Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/admin/legislation/draft_versions/_form.html.erb
+++ b/app/views/admin/legislation/draft_versions/_form.html.erb
@@ -36,9 +36,9 @@
      <div class="markdown-editor clear">
        <div class="small-12 medium-8 column fullscreen-container">
          <div class="markdown-editor-header truncate">
-            <%= t("admin.legislation.draft_versions.form.title_html",
+            <%= sanitize(t("admin.legislation.draft_versions.form.title",
                   draft_version_title: @draft_version.title,
-                   process_title: @process.title) %>
+                   process_title: @process.title)) %>
          </div>

          <div class="markdown-editor-buttons">