consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sanitize translations instead of using _html

Browse Source 
Using the `_html` suffix in an i18n key is the same as using `html_safe`
on it, which means that translation could potentially be used for XSS
attacks.
This commit is contained in:
Javi Martín
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
app/views/admin/budget_investments/_filters_description.html.erb
View File

@@ -1,16 +1,16 @@
<% if params[:filter].present? && params[:advanced_filters].present? %>
<p class="inline-block"><%= t("#{i18n_namespace}.filters.two_filters_html",
<p class="inline-block"><%= sanitize(t("#{i18n_namespace}.filters.two_filters",
filter: t("#{i18n_namespace}.filters.#{params[:filter]}"),
advanced_filters: budget_investments_advanced_filters(params[:advanced_filters])) %></p>
advanced_filters: budget_investments_advanced_filters(params[:advanced_filters]))) %></p>
<% elsif params[:filter].present? %>
<p class="inline-block"><%= t("#{i18n_namespace}.filters.one_filter_html",
filter: t("#{i18n_namespace}.filters.#{params[:filter]}")) %></p>
<p class="inline-block"><%= sanitize(t("#{i18n_namespace}.filters.one_filter",
filter: t("#{i18n_namespace}.filters.#{params[:filter]}"))) %></p>
<% elsif params[:advanced_filters].present? %>
<p class="inline-block"><%= t("#{i18n_namespace}.filters.one_filter_html",
filter: budget_investments_advanced_filters(params[:advanced_filters])) %></p>
<p class="inline-block"><%= sanitize(t("#{i18n_namespace}.filters.one_filter",
filter: budget_investments_advanced_filters(params[:advanced_filters]))) %></p>
<% end %>