Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/budgets/ballot/_ballot.html.erb
+++ b/app/views/budgets/ballot/_ballot.html.erb
@@ -6,8 +6,7 @@

    <div class="small-12 medium-8 column small-centered text-center">
      <h2>
-        <%= t("budgets.ballots.show.voted_html",
-            count: @ballot.investments.count) %>
+        <%= sanitize(t("budgets.ballots.show.voted", count: @ballot.investments.count)) %>
      </h2>
      <p class="confirmed">
        <%= t("budgets.ballots.show.voted_info") %>
--- a/app/views/budgets/investments/_header.html.erb
+++ b/app/views/budgets/investments/_header.html.erb
@@ -36,8 +36,8 @@
              </h2>
              <div class="small-12 medium-9">
                <div class="callout warning margin-top">
-                  <%= t("budgets.investments.header.different_heading_assigned_html",
-                        heading_link: heading_link(@assigned_heading, @budget)) %>
+                  <%= sanitize(t("budgets.investments.header.different_heading_assigned",
+                        heading_link: heading_link(@assigned_heading, @budget))) %>
                  <br>
                  <small>
                    <%= sanitize(t("budgets.investments.header.change_ballot",
--- a/app/views/budgets/investments/_investment_detail.erb
+++ b/app/views/budgets/investments/_investment_detail.erb
@@ -19,7 +19,7 @@
 <%= render_image(investment.image, :large, true) if investment.image.present? %>

 <p id="investment_code">
-  <%= t("budgets.investments.show.code_html", code: investment.id) %>
+  <%= sanitize(t("budgets.investments.show.code", code: investment.id)) %>
 </p>

 <%= auto_link_already_sanitized_html investment.description %>
@@ -32,13 +32,13 @@

 <% if investment.location.present? %>
  <p>
-    <%= t("budgets.investments.show.location_html", location: investment.location) %>
+    <%= sanitize(t("budgets.investments.show.location", location: investment.location)) %>
  </p>
 <% end %>

 <% if investment.organization_name.present? %>
  <p>
-    <%= t("budgets.investments.show.organization_name_html", name: investment.organization_name) %>
+    <%= sanitize(t("budgets.investments.show.organization_name", name: investment.organization_name)) %>
  </p>
 <% end %>

--- a/app/views/budgets/investments/_investment_show.html.erb
+++ b/app/views/budgets/investments/_investment_show.html.erb
@@ -75,7 +75,7 @@

        <% if investment.unfeasible? && investment.valuation_finished? %>
          <div class="callout warning">
-            <%= t("budgets.investments.show.project_unfeasible_html") %>
+            <%= sanitize(t("budgets.investments.show.project_unfeasible")) %>
          </div>
        <% elsif investment.winner? && @budget.finished? %>
          <div class="callout success">
@@ -83,11 +83,11 @@
          </div>
        <% elsif investment.selected? %>
          <div class="callout success">
-            <%= t("budgets.investments.show.project_selected_html") %>
+            <%= sanitize(t("budgets.investments.show.project_selected")) %>
          </div>
        <% elsif @budget.balloting_or_later? %>
          <div class="callout warning">
-            <%= t("budgets.investments.show.project_not_selected_html") %>
+            <%= sanitize(t("budgets.investments.show.project_not_selected")) %>
          </div>
        <% else %>
          <br>
--- a/app/views/budgets/investments/_sidebar.html.erb
+++ b/app/views/budgets/investments/_sidebar.html.erb
@@ -40,16 +40,16 @@
  <% if @ballot.investments.by_heading(@heading.id).count > 0 %>
    <p>
      <em>
-        <%= t("budgets.investments.index.sidebar.voted_html",
+        <%= sanitize(t("budgets.investments.index.sidebar.voted",
            count: @ballot.investments.by_heading(@heading.id).count,
-            amount_spent: @ballot.formatted_amount_spent(@heading)) %>
+            amount_spent: @ballot.formatted_amount_spent(@heading))) %>
      </em>
    </p>
  <% elsif @assigned_heading.present? %>
    <p>
-      <%= t("budgets.investments.index.sidebar.different_heading_assigned_html",
+      <%= sanitize(t("budgets.investments.index.sidebar.different_heading_assigned",
              heading_link: heading_link(@assigned_heading, @budget)
-            ) %>
+            )) %>
      <br>
      <small>
        <%= sanitize(t("budgets.investments.index.sidebar.change_ballot",
--- a/app/views/budgets/investments/index.html.erb
+++ b/app/views/budgets/investments/index.html.erb
@@ -28,9 +28,9 @@
          <h2><%= t("shared.search_results") %></h2>
          <p>
            <%= page_entries_info @investments %>
-            <%= t("budgets.investments.index.search_results_html",
+            <%= sanitize(t("budgets.investments.index.search_results",
                   count: @investments.size,
-                   search_term: params[:search]) %>
+                   search_term: params[:search])) %>
          </p>
        </div>
      </div>
--- a/app/views/budgets/stats/_advanced_stats.html.erb
+++ b/app/views/budgets/stats/_advanced_stats.html.erb
@@ -34,7 +34,7 @@
      <thead>
        <tr>
          <th scope="col" rowspan="2"><%= t("stats.budgets.heading") %></th>
-          <th scope="col" rowspan="2"><%= t("stats.budgets.investments_sent_html") %></th>
+          <th scope="col" rowspan="2"><%= sanitize(t("stats.budgets.investments_sent")) %></th>

          <% stats.all_phases.each do |phase| %>
            <th scope="col" colspan="3">