consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sanitize translations instead of using _html

Browse Source 
Using the `_html` suffix in an i18n key is the same as using `html_safe`
on it, which means that translation could potentially be used for XSS
attacks.
This commit is contained in:
Javi Martín
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
app/views/shared/_common_globalize_locales.html.erb
View File

@@ -1,7 +1,7 @@
<div class="row globalize-languages column padding-top <%= highlight_translation_html_class %>"
data-zero-languages-description="<%= t("shared.translations.languages_in_use_html", count: 0) %>"
data-one-languages-description="<%= t("shared.translations.languages_in_use_html", count: 1) %>"
data-other-languages-description="<%= t("shared.translations.languages_in_use_html", count: 2) %>">
data-zero-languages-description="<%= sanitize(t("shared.translations.languages_in_use", count: 0)) %>"
data-one-languages-description="<%= sanitize(t("shared.translations.languages_in_use", count: 1)) %>"
data-other-languages-description="<%= sanitize(t("shared.translations.languages_in_use", count: 2)) %>">
<div class="small-6 large-3 column">
<span class="small">
<strong class="js-languages-description"><%= selected_languages_description(resource) %></strong>