From 56f690b8a92c17f4aaab161e4e4e29efcf000339 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Wed, 2 Oct 2019 02:18:48 +0200
Subject: [PATCH] Use attributes in translations with `sanitize`

There's a slight chance an attribute like an author's name might contain an attempt to perform XSS attacks. So, instead of marking the whole text as HTML safe, we can sanitize it. Also note I'm removing the `_html` suffix in the i18n key, since it's got the same effect as using `html_safe`.
---
 app/views/mailer/budget_investment_created.html.erb | 8 ++++----
 config/locales/en/mailers.yml | 4 ++--
 config/locales/es/mailers.yml | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/app/views/mailer/budget_investment_created.html.erb b/app/views/mailer/budget_investment_created.html.erb
index 8942a1606..f4ac21b61 100644
--- a/app/views/mailer/budget_investment_created.html.erb
+++ b/app/views/mailer/budget_investment_created.html.erb
@@ -5,14 +5,14 @@

- <%= t("mailers.budget_investment_created.intro_html",
- author: @investment.author.name).html_safe %>
+ <%= sanitize(t("mailers.budget_investment_created.intro",
+ author: @investment.author.name)) %>

- <%= t("mailers.budget_investment_created.text_html",
+ <%= sanitize(t("mailers.budget_investment_created.text",
 investment: @investment.title,
- budget: @investment.budget.name).html_safe %>
+ budget: @investment.budget.name)) %>

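Review bot: `sanitize` is the wrong tool for the two new calls in this hunk, because neither translation contains markup while at least the author name and investment title are user-entered values: Rails' default sanitizer keeps allowlisted tags, so a name containing a permitted tag (a link, for instance) would still be rendered as HTML in the email rather than shown literally. Since no markup is needed, the plain helper is both simpler and stricter — `<%= t("mailers.budget_investment_created.intro", author: @investment.author.name) %>` — and ERB then escapes the interpolated values entirely; the same applies to the `text` call below it. As an aside, if I recall the `translate` helper correctly, `_html` keys already HTML-escape their interpolation arguments (only the translation text itself is marked safe), so the removed `.html_safe` calls were redundant rather than the source of the risk the commit message describes — worth confirming against the Rails version in use. The hunk header announces 14 lines per side but fewer are visible here, so the surrounding template lines appear to have been lost in rendering and the enclosing markup cannot be checked.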
diff --git a/config/locales/en/mailers.yml b/config/locales/en/mailers.yml
index 6434b8951..cf2341095 100644
--- a/config/locales/en/mailers.yml
+++ b/config/locales/en/mailers.yml
@@ -46,8 +46,8 @@ en:
 budget_investment_created:
 subject: "Thank you for creating an investment!"
 title: "Thank you for creating an investment!"
- intro_html: "Hi %{author},"
- text_html: "Thank you for creating your investment %{investment} for Participatory Budgets %{budget}."
+ intro: "Hi %{author},"
+ text: "Thank you for creating your investment %{investment} for Participatory Budgets %{budget}."
 follow_html: "We will inform you about how the process progresses, which you can also follow on %{link}."
 follow_link: "Participatory Budgets"
 sincerely: "Sincerely,"
diff --git a/config/locales/es/mailers.yml b/config/locales/es/mailers.yml
index fa37c399a..5c0691c4a 100644
--- a/config/locales/es/mailers.yml
+++ b/config/locales/es/mailers.yml
@@ -46,8 +46,8 @@ es:
 budget_investment_created:
 subject: "¡Gracias por crear un proyecto!"
 title: "¡Gracias por crear un proyecto!"
- intro_html: "Hola %{author},"
- text_html: "Muchas gracias por crear tu proyecto %{investment} para los Presupuestos Participativos %{budget}."
+ intro: "Hola %{author},"
+ text: "Muchas gracias por crear tu proyecto %{investment} para los Presupuestos Participativos %{budget}."
 follow_html: "Te informaremos de cómo avanza el proceso, que también puedes seguir en la página de %{link}."
 follow_link: "Presupuestos participativos"
 sincerely: "Atentamente,"