Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as calling `html_safe`
on it, which means the translation could potentially be used in XSS
attacks.
This commit is contained in:
Javi Martín
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions


@@ -198,8 +198,8 @@ en:
min_total_supports: Minimum supports
max_total_supports: Maximum supports
winners: Winners
one_filter_html: "Current applied filters: <b><em>%{filter}</em></b>"
two_filters_html: "Current applied filters: <b><em>%{filter}, %{advanced_filters}</em></b>"
one_filter: "Current applied filters: <b><em>%{filter}</em></b>"
two_filters: "Current applied filters: <b><em>%{filter}, %{advanced_filters}</em></b>"
buttons:
filter: Filter
download_current_selection: "Download current selection"
@@ -555,7 +555,7 @@ en:
form:
error: Error
form:
title_html: 'Editing <span class="strong">%{draft_version_title}</span> from the process <span class="strong">%{process_title}</span>'
title: 'Editing <span class="strong">%{draft_version_title}</span> from the process <span class="strong">%{process_title}</span>'
launch_text_editor: Launch text editor
close_text_editor: Close text editor
use_markdown: Use Markdown to format the text
@@ -767,7 +767,7 @@ en:
empty_newsletters: There are no newsletters to show
new:
title: New newsletter
header_footer_help_text_html: "The heading and footer are the same for all emails, you can modify them on <code>app/views/layouts/mailer_header</code> and <code>app/views/layouts/mailer_footer</code>.<br>You can replace header image on %{link}."
header_footer_help_text: "The heading and footer are the same for all emails, you can modify them on <code>app/views/layouts/mailer_header</code> and <code>app/views/layouts/mailer_footer</code>.<br>You can replace header image on %{link}."
image_link: "custom images"
edit:
title: Edit newsletter
@@ -1187,7 +1187,7 @@ en:
pending: Pending
rejected: Rejected
verified: Verified
hidden_count_html:
hidden_count:
one: There is also <strong>one organisation</strong> with no users or with a hidden user.
other: There are <strong>%{count} organisations</strong> with no users or with a hidden user.
name: Name
@@ -1542,7 +1542,7 @@ en:
see_page: See page
new:
title: Create new custom page
slug_help_html: "Text to identify this page on URL, for example <code>https://consulproject.org/page-slug</code>"
slug_help: "Text to identify this page on URL, for example <code>https://consulproject.org/page-slug</code>"
page:
created_at: Created at
status: Status
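Review bot: Dropping the `_html` suffix on `one_filter`, `two_filters` and `title` also drops the escaping Rails applies to interpolation arguments of `_html` keys, so if the views now render these with `sanitize(t(...))`, values such as `%{filter}`, `%{draft_version_title}` and `%{process_title}` are spliced in raw and only filtered by the sanitizer's allowlist; any allowed tag or attribute present in a draft or process title survives into the page. The safer shape is to escape each interpolated value before it meets the translation, e.g. `sanitize(t(".title", draft_version_title: h(draft_version.title), process_title: h(process.title)))`, leaving values that are deliberately markup (`%{link}` in `header_footer_help_text`, built with `link_to`) untouched. The view-side sanitize call is not in this diff, so this is inferred from the commit title. The same applies to the interpolated keys in the other files of this commit — `search_results`, `code`/`location`/`organization_name`, `instructions`, `not_saved`, `cant_answer_verify`, `new_comment_by`, `new_reply_by` and the `direct_message_for_sender` `title`.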


@@ -7,7 +7,7 @@ en:
remaining: "You still have <span>%{amount}</span> to invest."
no_balloted_group_yet: "You have not voted on this group yet, go vote!"
remove: Remove vote
voted_html:
voted:
one: "You have voted <span>one</span> investment."
other: "You have voted <span>%{count}</span> investments."
voted_info: "Your ballot is confirmed!"
@@ -79,17 +79,17 @@ en:
button: Search
placeholder: Search investment projects...
title: Search
search_results_html:
search_results:
one: " containing the term <strong>'%{search_term}'</strong>"
other: " containing the term <strong>'%{search_term}'</strong>"
sidebar:
my_ballot: My ballot
voted_html:
voted:
one: "<strong>You voted one proposal with a cost of %{amount_spent}</strong>"
other: "<strong>You voted %{count} proposals with a cost of %{amount_spent}</strong>"
voted_info: You can %{link} at any time until the close of this phase. No need to spend all the money available.
voted_info_link: change your vote
different_heading_assigned_html: "You have active votes in another heading: %{heading_link}"
different_heading_assigned: "You have active votes in another heading: %{heading_link}"
change_ballot: "If your change your mind you can remove your votes in %{check_ballot} and start again."
check_ballot_link: "check and confirm my ballot"
zero: You have not voted any investment project in this group.
@@ -109,9 +109,9 @@ en:
author_deleted: User deleted
price_explanation: Price explanation
unfeasibility_explanation: Unfeasibility explanation
code_html: "Investment project code: <strong>%{code}</strong>"
location_html: "Location: <strong>%{location}</strong>"
organization_name_html: "Proposed on behalf of: <strong>%{name}</strong>"
code: "Investment project code: <strong>%{code}</strong>"
location: "Location: <strong>%{location}</strong>"
organization_name: "Proposed on behalf of: <strong>%{name}</strong>"
share: Share
title: Investment project
supports: Supports
@@ -120,10 +120,10 @@ en:
comments_tab: Comments
milestones_tab: Milestones
author: Author
project_unfeasible_html: "This investment project <strong>has been marked as not feasible</strong> and will not go to balloting phase."
project_selected_html: "This investment project <strong>has been selected</strong> for balloting phase."
project_unfeasible: "This investment project <strong>has been marked as not feasible</strong> and will not go to balloting phase."
project_selected: "This investment project <strong>has been selected</strong> for balloting phase."
project_winner: "Winning investment project"
project_not_selected_html: "This investment project <strong>has not been selected</strong> for balloting phase."
project_not_selected: "This investment project <strong>has not been selected</strong> for balloting phase."
see_price_explanation: See price explanation
wrong_price_format: Only integer numbers
investment:
@@ -141,7 +141,7 @@ en:
give_support: Support
header:
check_ballot: Check and confirm my ballot
different_heading_assigned_html: "You have active votes in another heading: %{heading_link}"
different_heading_assigned: "You have active votes in another heading: %{heading_link}"
change_ballot: "If your change your mind you can remove your votes in %{check_ballot} and start again."
check_ballot_link: "check and confirm my ballot"
price: "This heading has a budget of"


@@ -6,7 +6,7 @@ en:
submit: Re-send instructions
title: Re-send confirmation instructions
show:
instructions_html: Confirming the account with email %{email}
instructions: Confirming the account with email %{email}
new_password_confirmation_label: Repeat access password
new_password_label: New access password
please_set_password: Please choose your new pasword (it will allow you to login with the email above)
@@ -50,10 +50,10 @@ en:
title: Register as an organisation or collective
success:
back_to_index: I understand; go back to main page
instructions_1_html: "<strong>We will contact you soon</strong> to verify that you do in fact represent this collective."
instructions_2_html: While your <strong>email is reviewed</strong>, we have sent you a <strong>link to confirm your account</strong>.
instructions_1: "<strong>We will contact you soon</strong> to verify that you do in fact represent this collective."
instructions_2: While your <strong>email is reviewed</strong>, we have sent you a <strong>link to confirm your account</strong>.
instructions_3: Once confirmed, you may begin to participate as an unverified collective.
thank_you_html: Thank you for registering your collective on the website. It is now <strong>pending verification</strong>.
thank_you: Thank you for registering your collective on the website. It is now <strong>pending verification</strong>.
title: Registration of organisation / collective
passwords:
edit:
@@ -123,7 +123,7 @@ en:
username_note: Name that appears next to your posts
success:
back_to_index: I understand; go back to main page
instructions_1_html: Please <b>check your email</b> - we have sent you a <b>link to confirm your account</b>.
instructions_1: Please <b>check your email</b> - we have sent you a <b>link to confirm your account</b>.
instructions_2: Once confirmed, you may begin participation.
thank_you_html: Thank you for registering for the website. You must now <b>confirm your email address</b>.
thank_you: Thank you for registering for the website. You must now <b>confirm your email address</b>.
title: Confirm your email address


@@ -1,7 +1,7 @@
en:
documents:
title: Documents
max_documents_allowed_reached_html: You have reached the maximum number of documents allowed! <strong>You have to delete one before you can upload another.</strong>
max_documents_allowed_reached: You have reached the maximum number of documents allowed! <strong>You have to delete one before you can upload another.</strong>
additional: Additional documentation
form:
title: Documents


@@ -116,7 +116,7 @@ en:
button: Search
placeholder: Search debates...
title: Search
search_results_html:
search_results:
one: " containing the term <strong>'%{search_term}'</strong>"
other: " containing the term <strong>'%{search_term}'</strong>"
select_order: Order by
@@ -169,7 +169,7 @@ en:
direct_message: private message
error: error
errors: errors
not_saved_html: "prevented this %{resource} from being saved. <br>Please check the marked fields to know how to correct them:"
not_saved: "prevented this %{resource} from being saved. <br>Please check the marked fields to know how to correct them:"
policy: Privacy Policy
proposal: Proposal
proposal_notification: "Notification"
@@ -302,7 +302,7 @@ en:
created:
title: Congratulations! You have taken the first step.
motivation: "It is important to prepare the launch campaign for your proposal to be successful. The first few days are decisive."
motivation_2_html: "<strong>If you want recommendations to prepare the publishing leave your proposal as a draft and we will guide you.</strong>"
motivation_2: "<strong>If you want recommendations to prepare the publishing leave your proposal as a draft and we will guide you.</strong>"
publish: No, I want to publish the proposal
dashboard: Yes, I want help and I'll publish later
preview_title: This is how your proposal will look when you publish it
@@ -376,7 +376,7 @@ en:
button: Search
placeholder: Search proposals...
title: Search
search_results_html:
search_results:
one: " containing the term <strong>'%{search_term}'</strong>"
other: " containing the term <strong>'%{search_term}'</strong>"
select_order: Order by
@@ -570,12 +570,12 @@ en:
title: Poster preview
poster_title: "Do not keep looking,"
poster_subtitle: "back me up! ;)"
intro_text_html:
intro_text:
"<strong>I am participating in %{org}</strong> with my own citizen proposal and only if you also add you can I achieve the
necessary support to make the city we all want."
proposal_code: "Code of the proposal: %{code}"
support: Support my proposal
footer_html: "<strong>Visit %{link} and support this proposal.</strong> We need to be many. Decide your too. Thank you!"
footer: "<strong>Visit %{link} and support this proposal.</strong> We need to be many. Decide your too. Thank you!"
new:
title: Poster of your proposal
options:
@@ -593,7 +593,7 @@ en:
sent: The email has been sent
mailer:
forward:
subtitle_html: "If you support me, <br>we will achieve it."
subtitle: "If you support me, <br>we will achieve it."
support_button: Support this proposal
share_in: Share in
hi: "Hello!"
@@ -644,7 +644,7 @@ en:
back: Back to voting
cant_answer_not_logged_in: "You must %{signin} or %{signup} to participate."
comments_tab: Comments
cant_answer_verify_html: "You must %{verify_link} in order to answer."
cant_answer_verify: "You must %{verify_link} in order to answer."
verify_link: "verify your account"
cant_answer_expired: "This poll has finished."
cant_answer_wrong_geozone: "This question is not available on your geozone."
@@ -805,7 +805,7 @@ en:
select_language_prompt: Choose language
remove_language: Remove language
add_language: Add language
languages_in_use_html:
languages_in_use:
zero: "<span class='js-languages-count'>0</span> languages in use"
one: "<span class='js-languages-count'>1</span> language in use"
other: "<span class='js-languages-count'>%{count}</span> languages in use"


@@ -4,21 +4,21 @@ en:
no_reply: "This message was sent from an email address that does not accept replies."
comment:
hi: Hi
new_comment_by_html: There is a new comment from <strong>%{commenter}</strong>
new_comment_by: There is a new comment from <strong>%{commenter}</strong>
subject: Someone has commented on your %{commentable}
title: New comment
config:
manage_email_subscriptions: To stop receiving these emails change your settings in
email_verification:
click_here_to_verify: this link
instructions_2_html: This email will verify your account with <b>%{document_type} %{document_number}</b>. If these don't belong to you, please don't click on the previous link and ignore this email.
instructions_html: To complete the verification of your user account you must click %{verification_link}.
instructions_2: This email will verify your account with <b>%{document_type} %{document_number}</b>. If these don't belong to you, please don't click on the previous link and ignore this email.
instructions: To complete the verification of your user account you must click %{verification_link}.
subject: Confirm your email
thanks: Thank you very much.
title: Confirm your account using the following link
reply:
hi: Hi
new_reply_by_html: There is a new response from <strong>%{commenter}</strong> to your comment on
new_reply_by: There is a new response from <strong>%{commenter}</strong> to your comment on
subject: Someone has responded to your comment
title: New response to your comment
proposal_notification_digest:
@@ -35,7 +35,7 @@ en:
unsubscribe_account: My account
direct_message_for_sender:
subject: "You have sent a new private message"
title_html: "You have sent a new private message to <strong>%{receiver}</strong> with the content:"
title: "You have sent a new private message to <strong>%{receiver}</strong> with the content:"
user_invite:
ignore: "If you have not requested this invitation don't worry, you can ignore this email."
text: "Thank you for applying to join %{org}! In seconds you can start to participate, just fill the form below:"
@@ -54,7 +54,7 @@ en:
share: "Share your project"
budget_investment_unfeasible:
hi: "Dear user,"
new_html: "For all these, we invite you to elaborate a <strong>new investment</strong> that adjusts to the conditions of this process. You can do it following this link: %{url}."
new: "For all these, we invite you to elaborate a <strong>new investment</strong> that adjusts to the conditions of this process. You can do it following this link: %{url}."
new_href: "new investment project"
sincerely: "Sincerely"
sorry: "Sorry for the inconvenience and we again thank you for your invaluable participation."
@@ -75,7 +75,7 @@ en:
subject: "New evaluation comment"
title: New evaluation comment for %{investment}
hi: Hi
new_comment_by_html: There is a new evaluation comment from <strong>%{commenter}</strong> to the budget investment %{investment}
new_comment_by: There is a new evaluation comment from <strong>%{commenter}</strong> to the budget investment %{investment}
commenter_info: "%{commenter}, %{time}:"
new_actions_notification_rake_created:
subject: "More news about your citizen proposal"


@@ -112,8 +112,8 @@ en:
create_user: Create a new account
create_user_info: We will create an account with the following data
create_user_submit: Create user
create_user_success_html: We have sent an email to the email address <b>%{email}</b> in order to verify that it belongs to this user. It contains a link they have to click. Then they will have to set their access password before being able to log in to the website
autogenerated_password_html: "Autogenerated password is <b>%{password}</b>, you can change it in the 'My account' section of the web"
create_user_success: We have sent an email to the email address <b>%{email}</b> in order to verify that it belongs to this user. It contains a link they have to click. Then they will have to set their access password before being able to log in to the website
autogenerated_password: "Autogenerated password is <b>%{password}</b>, you can change it in the 'My account' section of the web"
email_optional_label: Email (optional)
erased_notice: User account deleted.
erased_by_manager: "Deleted by manager: %{manager}"
@@ -128,5 +128,5 @@ en:
submit: Send invitations
title: Send invitations
create:
success_html: <strong>%{count} invitations</strong> have been sent.
success: <strong>%{count} invitations</strong> have been sent.
title: Send invitations
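Review bot: `autogenerated_password` interpolates `%{password}` into markup that, with the `_html` suffix gone, presumably passes through a sanitizer instead of being escaped, so a generated password containing `<`, `>` or `&` can be altered or partially stripped on display and the user is shown a value that does not match what was stored; `%{email}` in `create_user_success` loses the same escaping. Escape the value before interpolation, `sanitize(t(".autogenerated_password", password: h(password)))`, so the secret is rendered exactly as generated. The view-side call is outside this diff, so this is inferred from the commit title.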


@@ -27,7 +27,7 @@ en:
by_heading: "Participants by phase and heading"
total: "Total"
heading: "Heading"
investments_sent_html: "Investment proposals sent"
investments_sent: "Investment proposals sent"
participants_support_phase: "Participants support phase"
participants_vote_phase: "Participants voting phase"
participants_every_phase: "Total participants"


@@ -56,7 +56,7 @@ en:
preview: Investment preview
edit:
dossier: Dossier
price_html: "Price (%{currency})"
price: "Price (%{currency})"
price_first_year: "Cost during the first year (%{currency}) <small>(optional, data not public)</small>"
feasibility: Feasibility
valuation_finished_alert: "Are you sure you want to mark this report as completed? If you do it, it can no longer be modified."


@@ -19,7 +19,7 @@ en:
unconfirmed_code: You have not yet entered the confirmation code
create:
flash:
success_html: Thank you for requesting your <b>maximum security code (only required for the final votes)</b>. In a few days we will send it to the address featuring in the data we have on file. Please remember that, if you prefer, you can collect your code from any of the Citizen Support Offices.
success: Thank you for requesting your <b>maximum security code (only required for the final votes)</b>. In a few days we will send it to the address featuring in the data we have on file. Please remember that, if you prefer, you can collect your code from any of the Citizen Support Offices.
edit:
see_all: See proposals
title: Letter requested
@@ -49,7 +49,7 @@ en:
accept_terms_text_title: I accept the terms and conditions of access of the Census
document_number: Document number
document_number_help_title: Help
document_number_help_text_html: "<strong>DNI</strong>: 12345678A<br> <strong>Passport</strong>: AAA000001<br> <strong>Residence card</strong>: X1234567P"
document_number_help_text: "<strong>DNI</strong>: 12345678A<br> <strong>Passport</strong>: AAA000001<br> <strong>Residence card</strong>: X1234567P"
document_type:
passport: Passport
residence_card: Residence card
@@ -73,7 +73,7 @@ en:
title: Security code confirmation
new:
phone: Enter your mobile phone number to receive the code
phone_format_html: "<strong><em>(Example: 612345678 or +34612345678)</em></strong>"
phone_format: "<strong><em>(Example: 612345678 or +34612345678)</em></strong>"
phone_note: We only use your phone to send you a code, never to contact you.
phone_placeholder: "Example: 612345678 or +34612345678"
submit_button: Send