'',#{CGI::escapeHTML(links.to_json)}); return false;",
+            :onclick => "toggleSubmenu(this,'',#{CGI::escapeHTML(links.to_json)}); return false;".html_safe,
             :class => 'simplemenu-trigger') %>
       <% end %>
@@ -86,15 +86,16 @@ class ContextContentPlugin::ContextContentBlock &lt; Block
   def content(args={})
     block = self
-    proc do
+    ret = proc do
       contents = block.contents(@page)
       parent_title = block.parent_title(contents)
-      if !contents.blank?
+      if contents.present?
         render(:file => 'blocks/context_content', :locals => {:block => block, :contents => contents, :parent_title => parent_title})
       else
         ''
       end
     end
+    ret
   end
   def cacheable?
@@ -6,9 +6,9 @@
 <% if @submission.id.nil? %>
   <% if @form.expired? %>
     <% if @form.will_open? %>
-      <h2><%= _('Sorry, you can\'t fill this form yet') %></h2>
+      <h2><%= _('Sorry, you can\'t fill this form yet').html_safe %></h2>
     <% else %>
-      <h2><%= _('Sorry, you can\'t fill this form anymore') %></h2>
+      <h2><%= _('Sorry, you can\'t fill this form anymore').html_safe %></h2>
     <% end %>
   <% end %>
@@ -177,9 +177,9 @@ class DisplayContentBlock &lt; Block
           content_sections += read_more_section if !read_more_section.blank?
 #raise sections.inspect
-          content_tag('li', content_sections)
+          content_tag('li', content_sections.html_safe)
         end
-      }.join(" "))
+      }.join(" ").html_safe)
     end
   end
@@ -3,11 +3,11 @@
   ev_days_tag = ''
   if event.duration > 1
     ev_days_tag = content_tag('time',
-      n_('Duration: 1 day', 'Duration: %s days', event.duration) % "<b>#{event.duration}</b>",
+      n_('Duration: 1 day', 'Duration: %s days', event.duration).html_safe % "<b>#{event.duration}</b>".html_safe,
       :itemprop => 'endDate',
       :datetime => show_date(event.end_date) + 'T00:00',
       :class => 'duration',
-      :title => show_date(event.start_date) + ' &mdash; ' + time_left_str
+      :title => (show_date(event.start_date) + ' &mdash; ' + time_left_str).html_safe
     )
   end
@@ -16,7 +16,7 @@
   img_class = img.blank? ? 'no-img' : 'has-img'
 %>
 <%=
-  link_to([
+  link_to(safe_join([
       content_tag('time',
         block.date_to_html(event.start_date),
         :itemprop => 'startDate',
@@ -33,7 +33,7 @@
                   :itemtype => 'http://schema.org/Place',
                   :itemprop => :location),
       content_tag('span', time_left_str, :class => 'days-left ' + time_class)
-    ].join("\n"),
+    ], "\n"),
     (event.link.blank? ? event.url : event.link),
     :class => 'ev-days-' + event.duration.to_s,
     :itemprop => :url
@@ -55,7 +55,7 @@ class MetadataPlugin::Base &lt; Noosfero::Plugin
           end
         end
       end
-      r.join
+      safe_join(r)
     end
   end
@@ -110,11 +110,11 @@ class NewsletterPlugin::Newsletter &lt; ApplicationRecord
   include DatesHelper
   def message_to_public_link
-    content_tag(:p, _("If you can't view this email, %s.") % link_to(_('click here'), '{mailing_url}'), :id => 'newsletter-public-link')
+    content_tag(:p, (_("If you can't view this email, %s.") % link_to(_('click here'), '{mailing_url}')).html_safe, :id => 'newsletter-public-link').html_safe
   end
   def message_to_unsubscribe
-    content_tag(:div, _("This is an automatically generated email, please do not reply. If you do not wish to receive future newsletter emails, %s.") % link_to(_("cancel your subscription here"), self.unsubscribe_url, :style => CSS['public-link']), :style => CSS['newsletter-unsubscribe'], :id => 'newsletter-unsubscribe')
+    content_tag(:div, _("This is an automatically generated email, please do not reply. If you do not wish to receive future newsletter emails, %s.").html_safe % link_to(_("cancel your subscription here"), self.unsubscribe_url, :style => CSS['public-link']), :style => CSS['newsletter-unsubscribe'], :id => 'newsletter-unsubscribe').html_safe
   end
   def read_more(link_address)
@@ -130,13 +130,13 @@ class NewsletterPlugin::Newsletter &lt; ApplicationRecord
   end
   def body(data = {})
-    content_tag(:div, content_tag(:div, message_to_public_link, :style => CSS['newsletter-public-link'])+content_tag(:table,(self.image.nil? ? '' : content_tag(:tr, content_tag(:th, tag(:img, :src => "#{self.environment.top_url}#{self.image.public_filename}", :style => CSS['header-image']),:colspan => 2),:style => CSS['newsletter-header']))+self.posts(data).map do |post|
+    content_tag(:div, content_tag(:div, message_to_public_link, :style => CSS['newsletter-public-link']).html_safe+content_tag(:table,(self.image.nil? ? '' : content_tag(:tr, content_tag(:th, tag(:img, :src => "#{self.environment.top_url}#{self.image.public_filename}", :style => CSS['header-image']),:colspan => 2),:style => CSS['newsletter-header'])).html_safe+self.posts(data).map do |post|
         if post.image
           post_with_image(post)
         else
           post_without_image(post)
         end
-      end.join()+content_tag(:tr, content_tag(:td, self.footer, :colspan => 2)),:style => CSS['breakingnews'])+content_tag(:div,message_to_unsubscribe, :style => CSS['newsletter-unsubscribe']),:style => CSS['breakingnews-wrap'])
+      end.join().html_safe+content_tag(:tr, content_tag(:td, self.footer, :colspan => 2)),:style => CSS['breakingnews']).html_safe+content_tag(:div,message_to_unsubscribe, :style => CSS['newsletter-unsubscribe']),:style => CSS['breakingnews-wrap']).html_safe
   end
   def default_subject
@@ -15,7 +15,7 @@
             <%= show_date(headline.published_at) %>
           </div>
           <div class='tags'>
-            <%= headline.tags.map { |t| link_to(t, :controller => 'profile', :profile => member.identifier, :action => 'tags', :id => t.name ) }.join("\n") %>
+            <%= safe_join(headline.tags.map { |t| link_to(t, :controller => 'profile', :profile => member.identifier, :action => 'tags', :id => t.name ) }, "\n") %>
           </div>
         </div>
       </div>
@@ -83,7 +83,7 @@ class RelevantContentPlugin::RelevantContentBlock &lt; Block
         end
       end
     end
-    return content
+    return content.html_safe
   end
   def timeout
@@ -17,7 +17,7 @@ class RequireAuthToCommentPlugin &lt; Noosfero::Plugin
   end
   def profile_editor_extras
-    expanded_template('profile-editor-extras.html.erb')
+    expanded_template('profile-editor-extras.html.erb').html_safe
   end
   def stylesheet?
@@ -6,11 +6,11 @@
 <script>
   jQuery( document ).ready(function( $ ) {
     <% actions.each_with_index do |action, index| %>
-      <%= "siteTourPlugin.add('#{j action[:group_name]}', '#{j action[:selector]}', '#{j parse_tour_description(action[:description])}', #{index + 1});" %>
+      <%= raw "siteTourPlugin.add('#{j action[:group_name]}', '#{j action[:selector]}', '#{j parse_tour_description(action[:description])}', #{index + 1});" %>
     <% end %>
     <% (group_triggers||[]).each do |group| %>
-      <%= "siteTourPlugin.addGroupTrigger('#{j group[:group_name]}', '#{j group[:selector]}', '#{j group[:event]}');" %>
+      <%= "siteTourPlugin.addGroupTrigger('#{j group[:group_name]}', '#{j group[:selector]}', '#{j group[:event]}');".html_safe %>
     <% end %>
     siteTourPlugin.setOption('nextLabel', '<%= _('Next') %>');
@@ -46,8 +46,8 @@
   var currentProfile = <%= filter_visible_attr_profile(profile).to_json %>;
   sniffer.search.map.load({
     "zoom": <%= GoogleMaps.initial_zoom.to_json %>,
-    "balloonUrl": <%= url_for(:controller => :sniffer_plugin_myprofile, :action => :map_balloon, :id => "_id_", :escape => false).to_json %>,
-    "myBalloonUrl": <%= url_for(:controller => :sniffer_plugin_myprofile, :action => :my_map_balloon, :escape => false).to_json %>,
+    "balloonUrl": <%= raw url_for(:controller => :sniffer_plugin_myprofile, :action => :map_balloon, :id => "_id_", :escape => false).to_json %>,
+    "myBalloonUrl": <%= raw url_for(:controller => :sniffer_plugin_myprofile, :action => :my_map_balloon, :escape => false).to_json %>,
     "profiles": <%=
       @profiles_data.map do |id, profile_data|
         data = filter_visible_attr_profile(profile_data[:profile])
@@ -55,7 +55,7 @@
         data[:suppliersProducts] = filter_visible_attr_suppliers_products(profile_data[:suppliers_products])
         data[:icon] = profile_data[:profile][:icon]
         data
-      end.to_json
+      end.to_json.html_safe
     %>
   });
 </script>
@@ -3,7 +3,7 @@
     <%= link_to _('Manual'), '/doc', id: "link-to-doc", class: 'icon-help' %>
   </div><!-- end id="footer-links" -->
   <div id="copyright">
-    <p><%= _('This social network uses <a href="http://noosfero.org/">Noosfero</a>, developed by %s and licensed under the <a href="http://www.gnu.org/licenses/agpl.html">GNU Affero General Public License</a> version 3 or any later version.') % link_to('Colivre', 'http://colivre.coop.br/') %></p>
+    <p><%= (_('This social network uses <a href="http://noosfero.org/">Noosfero</a>, developed by %s and licensed under the <a href="http://www.gnu.org/licenses/agpl.html">GNU Affero General Public License</a> version 3 or any later version.') % link_to('Colivre', 'http://colivre.coop.br/')).html_safe %></p>
   </div><!-- end id="copyright" -->
   <%= language_chooser(environment) %>
 </div>
 <div id="footer-content">
-  <p><%= _('This site uses <a href="http://noosfero.org/">Noosfero</a>, developed by %s and licensed under the <a href="http://www.gnu.org/licenses/agpl.html">GNU Affero General Public License</a> version 3 or any later version.') % link_to('Colivre', 'http://colivre.coop.br/') %></p>
+  <p><%= _('This site uses <a href="http://noosfero.org/">Noosfero</a>, developed by %s and licensed under the <a href="http://www.gnu.org/licenses/agpl.html">GNU Affero General Public License</a> version 3 or any later version.') % link_to('Colivre', 'http://colivre.coop.br/').html_safe %></p>
 </div>
@@ -689,7 +689,7 @@ class AccountControllerTest &lt; ActionController::TestCase
   should 'merge user data with extra stuff from plugins' do
     class Plugin1 < Noosfero::Plugin
       def user_data_extras
-        {:foo => 'bar'}
+        {:foo => 'bar'.html_safe }
       end
     end
@@ -787,12 +787,12 @@ class AccountControllerTest &lt; ActionController::TestCase
   should 'add extra content on signup forms from plugins' do
     class Plugin1 < Noosfero::Plugin
       def signup_extra_contents
-        proc {"<strong>Plugin1 text</strong>"}
+        proc {"<strong>Plugin1 text</strong>".html_safe}
       end
     end
     class Plugin2 < Noosfero::Plugin
       def signup_extra_contents
-        proc {"<strong>Plugin2 text</strong>"}
+        proc {"<strong>Plugin2 text</strong>".html_safe}
       end
     end
     Noosfero::Plugin.stubs(:all).returns([Plugin1.name, Plugin2.name])
@@ -909,12 +909,12 @@ class AccountControllerTest &lt; ActionController::TestCase
   should 'add extra content on login form from plugins' do
     class Plugin1 < Noosfero::Plugin
       def login_extra_contents
-        proc {"<strong>Plugin1 text</strong>"}
+        proc {"<strong>Plugin1 text</strong>".html_safe}
       end
     end
     class Plugin2 < Noosfero::Plugin
       def login_extra_contents
-        proc {"<strong>Plugin2 text</strong>"}
+        proc {"<strong>Plugin2 text</strong>".html_safe}
       end
     end
     Noosfero::Plugin.stubs(:all).returns([Plugin1.name, Plugin2.name])
@@ -375,7 +375,7 @@ class ApplicationControllerTest &lt; ActionController::TestCase
   should 'include javascripts supplied by plugins' do
     class Plugin1 < Noosfero::Plugin
       def js_files
-        ['js1.js']
+        ['js1.js'.html_safe]
       end
     end
@@ -384,7 +384,7 @@ class ApplicationControllerTest &lt; ActionController::TestCase
     class Plugin2 < Noosfero::Plugin
       def js_files
-        ['js2.js', 'js3.js']
+        ['js2.js'.html_safe, 'js3.js'.html_safe]
       end
     end
@@ -409,12 +409,12 @@ class ApplicationControllerTest &lt; ActionController::TestCase
   should 'include content in the beginning of body supplied by plugins regardless it is a block or html code' do
     class TestBodyBeginning1Plugin < Noosfero::Plugin
       def body_beginning
-        lambda {"<span id='plugin1'>This is [[plugin1]] speaking!</span>"}
+        lambda {"<span id='plugin1'>This is [[plugin1]] speaking!</span>".html_safe}
       end
     end
     class TestBodyBeginning2Plugin < Noosfero::Plugin
       def body_beginning
-        "<span id='plugin2'>This is Plugin2 speaking!</span>"
+        "<span id='plugin2'>This is Plugin2 speaking!</span>".html_safe
       end
     end
@@ -432,12 +432,12 @@ class ApplicationControllerTest &lt; ActionController::TestCase
     class TestHeadEnding1Plugin < Noosfero::Plugin
       def head_ending
-        lambda {"<script>alert('This is [[plugin1]] speaking!')</script>"}
+        lambda {"<script>alert('This is [[plugin1]] speaking!')</script>".html_safe}
       end
     end
     class TestHeadEnding2Plugin < Noosfero::Plugin
       def head_ending
-        "<style>This is Plugin2 speaking!</style>"
+        "<style>This is Plugin2 speaking!</style>".html_safe
       end
     end
@@ -71,13 +71,13 @@ class CatalogControllerTest &lt; ActionController::TestCase
   should 'include extra content supplied by plugins on catalog item extras' do
     class Plugin1 < Noosfero::Plugin
       def catalog_item_extras(product)
-        proc {"<span id='plugin1'>This is Plugin1 speaking!</span>"}
+        proc {"<span id='plugin1'>This is Plugin1 speaking!</span>".html_safe}
       end
     end
     class Plugin2 < Noosfero::Plugin
       def catalog_item_extras(product)
-        proc {"<span id='plugin2'>This is Plugin2 speaking!</span>"}
+        proc {"<span id='plugin2'>This is Plugin2 speaking!</span>".html_safe}
       end
     end
     Noosfero::Plugin.stubs(:all).returns([Plugin1.name, Plugin2.name])
@@ -191,13 +191,13 @@ class EnterpriseRegistrationControllerTest &lt; ActionController::TestCase
   should 'include hidden fields supplied by plugins on enterprise registration' do
     class Plugin1 < Noosfero::Plugin
       def enterprise_registration_hidden_fields
-        {'plugin1' => 'Plugin 1'}
+        {'plugin1' => 'Plugin 1'.html_safe}
       end
     end
     class Plugin2 < Noosfero::Plugin
       def enterprise_registration_hidden_fields
-        {'plugin2' => 'Plugin 2'}
+        {'plugin2' => 'Plugin 2'.html_safe}
       end
     end
     Noosfero::Plugin.stubs(:all).returns([Plugin1.name, Plugin2.name])
@@ -13,7 +13,7 @@ class EventsControllerTest &lt; ActionController::TestCase
     get :events, :profile => profile.identifier
-    today = DateTime.now.strftime("%B %d, %Y")
+    today = DateTime.now.strftime("%B %d, %Y").html_safe
     assert_tag :tag => 'div', :attributes => {:id => "agenda-items"},
       :descendant => {:tag => 'h3', :content => "Events for #{today}"},
       :descendant => {:tag => 'tr', :content => "Joao Birthday"},
@@ -43,7 +43,7 @@ class FriendsControllerTest &lt; ActionController::TestCase
   should 'display find people button' do
     get :index, :profile => 'testuser'
-    assert_tag :tag => 'a', :content => 'Find people', :attributes => { :href => '/search/assets?asset=people' }
+    assert_tag :tag => 'a', :content => 'Find people', :attributes => { :href => '/search/assets?asset=people'.html_safe }
   end
   should 'not display invite friends button if any plugin tells not to' do
@@ -88,12 +88,12 @@ class HomeControllerTest &lt; ActionController::TestCase
   should 'provide a link to make the user authentication' do
     class Plugin1 < Noosfero::Plugin
       def alternative_authentication_link
-        proc {"<a href='plugin1'>Plugin1 link</a>"}
+        proc {"<a href='plugin1'>Plugin1 link</a>".html_safe}
       end
     end
     class Plugin2 < Noosfero::Plugin
       def alternative_authentication_link
-        proc {"<a href='plugin2'>Plugin2 link</a>"}
+        proc {"<a href='plugin2'>Plugin2 link</a>".html_safe}
       end
     end
     Noosfero::Plugin.stubs(:all).returns([Plugin1.name, Plugin2.name])
@@ -168,7 +168,7 @@ class HomeControllerTest &lt; ActionController::TestCase
   should 'plugins add class to the <html>' do
     class Plugin1 < Noosfero::Plugin
       def html_tag_classes
-        lambda { ['t1', 't2'] }
+        lambda { ['t1'.html_safe, 't2'.html_safe] }
       end
     end
@@ -429,12 +429,12 @@ class ManageProductsControllerTest &lt; ActionController::TestCase
   should 'include extra content supplied by plugins on products info extras' do
     class TestProductInfoExtras1Plugin < Noosfero::Plugin
       def product_info_extras(p)
-        proc {"<span id='plugin1'>This is Plugin1 speaking!</span>"}
+        proc {"<span id='plugin1'>This is Plugin1 speaking!</span>".html_safe}
       end
     end
     class TestProductInfoExtras2Plugin < Noosfero::Plugin
       def product_info_extras(p)
-        proc { "<span id='plugin2'>This is Plugin2 speaking!</span>" }
+        proc { "<span id='plugin2'>This is Plugin2 speaking!</span>".html_safe }
       end
     end
@@ -125,7 +125,7 @@ class ProfileControllerTest &lt; ActionController::TestCase
     @profile.articles.create!(:name => 'testarticle', :tag_list => 'tag1')
     get :content_tagged, :profile => @profile.identifier, :id => 'tag1'
-    assert_tag :tag => 'a', :attributes => { :href => '/tag/tag1' }, :content => 'See content tagged with "tag1" in the entire site'
+    assert_tag :tag => 'a', :attributes => { :href => '/tag/tag1' }, :content => 'See content tagged with "tag1" in the entire site'.html_safe
   end
   should 'show a link to own control panel' do
@@ -512,7 +512,7 @@ class ProfileControllerTest &lt; ActionController::TestCase
   should 'show description of orgarnization' do
     login_as(@profile.identifier)
     ent = fast_create(Enterprise)
-    ent.description = 'Enterprise\'s description'
+    ent.description = "<span>Enterprise's description</span>"
     ent.save
     get :index, :profile => ent.identifier
     assert_tag :tag => 'div', :attributes => { :class => 'public-profile-description' }, :content => /Enterprise\'s description/
@@ -1236,13 +1236,13 @@ class ProfileControllerTest &lt; ActionController::TestCase
   should 'display plugins tabs' do
     class Plugin1 < Noosfero::Plugin
       def profile_tabs
-        {:title => 'Plugin1 tab', :id => 'plugin1_tab', :content => proc { 'Content from plugin1.' }}
+        {:title => 'Plugin1 tab', :id => 'plugin1_tab', :content => proc { 'Content from plugin1.'.html_safe }}
       end
     end
     class Plugin2 < Noosfero::Plugin
       def profile_tabs
-        {:title => 'Plugin2 tab', :id => 'plugin2_tab', :content => proc { 'Content from plugin2.' }}
+        {:title => 'Plugin2 tab', :id => 'plugin2_tab', :content => proc { 'Content from plugin2.'.html_safe }}
       end
     end
     Noosfero::Plugin.stubs(:all).returns([Plugin1.to_s, Plugin2.to_s])
@@ -1002,7 +1002,7 @@ class ProfileEditorControllerTest &lt; ActionController::TestCase
   should 'add extra content provided by plugins on edit' do
     class TestProfileEditPlugin < Noosfero::Plugin
       def profile_editor_extras
-        "<input id='field_added_by_plugin' value='value_of_field_added_by_plugin'/>"
+        "<input id='field_added_by_plugin' value='value_of_field_added_by_plugin'/>".html_safe
       end
     end
     Noosfero::Plugin.stubs(:all).returns([TestProfileEditPlugin.to_s])
@@ -1018,7 +1018,7 @@ class ProfileEditorControllerTest &lt; ActionController::TestCase
     class TestProfileEditPlugin < Noosfero::Plugin
       def profile_editor_extras
         lambda do
-          render :text => "<input id='field_added_by_plugin' value='value_of_field_added_by_plugin'/>"
+          (render :text => "<input id='field_added_by_plugin' value='value_of_field_added_by_plugin'/>".html_safe).html_safe
         end
       end
     end
@@ -1043,12 +1043,12 @@ class ProfileEditorControllerTest &lt; ActionController::TestCase
   should 'add extra content on person info from plugins' do
     class Plugin1 < Noosfero::Plugin
       def profile_info_extra_contents
-        proc {"<strong>Plugin1 text</strong>"}
+        proc {"<strong>Plugin1 text</strong>".html_safe}
       end
     end
     class Plugin2 < Noosfero::Plugin
       def profile_info_extra_contents
-        proc {"<strong>Plugin2 text</strong>"}
+        proc {"<strong>Plugin2 text</strong>".html_safe}
       end
     end
     Noosfero::Plugin.stubs(:all).returns([Plugin1.to_s, Plugin2.to_s])
@@ -1065,12 +1065,12 @@ class ProfileEditorControllerTest &lt; ActionController::TestCase
   should 'add extra content on organization info from plugins' do
     class Plugin1 < Noosfero::Plugin
       def profile_info_extra_contents
-        proc {"<strong>Plugin1 text</strong>"}
+        proc {"<strong>Plugin1 text</strong>".html_safe}
       end
     end
     class Plugin2 < Noosfero::Plugin
       def profile_info_extra_contents
-        proc {"<strong>Plugin2 text</strong>"}
+        proc {"<strong>Plugin2 text</strong>".html_safe}
       end
     end
     Noosfero::Plugin.stubs(:all).returns([Plugin1.to_s, Plugin2.to_s])
@@ -150,13 +150,13 @@ class SearchControllerTest &lt; ActionController::TestCase
   should 'include extra content supplied by plugins on product asset' do
     class Plugin1 < Noosfero::Plugin
       def asset_product_extras(product)
-        proc {"<span id='plugin1'>This is Plugin1 speaking!</span>"}
+        proc {"<span id='plugin1'>This is Plugin1 speaking!</span>".html_safe}
       end
     end
     class Plugin2 < Noosfero::Plugin
       def asset_product_extras(product)
-        proc {"<span id='plugin2'>This is Plugin2 speaking!</span>"}
+        proc {"<span id='plugin2'>This is Plugin2 speaking!</span>".html_safe}
       end
     end
     Noosfero::Plugin.stubs(:all).returns([Plugin1.to_s, Plugin2.to_s])
@@ -22,7 +22,7 @@ class TestController &lt; ApplicationController
   end
   def help_textile_with_string
-    render :inline => '<%= help_textile "*my_bold_help_message*" %>'
+    render :inline => '<%= help_textile "*my_bold_help_message*".html_safe %>'
   end
   def help_textile_with_block
@@ -43,7 +43,8 @@ class BlogHelperTest &lt; ActionView::TestCase
       "<#{tag}#{options.map{|k,v| " #{k}=\"#{[v].flatten.join(' ')}\""}.join}>#{content}</#{tag}>"
     end
-    html = Nokogiri::HTML list_posts(blog.posts)
+    html = Nokogiri::HTML list_posts(blog.posts).html_safe
+
     assert_select html, "div#post-#{newer_post.id}.blog-post.position-1.first.odd-post" +
                         " > div.odd-post-inner.blog-post-inner > .title", 'Last post'
     assert_select html, "div#post-#{hidden_post.id}.blog-post.position-2.not-published.even-post" +
@@ -43,13 +43,13 @@ class PluginManagerTest &lt; ActiveSupport::TestCase
     class Plugin1 < Noosfero::Plugin
       def random_event
-        'Plugin 1 action.'
+        'Plugin 1 action.'.html_safe
       end
     end
     class Plugin2 < Noosfero::Plugin
       def random_event
-        'Plugin 2 action.'
+        'Plugin 2 action.'.html_safe
       end
     end
     Noosfero::Plugin.stubs(:all).returns(['PluginManagerTest::Plugin1', 'PluginManagerTest::Plugin2'])
@@ -70,19 +70,19 @@ class PluginManagerTest &lt; ActiveSupport::TestCase
     class Plugin1 < Noosfero::Plugin
       def random_event
-        'Plugin 1 action.'
+        'Plugin 1 action.'.html_safe
       end
     end
     class Plugin2 < Noosfero::Plugin
       def random_event
-        'Plugin 2 action.'
+        'Plugin 2 action.'.html_safe
       end
     end
     class Plugin3 < Noosfero::Plugin
       def random_event
-        'Plugin 3 action.'
+        'Plugin 3 action.'.html_safe
       end
     end
     Noosfero::Plugin.stubs(:all).returns(['PluginManagerTest::Plugin1', 'PluginManagerTest::Plugin2', 'PluginManagerTest::Plugin3'])
@@ -2,6 +2,8 @@ require_relative &quot;../test_helper&quot;
 class RecentDocumentsBlockTest < ActiveSupport::TestCase
+  include ActionView::Helpers::OutputSafetyHelper
+
   def setup
     @articles = []
     @profile = create_user('testinguser').person
	@@ -108,7 +108,7 @@ class CmsController < MyProfileController		@@ -108,7 +108,7 @@ class CmsController < MyProfileController
108	end	108	end
109		109
110	def new	110	def new
111	- # FIXME this method should share some logic wirh edit !!!	111	+ # FIXME this method should share some logic with edit !!!
112		112
113	@success_back_to = params[:success_back_to]	113	@success_back_to = params[:success_back_to]
114	# user must choose an article type first	114	# user must choose an article type first
	@@ -365,7 +365,7 @@ class CmsController < MyProfileController		@@ -365,7 +365,7 @@ class CmsController < MyProfileController
365	def search	365	def search
366	query = params[:q]	366	query = params[:q]
367	results = find_by_contents(:uploaded_files, profile, profile.files.published, query)[:results]	367	results = find_by_contents(:uploaded_files, profile, profile.files.published, query)[:results]
368	- render :text => article_list_to_json(results), :content_type => 'application/json'	368	+ render :text => article_list_to_json(results).html_safe, :content_type => 'application/json'
369	end	369	end
370		370
371	def search_article_privacy_exceptions	371	def search_article_privacy_exceptions
	@@ -5,22 +5,22 @@ module ActionTrackerHelper		@@ -5,22 +5,22 @@ module ActionTrackerHelper
5	end	5	end
6		6
7	def new_friendship_description ta	7	def new_friendship_description ta
8	- n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size) % {	8	+ n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size).html_safe % {
9	num: ta.get_friend_name.size,	9	num: ta.get_friend_name.size,
10	- name: ta.collect_group_with_index(:friend_name) do \|n,i\|	10	+ name: safe_join(ta.collect_group_with_index(:friend_name) do \|n,i\|
11	link_to image_tag(ta.get_friend_profile_custom_icon[i] \|\| default_or_themed_icon("/images/icons-app/person-icon.png")),	11	link_to image_tag(ta.get_friend_profile_custom_icon[i] \|\| default_or_themed_icon("/images/icons-app/person-icon.png")),
12	ta.get_friend_url[i], title: n	12	ta.get_friend_url[i], title: n
13	- end.join	13	+ end)
14	}	14	}
15	end	15	end
16		16
17	def join_community_description ta	17	def join_community_description ta
18	- n_('has joined 1 community:<br />%{name}', 'has joined %{num} communities:<br />%{name}', ta.get_resource_name.size) % {	18	+ n_('has joined 1 community:<br />%{name}'.html_safe, 'has joined %{num} communities:<br />%{name}'.html_safe, ta.get_resource_name.size) % {
19	num: ta.get_resource_name.size,	19	num: ta.get_resource_name.size,
20	name: ta.collect_group_with_index(:resource_name) do \|n,i\|	20	name: ta.collect_group_with_index(:resource_name) do \|n,i\|
21	- link_to image_tag(ta.get_resource_profile_custom_icon[i] \|\| default_or_themed_icon("/images/icons-app/community-icon.png")),	21	+ link = link_to image_tag(ta.get_resource_profile_custom_icon[i] \|\| default_or_themed_icon("/images/icons-app/community-icon.png")),
22	ta.get_resource_url[i], title: n	22	ta.get_resource_url[i], title: n
23	- end.join	23	+ end.join.html_safe
24	}	24	}
25	end	25	end
26		26
	@@ -3,13 +3,13 @@ module BlockHelper		@@ -3,13 +3,13 @@ module BlockHelper
3	def block_title(title, subtitle=nil)	3	def block_title(title, subtitle=nil)
4	block_header = block_heading title	4	block_header = block_heading title
5	block_header += block_heading(subtitle, 'h4') if subtitle	5	block_header += block_heading(subtitle, 'h4') if subtitle
6	- content_tag 'div', block_header, :class => 'block-header'	6	+ content_tag('div', block_header, :class => 'block-header').html_safe
7	end	7	end
8		8
9	def block_heading(title, heading='h3')	9	def block_heading(title, heading='h3')
10	tag_class = 'block-' + (heading == 'h3' ? 'title' : 'subtitle')	10	tag_class = 'block-' + (heading == 'h3' ? 'title' : 'subtitle')
11	tag_class += ' empty' if title.empty?	11	tag_class += ' empty' if title.empty?
12	- content_tag heading, content_tag('span', h(title)), :class => tag_class	12	+ content_tag heading, content_tag('span', h(title)), :class => tag_class.html_safe
13	end	13	end
14		14
15	def highlights_block_config_image_fields(block, image={}, row_number=nil)	15	def highlights_block_config_image_fields(block, image={}, row_number=nil)
	@@ -38,7 +38,7 @@ module BoxOrganizerHelper		@@ -38,7 +38,7 @@ module BoxOrganizerHelper
38	content_tag(:ul,	38	content_tag(:ul,
39	images_path.map do \|preview\|	39	images_path.map do \|preview\|
40	content_tag(:li, image_tag(preview, height: '240', alt: ''))	40	content_tag(:li, image_tag(preview, height: '240', alt: ''))
41	- end.join("\n")	41	+ end.join("\n").html_safe
42	)	42	)
43	end	43	end
44		44
	@@ -15,9 +15,9 @@ module ButtonsHelper		@@ -15,9 +15,9 @@ module ButtonsHelper
15	end	15	end
16	the_title = html_options[:title] \|\| label	16	the_title = html_options[:title] \|\| label
17	if html_options[:disabled]	17	if html_options[:disabled]
18	- content_tag('a', ' '+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))	18	+ content_tag('a', ' '.html_safe+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
19	else	19	else
20	- link_to(' '+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))	20	+ link_to(' '.html_safe+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
21	end	21	end
22	end	22	end
23		23
	@@ -19,18 +19,18 @@ module CatalogHelper		@@ -19,18 +19,18 @@ module CatalogHelper
19	ancestors = category.ancestors.map { \|c\| link_to(c.name, {:controller => :catalog, :action => 'index', :level => c.id}) }.reverse	19	ancestors = category.ancestors.map { \|c\| link_to(c.name, {:controller => :catalog, :action => 'index', :level => c.id}) }.reverse
20	current_level = content_tag('strong', category.name)	20	current_level = content_tag('strong', category.name)
21	all_items = [start] + ancestors + [current_level]	21	all_items = [start] + ancestors + [current_level]
22	- content_tag('div', all_items.join(' → '), :id => 'breadcrumb')	22	+ content_tag('div', safe_join(all_items, ' → '), :id => 'breadcrumb')
23	end	23	end
24		24
25	def category_link(category)	25	def category_link(category)
26	count = profile.products.from_category(category).count	26	count = profile.products.from_category(category).count
27	name = truncate(category.name, :length => 22 - count.to_s.size)	27	name = truncate(category.name, :length => 22 - count.to_s.size)
28	link = link_to(name, {:controller => 'catalog', :action => 'index', :level => category.id}, :title => category.name)	28	link = link_to(name, {:controller => 'catalog', :action => 'index', :level => category.id}, :title => category.name)
29	- content_tag('div', "#{link} <span class=\"count\">#{count}</span>") if count > 0	29	+ content_tag('div', "#{link} <span class=\"count\">#{count}</span>".html_safe) if count > 0
30	end	30	end
31		31
32	def category_with_sub_list(category)	32	def category_with_sub_list(category)
33	- content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}"	33	+ content_tag 'li', "#{category_link(category)}\n#{sub_category_list(category)}".html_safe
34	end	34	end
35		35
36	def sub_category_list(category)	36	def sub_category_list(category)
	@@ -39,7 +39,7 @@ module CatalogHelper		@@ -39,7 +39,7 @@ module CatalogHelper
39	cat_link = category_link sub_category	39	cat_link = category_link sub_category
40	sub_categories << content_tag('li', cat_link) unless cat_link.nil?	40	sub_categories << content_tag('li', cat_link) unless cat_link.nil?
41	end	41	end
42	- content_tag('ul', sub_categories.join) if sub_categories.size > 0	42	+ content_tag('ul', sub_categories.join.html_safe) if sub_categories.size > 0
43	end	43	end
44		44
45	end	45	end
	@@ -35,7 +35,7 @@ module ForumHelper		@@ -35,7 +35,7 @@ module ForumHelper
35	:id => "post-#{art.id}"	35	:id => "post-#{art.id}"
36	)	36	)
37	}	37	}
38	- content_tag('table', content.join) + (pagination or '')	38	+ content_tag('table', safe_join(content, "")) + (pagination or '').html_safe
39	end	39	end
40		40
41	def last_topic_update(article)	41	def last_topic_update(article)
	@@ -40,7 +40,7 @@ module LanguageHelper		@@ -40,7 +40,7 @@ module LanguageHelper
40	else	40	else
41	link_to(name, params.merge(:lang => code), :rel => 'nofollow')	41	link_to(name, params.merge(:lang => code), :rel => 'nofollow')
42	end	42	end
43	- end.join(separator)	43	+ end.join(separator).html_safe
44	content_tag('div', languages, :id => 'language-chooser', :help => _('The language you choose here is the language used for options, buttons, etc. It does not affect the language of the content created by other users.'))	44	content_tag('div', languages, :id => 'language-chooser', :help => _('The language you choose here is the language used for options, buttons, etc. It does not affect the language of the content created by other users.'))
45	end	45	end
46	end	46	end
	@@ -131,7 +131,7 @@ module ProfileImageHelper		@@ -131,7 +131,7 @@ module ProfileImageHelper
131	links = links_for_balloon(profile)	131	links = links_for_balloon(profile)
132	content_tag('div', content_tag(tag,	132	content_tag('div', content_tag(tag,
133	(environment.enabled?(:show_balloon_with_profile_links_when_clicked) ?	133	(environment.enabled?(:show_balloon_with_profile_links_when_clicked) ?
134	- popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "") +	134	+ popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "").html_safe +
135	link_to(	135	link_to(
136	content_tag( 'span', profile_image( profile, size ), :class => img_class ) +	136	content_tag( 'span', profile_image( profile, size ), :class => img_class ) +
137	content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +	137	content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
	@@ -139,7 +139,7 @@ module ProfileImageHelper		@@ -139,7 +139,7 @@ module ProfileImageHelper
139	profile.url,	139	profile.url,
140	:class => 'profile_link url',	140	:class => 'profile_link url',
141	:help => _('Click on this icon to go to the <b>%s</b>\'s home page') % profile.name,	141	:help => _('Click on this icon to go to the <b>%s</b>\'s home page') % profile.name,
142	- :title => profile.name ),	142	+ :title => profile.name ).html_safe,
143	:class => 'vcard'), :class => 'common-profile-list-block')	143	:class => 'vcard'), :class => 'common-profile-list-block')
144	end	144	end
145	end	145	end
	@@ -124,10 +124,10 @@ module SearchHelper		@@ -124,10 +124,10 @@ module SearchHelper
124	def filters(asset)	124	def filters(asset)
125	return if !asset	125	return if !asset
126	klass = asset_class(asset)	126	klass = asset_class(asset)
127	- content_tag('div', klass::SEARCH_FILTERS.map do \|name, options\|	127	+ content_tag('div', safe_join(klass::SEARCH_FILTERS.map do \|name, options\|
128	default = klass.respond_to?("default_search_#{name}") ? klass.send("default_search_#{name}".to_s) : nil	128	default = klass.respond_to?("default_search_#{name}") ? klass.send("default_search_#{name}".to_s) : nil
129	select_filter(name, options, default)	129	select_filter(name, options, default)
130	- end.join("\n"), :id => 'search-filters')	130	+ end, "\n"), :id => 'search-filters')
131	end	131	end
132		132
133	def assets_menu(selected)	133	def assets_menu(selected)
	@@ -137,11 +137,11 @@ module SearchHelper		@@ -137,11 +137,11 @@ module SearchHelper
137	# menu.	137	# menu.
138	assets.delete(:events)	138	assets.delete(:events)
139	content_tag('ul',	139	content_tag('ul',
140	- assets.map do \|asset\|	140	+ safe_join(assets.map do \|asset\|
141	options = {}	141	options = {}
142	options.merge!(:class => 'selected') if selected.to_s == asset.to_s	142	options.merge!(:class => 'selected') if selected.to_s == asset.to_s
143	content_tag('li', asset_link(asset), options)	143	content_tag('li', asset_link(asset), options)
144	- end.join("\n"),	144	+ end, "\n"),
145	:id => 'assets-menu')	145	:id => 'assets-menu')
146	end	146	end
147		147