Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/mailer/direct_message_for_sender.html.erb
+++ b/app/views/mailer/direct_message_for_sender.html.erb
@@ -1,8 +1,8 @@
 <td style="padding-bottom: 20px; padding-left: 10px;">

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif; font-size: 20px;">
-    <%= t("mailers.direct_message_for_sender.title_html",
-        receiver: @direct_message.receiver.name) %>
+    <%= sanitize(t("mailers.direct_message_for_sender.title",
+        receiver: @direct_message.receiver.name)) %>
  </p>

  <h2 style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif; font-size: 18px;">