Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/polls/_callout.html.erb
+++ b/app/views/polls/_callout.html.erb
@@ -7,8 +7,8 @@
    </div>
  <% elsif current_user.unverified? %>
    <div class="callout warning">
-      <%= t("polls.show.cant_answer_verify_html",
-            verify_link: link_to(t("polls.show.verify_link"), verification_path)) %>
+      <%= sanitize(t("polls.show.cant_answer_verify",
+            verify_link: link_to(t("polls.show.verify_link"), verification_path))) %>
    </div>
  <% elsif @poll.expired? %>
    <div class="callout alert">