Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/budgets/stats/_advanced_stats.html.erb
+++ b/app/views/budgets/stats/_advanced_stats.html.erb
@@ -34,7 +34,7 @@
      <thead>
        <tr>
          <th scope="col" rowspan="2"><%= t("stats.budgets.heading") %></th>
-          <th scope="col" rowspan="2"><%= t("stats.budgets.investments_sent_html") %></th>
+          <th scope="col" rowspan="2"><%= sanitize(t("stats.budgets.investments_sent")) %></th>

          <% stats.all_phases.each do |phase| %>
            <th scope="col" colspan="3">