Use sanitize instead of html_safe

The difference is `html_safe` allows every HTML tag, including the
`<script>` tag, while `sanitize` only allows tags which are considered
safe. In this case, we want to allow a `<span>` tag in a translation,
and links inside flash messages.
Javi Martín
2019-10-02 17:06:49 +02:00
parent 928312e218
commit 61bf9a5c73
3 changed files with 4 additions and 4 deletions


@@ -26,8 +26,8 @@
<h3>
<%= group.name %> - <%= @ballot.heading_for_group(group).name %>
</h3>
<%= link_to t("budgets.ballots.show.remaining",
amount: @ballot.formatted_amount_available(@ballot.heading_for_group(group))).html_safe,
<%= link_to sanitize(t("budgets.ballots.show.remaining",
amount: @ballot.formatted_amount_available(@ballot.heading_for_group(group)))),
budget_group_path(@budget, group) %>
</div>
<% if @ballot.has_lines_in_group?(group) %>
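Review bot: the replacement `sanitize(t("budgets.ballots.show.remaining", ...))` uses the default Rails allowlist, which is broader than the single `<span>` the commit message says this translation needs; consider narrowing it with `sanitize(t(...), tags: %w[span])` so that any other markup in a translated string is stripped rather than rendered. Since `sanitize` returns an html_safe string, `link_to` will render the span as markup, which is the intended behaviour, but a view spec asserting that the `<span>` survives and that a `<script>` inserted into the translation does not would lock that in. Stylistically, the wrapped `amount:` line is hard to read; extracting the `formatted_amount_available(...)` call into a local variable would shorten both lines.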