Use sanitize instead of html_safe

The difference is `html_safe` allows every HTML tag, including the `<script>` tag, while `sanitize` only allows tags which are considered safe. In this case, we want to allow a `<span>` tag in a translation, and links inside flash messages.
2019-10-02 17:06:49 +02:00
parent 928312e218
commit 61bf9a5c73
3 changed files with 4 additions and 4 deletions
--- a/app/views/budgets/ballot/_ballot.html.erb
+++ b/app/views/budgets/ballot/_ballot.html.erb
@@ -26,8 +26,8 @@
          <h3>
            <%= group.name %> - <%= @ballot.heading_for_group(group).name %>
          </h3>
-          <%= link_to t("budgets.ballots.show.remaining",
-                      amount: @ballot.formatted_amount_available(@ballot.heading_for_group(group))).html_safe,
+          <%= link_to sanitize(t("budgets.ballots.show.remaining",
+                      amount: @ballot.formatted_amount_available(@ballot.heading_for_group(group)))),
                      budget_group_path(@budget, group) %>
        </div>
        <% if @ballot.has_lines_in_group?(group) %>
--- a/app/views/kaminari/_gap.html.erb
+++ b/app/views/kaminari/_gap.html.erb
@@ -1,3 +1,3 @@
 <li class="ellipsis" aria-hidden="true">
-  <%= t("views.pagination.truncate").html_safe %>
+  <%= sanitize(t("views.pagination.truncate")) %>
 </li>
--- a/app/views/layouts/_flash.html.erb
+++ b/app/views/layouts/_flash.html.erb
@@ -5,7 +5,7 @@
        <span aria-hidden="true">&times;</span>
      </button>
      <div class="notice-text">
-        <%= flash_message.try(:html_safe) %>
+        <%= sanitize(flash_message) %>
      </div>
    </div>
  </div>