consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use attributes in translations with sanitize

Browse Source 
There's a slight chance an attribute like an author's name might contain
an attempt to perform XSS attacks. So, instead of marking the whole text
as HTML safe, we can sanitize it.

Also note I'm removing the `_html` suffix in the i18n key, since it's
got the same effect as using `html_safe`.
This commit is contained in:
Javi Martín
2019-10-02 02:18:48 +02:00
parent 75a28fafcb
commit 56f690b8a9
3 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/views/mailer/budget_investment_created.html.erb
View File

@@ -5,14 +5,14 @@
</h1>
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
<%= t("mailers.budget_investment_created.intro_html",
author: @investment.author.name).html_safe %>
<%= sanitize(t("mailers.budget_investment_created.intro",
author: @investment.author.name)) %>
</p>
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
<%= t("mailers.budget_investment_created.text_html",
<%= sanitize(t("mailers.budget_investment_created.text",
investment: @investment.title,
budget: @investment.budget.name).html_safe %>
budget: @investment.budget.name)) %>
</p>
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">

4
config/locales/en/mailers.yml
View File

@@ -46,8 +46,8 @@ en:
budget_investment_created:
subject: "Thank you for creating an investment!"
title: "Thank you for creating an investment!"
intro_html: "Hi <strong>%{author}</strong>,"
text_html: "Thank you for creating your investment <strong>%{investment}</strong> for Participatory Budgets <strong>%{budget}</strong>."
intro: "Hi <strong>%{author}</strong>,"
text: "Thank you for creating your investment <strong>%{investment}</strong> for Participatory Budgets <strong>%{budget}</strong>."
follow_html: "We will inform you about how the process progresses, which you can also follow on <strong>%{link}</strong>."
follow_link: "Participatory Budgets"
sincerely: "Sincerely,"

4
config/locales/es/mailers.yml
View File

@@ -46,8 +46,8 @@ es:
budget_investment_created:
subject: "¡Gracias por crear un proyecto!"
title: "¡Gracias por crear un proyecto!"
intro_html: "Hola <strong>%{author}</strong>,"
text_html: "Muchas gracias por crear tu proyecto <strong>%{investment}</strong> para los Presupuestos Participativos <strong>%{budget}</strong>."
intro: "Hola <strong>%{author}</strong>,"
text: "Muchas gracias por crear tu proyecto <strong>%{investment}</strong> para los Presupuestos Participativos <strong>%{budget}</strong>."
follow_html: "Te informaremos de cómo avanza el proceso, que también puedes seguir en la página de <strong>%{link}</strong>."
follow_link: "Presupuestos participativos"
sincerely: "Atentamente,"