Use attributes in translations with sanitize
There's a slight chance an attribute like an author's name might contain an attempt to perform XSS attacks. So, instead of marking the whole text as HTML safe, we can sanitize it. Also note I'm removing the `_html` suffix in the i18n key, since it's got the same effect as using `html_safe`.
This commit is contained in:
Javi Martín
@@ -5,14 +5,14 @@
|
|||||||
</h1>
|
</h1>
|
||||||
|
|
||||||
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
|
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
|
||||||
<%= t("mailers.budget_investment_created.intro_html",
|
<%= sanitize(t("mailers.budget_investment_created.intro",
|
||||||
author: @investment.author.name).html_safe %>
|
author: @investment.author.name)) %>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
|
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
|
||||||
<%= t("mailers.budget_investment_created.text_html",
|
<%= sanitize(t("mailers.budget_investment_created.text",
|
||||||
investment: @investment.title,
|
investment: @investment.title,
|
||||||
budget: @investment.budget.name).html_safe %>
|
budget: @investment.budget.name)) %>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
|
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
|
||||||
|
|||||||
@@ -46,8 +46,8 @@ en:
|
|||||||
budget_investment_created:
|
budget_investment_created:
|
||||||
subject: "Thank you for creating an investment!"
|
subject: "Thank you for creating an investment!"
|
||||||
title: "Thank you for creating an investment!"
|
title: "Thank you for creating an investment!"
|
||||||
intro_html: "Hi <strong>%{author}</strong>,"
|
intro: "Hi <strong>%{author}</strong>,"
|
||||||
text_html: "Thank you for creating your investment <strong>%{investment}</strong> for Participatory Budgets <strong>%{budget}</strong>."
|
text: "Thank you for creating your investment <strong>%{investment}</strong> for Participatory Budgets <strong>%{budget}</strong>."
|
||||||
follow_html: "We will inform you about how the process progresses, which you can also follow on <strong>%{link}</strong>."
|
follow_html: "We will inform you about how the process progresses, which you can also follow on <strong>%{link}</strong>."
|
||||||
follow_link: "Participatory Budgets"
|
follow_link: "Participatory Budgets"
|
||||||
sincerely: "Sincerely,"
|
sincerely: "Sincerely,"
|
||||||
|
|||||||
@@ -46,8 +46,8 @@ es:
|
|||||||
budget_investment_created:
|
budget_investment_created:
|
||||||
subject: "¡Gracias por crear un proyecto!"
|
subject: "¡Gracias por crear un proyecto!"
|
||||||
title: "¡Gracias por crear un proyecto!"
|
title: "¡Gracias por crear un proyecto!"
|
||||||
intro_html: "Hola <strong>%{author}</strong>,"
|
intro: "Hola <strong>%{author}</strong>,"
|
||||||
text_html: "Muchas gracias por crear tu proyecto <strong>%{investment}</strong> para los Presupuestos Participativos <strong>%{budget}</strong>."
|
text: "Muchas gracias por crear tu proyecto <strong>%{investment}</strong> para los Presupuestos Participativos <strong>%{budget}</strong>."
|
||||||
follow_html: "Te informaremos de cómo avanza el proceso, que también puedes seguir en la página de <strong>%{link}</strong>."
|
follow_html: "Te informaremos de cómo avanza el proceso, que también puedes seguir en la página de <strong>%{link}</strong>."
|
||||||
follow_link: "Presupuestos participativos"
|
follow_link: "Presupuestos participativos"
|
||||||
sincerely: "Atentamente,"
|
sincerely: "Atentamente,"
|
||||||
|
|||||||
Reference in New Issue
Block a user