consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use sanitize in translations with links

Browse Source 
Sometimes we're interpolating a link inside a translation, and marking
the whole translations as HTML safe.

However, some translations added by admins to the database or through
crowdin are not entirely under our control.

Although AFAIK crowdin checks for potential cross-site scripting
attacks, it's a good practice to sanitize parts of a string potentially
out of our control before marking the string as HTML safe.
This commit is contained in:
Javi Martín
2019-10-01 21:57:06 +02:00
parent 56f690b8a9
commit 928312e218
41 changed files with 95 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/views/budgets/index.html.erb
View File

@@ -37,14 +37,14 @@
class: "button margin-top expanded" %>
<% else %>
<div class="callout warning margin-top">
<%= t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account).html_safe %>
<%= sanitize(t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account)) %>
</div>
<% end %>
<% else %>
<div class="callout primary margin-top">
<%= t("budgets.investments.index.sidebar.not_logged_in",
sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
<%= sanitize(t("budgets.investments.index.sidebar.not_logged_in",
sign_in: link_to_signin, sign_up: link_to_signup)) %>
</div>
<% end %>
<% end %>

4
app/views/budgets/investments/_ballot.html.erb
View File

@@ -51,11 +51,11 @@
<p>
<small>
<%= t("budgets.ballots.reasons_for_not_balloting.#{reason}",
<%= sanitize(t("budgets.ballots.reasons_for_not_balloting.#{reason}",
verify_account: link_to_verify_account, signin: link_to_signin,
signup: link_to_signup, my_heading: my_heading,
change_ballot: change_ballot,
heading_link: heading_link(@assigned_heading, @budget)).html_safe %>
heading_link: heading_link(@assigned_heading, @budget))) %>
</small>
</p>
</div>

4
app/views/budgets/investments/_header.html.erb
View File

@@ -40,9 +40,9 @@
heading_link: heading_link(@assigned_heading, @budget)) %>
<br>
<small>
<%= t("budgets.investments.header.change_ballot",
<%= sanitize(t("budgets.investments.header.change_ballot",
check_ballot: link_to(t("budgets.investments.header.check_ballot_link"),
budget_ballot_path(@budget))).html_safe %>
budget_ballot_path(@budget)))) %>
</small>
</div>
</div>

12
app/views/budgets/investments/_sidebar.html.erb
View File

@@ -6,17 +6,17 @@
new_budget_investment_path(budget_id: @budget.id), class: "button budget expanded" %>
<% else %>
<div class="callout warning">
<%= t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account).html_safe %>
<%= sanitize(t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account)) %>
</div>
<% end %>
<% end %>
<% if @heading && can?(:show, @ballot) %>
<p class="callout">
<%= t("budgets.investments.index.sidebar.voted_info",
<%= sanitize(t("budgets.investments.index.sidebar.voted_info",
link: link_to(t("budgets.investments.index.sidebar.voted_info_link"),
budget_ballot_path(@budget))).html_safe %>
budget_ballot_path(@budget)))) %>
</p>
<% end %>
@@ -52,9 +52,9 @@
) %>
<br>
<small>
<%= t("budgets.investments.index.sidebar.change_ballot",
<%= sanitize(t("budgets.investments.index.sidebar.change_ballot",
check_ballot: link_to(t("budgets.investments.index.sidebar.check_ballot_link"),
budget_ballot_path(@budget))).html_safe %>
budget_ballot_path(@budget)))) %>
</small>
</p>
<% else %>

4
app/views/budgets/investments/_votes.html.erb
View File

@@ -31,13 +31,13 @@
<div class="js-participation-not-allowed participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<small>
<%= t("votes.budget_investments.#{reason}",
<%= sanitize(t("votes.budget_investments.#{reason}",
count: investment.group.max_votable_headings,
verify_account: link_to_verify_account,
signin: link_to_signin,
signup: link_to_signup,
supported_headings: (current_user && current_user.headings_voted_within_group(investment.group).map(&:name).sort.to_sentence)
).html_safe %>
)) %>
</small>
</p>
</div>

8
app/views/budgets/show.html.erb
View File

@@ -23,14 +23,14 @@
<%= link_to t("budgets.investments.index.sidebar.create"), new_budget_investment_path(@budget), class: "button margin-top expanded" %>
<% else %>
<div class="callout warning margin-top">
<%= t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account).html_safe %>
<%= sanitize(t("budgets.investments.index.sidebar.verified_only",
verify: link_to_verify_account)) %>
</div>
<% end %>
<% else %>
<div class="callout primary margin-top">
<%= t("budgets.investments.index.sidebar.not_logged_in",
sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
<%= sanitize(t("budgets.investments.index.sidebar.not_logged_in",
sign_in: link_to_signin, sign_up: link_to_signup)) %>
</div>
<% end %>
<% end %>

2
app/views/comments/_comment_tree.html.erb
View File

@@ -24,7 +24,7 @@
<% elsif require_verified_resident_for_commentable?(commentable, current_user) %>
<br>
<div data-alert class="callout primary">
<%= t("comments.verified_only", verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("comments.verified_only", verify_account: link_to_verify_account)) %>
</div>
<% elsif allow_comments %>
<%= render "comments/form", { commentable: commentable,

4
app/views/comments/_votes.html.erb
View File

@@ -81,9 +81,7 @@
</div>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<%= t("votes.comment_unauthenticated",
signin: link_to_signin,
signup: link_to_signup).html_safe %>
<%= sanitize(t("votes.comment_unauthenticated", signin: link_to_signin, signup: link_to_signup)) %>
</div>
<% end %>
</div>

2
app/views/dashboard/mailer/new_actions_notification_on_create.html.erb
View File

@@ -6,7 +6,7 @@
<p>
<%= t("mailers.new_actions_notification_on_create.text_1") %>
<br>
<%= t("mailers.new_actions_notification_on_create.text_2", link: proposal_dashboard_url(@proposal)).html_safe %>
<%= sanitize(t("mailers.new_actions_notification_on_create.text_2", link: proposal_dashboard_url(@proposal))) %>
</p>
<p><%= t("mailers.new_actions_notification_on_create.text_3") %></p>
<p><%= t("mailers.new_actions_notification_on_create.text_4") %></p>

4
app/views/dashboard/mailer/new_actions_notification_rake_created.html.erb
View File

@@ -10,9 +10,9 @@
title: @proposal.title) %>
</p>
<p>
<%= t("mailers.new_actions_notification_rake_created.text_1",
<%= sanitize(t("mailers.new_actions_notification_rake_created.text_1",
link_to_published: link_to(proposal_dashboard_url(@proposal),
proposal_dashboard_url(@proposal))).html_safe %>
proposal_dashboard_url(@proposal)))) %>
</p>
<p><%= t("mailers.new_actions_notification_rake_created.text_2") %></p>
<br>

2
app/views/debates/_votes.html.erb
View File

@@ -52,7 +52,7 @@
<% elsif user_signed_in? && !debate.votable_by?(current_user) %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<%= t("votes.anonymous", verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("votes.anonymous", verify_account: link_to_verify_account)) %>
</p>
</div>
<% elsif !user_signed_in? %>

4
app/views/debates/index.html.erb
View File

@@ -86,8 +86,8 @@
</p>
<p><%= t("debates.index.section_footer.description") %></p>
<p><%= t("debates.index.section_footer.help_text_1") %></p>
<p><%= t("debates.index.section_footer.help_text_2",
org: link_to(setting["org_name"], new_user_registration_path)).html_safe %></p>
<p><%= sanitize(t("debates.index.section_footer.help_text_2",
org: link_to(setting["org_name"], new_user_registration_path))) %></p>
</p>
</div>
<% end %>

4
app/views/debates/new.html.erb
View File

@@ -5,8 +5,8 @@
<h1><%= t("debates.new.start_new") %></h1>
<div data-alert class="callout primary">
<%= t("debates.new.info",
info_link: link_to(t("debates.new.info_link"), new_proposal_path)).html_safe %>
<%= sanitize(t("debates.new.info",
info_link: link_to(t("debates.new.info_link"), new_proposal_path))) %>
<% if feature?(:help_page) %>
<%= link_to help_path, title: t("shared.target_blank"), target: "_blank" do %>

4
app/views/devise/sessions/new.html.erb
View File

@@ -4,8 +4,8 @@
<%= render "devise/omniauth_form" %>
<p>
<%= t("devise_views.shared.links.signup",
signup_link: link_to(t("devise_views.shared.links.signup_link"), new_user_registration_path)).html_safe %>
<%= sanitize(t("devise_views.shared.links.signup",
signup_link: link_to(t("devise_views.shared.links.signup_link"), new_user_registration_path))) %>
</p>
<%= form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>

8
app/views/direct_messages/new.html.erb
View File

@@ -9,8 +9,8 @@
<% if not current_user %>
<div class="callout primary">
<p>
<%= t("users.login_to_continue",
signin: link_to_signin, signup: link_to_signup).html_safe %>
<%= sanitize(t("users.login_to_continue",
signin: link_to_signin, signup: link_to_signup)) %>
</p>
</div>
<% elsif not @receiver.email_on_direct_message? %>
@@ -33,8 +33,8 @@
<% else %>
<div class="callout warning">
<p>
<%= t("users.direct_messages.new.verified_only",
verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("users.direct_messages.new.verified_only",
verify_account: link_to_verify_account)) %>
</p>
</div>
<% end %>

5
app/views/layouts/_footer.html.erb
View File

@@ -6,10 +6,9 @@
</h1>
<p class="info">
<%= t("layouts.footer.description",
<%= sanitize(t("layouts.footer.description",
open_source: link_to(t("layouts.footer.open_source"), t("layouts.footer.open_source_url"), target: "blank", rel: "nofollow"),
consul: link_to(t("layouts.footer.consul"), t("layouts.footer.consul_url"), target: "blank", rel: "nofollow")).html_safe
%>
consul: link_to(t("layouts.footer.consul"), t("layouts.footer.consul_url"), target: "blank", rel: "nofollow"))) %>
<%= t("layouts.footer.contact_us") %>
</p>
</div>

4
app/views/layouts/application.html.erb
View File

@@ -30,12 +30,12 @@
</button>
<h2><%= t("layouts.application.ie_title") %></h2>
<p>
<%= t("layouts.application.ie",
<%= sanitize(t("layouts.application.ie",
chrome: link_to(
t("layouts.application.chrome"), "https://www.google.com/chrome/browser/desktop/", title: t("shared.target_blank"), target: "_blank"),
firefox: link_to(
t("layouts.application.firefox"), "https://www.mozilla.org/firefox", title: t("shared.target_blank"), target: "_blank")
).html_safe %>
)) %>
</p>
</div>
<![endif]-->

4
app/views/legislation/annotations/_comments_box.html.erb
View File

@@ -37,8 +37,8 @@
<div>
<div class="participation-not-allowed" style="display: none;" aria-hidden="false">
<%= t("users.login_to_comment",
signin: link_to_signin, signup: link_to_signup).html_safe %>
<%= sanitize(t("users.login_to_comment",
signin: link_to_signin, signup: link_to_signup)) %>
</div>
</div>

4
app/views/legislation/processes/_help_gif.html.erb
View File

@@ -11,8 +11,8 @@
<%= t("annotator.help.alt") %>
<% else %>
<p>
<%= t("annotator.help.text",
sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
<%= sanitize(t("annotator.help.text",
sign_in: link_to_signin, sign_up: link_to_signup)) %>
</p>
<% end %>

2
app/views/legislation/proposals/_featured_votes.html.erb
View File

@@ -22,7 +22,7 @@
<% elsif user_signed_in? && !proposal.votable_by?(current_user) %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<%= t("votes.verified_only", verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("votes.verified_only", verify_account: link_to_verify_account)) %>
</p>
</div>
<% elsif !user_signed_in? %>

4
app/views/legislation/proposals/_votes.html.erb
View File

@@ -54,8 +54,8 @@
<% elsif user_signed_in? && !proposal.votable_by?(current_user) %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<%= t("legislation.proposals.not_verified",
verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("legislation.proposals.not_verified",
verify_account: link_to_verify_account)) %>
</p>
</div>
<% elsif !user_signed_in? %>

8
app/views/legislation/questions/_participation_not_allowed.html.erb
View File

@@ -7,14 +7,14 @@
<% elsif user_signed_in? && current_user.unverified? %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<%= t("legislation.questions.participation.verified_only",
verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("legislation.questions.participation.verified_only",
verify_account: link_to_verify_account)) %>
</p>
</div>
<% elsif !user_signed_in? %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<%= t("legislation.questions.participation.unauthenticated",
signin: link_to_signin, signup: link_to_signup).html_safe %>
<%= sanitize(t("legislation.questions.participation.unauthenticated",
signin: link_to_signin, signup: link_to_signup)) %>
</div>
<% elsif !@process.debate_phase.open? %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">

4
app/views/mailer/budget_investment_created.html.erb
View File

@@ -16,8 +16,8 @@
</p>
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
<%= t("mailers.budget_investment_created.follow_html",
link: link_to(t("mailers.budget_investment_created.follow_link"), budgets_url)).html_safe %>
<%= sanitize(t("mailers.budget_investment_created.follow_html",
link: link_to(t("mailers.budget_investment_created.follow_link"), budgets_url))) %>
</p>
<table style="width: 100%;">

4
app/views/mailer/direct_message_for_receiver.html.erb
View File

@@ -26,9 +26,9 @@
<tr>
<td style="padding-left: 10px;">
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px; margin: 0; font-style: italic; padding-bottom: 20px;">
<%= t("mailers.direct_message_for_receiver.unsubscribe",
<%= sanitize(t("mailers.direct_message_for_receiver.unsubscribe",
account: link_to(t("mailers.direct_message_for_receiver.unsubscribe_account"),
account_url, style: "color: #2895F1; text-decoration: none;")).html_safe %>
account_url, style: "color: #2895F1; text-decoration: none;"))) %>
</p>
</td>
</tr>

4
app/views/mailer/proposal_notification_digest.html.erb
View File

@@ -61,9 +61,9 @@
<tr>
<td style="padding-left: 10px;">
<p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px; margin: 0; font-style: italic; padding-bottom: 20px;">
<%= t("mailers.proposal_notification_digest.unsubscribe",
<%= sanitize(t("mailers.proposal_notification_digest.unsubscribe",
account: link_to(t("mailers.proposal_notification_digest.unsubscribe_account"),
account_url, style: "color: #2895F1; text-decoration: none;")).html_safe %>
account_url, style: "color: #2895F1; text-decoration: none;"))) %>
</p>
</td>
</tr>

4
app/views/management/document_verifications/invalid_document.html.erb
View File

@@ -11,6 +11,6 @@
permissions: [:debates, :create_proposals] %>
<p>
<%= t("management.document_verifications.has_no_account_html",
link: link_to(t("management.document_verifications.link"), root_path, target: "_blank")).html_safe %>
<%= sanitize(t("management.document_verifications.has_no_account_html",
link: link_to(t("management.document_verifications.link"), root_path, target: "_blank"))) %>
</p>

4
app/views/pages/help/_budgets.html.erb
View File

@@ -4,8 +4,8 @@
<%= t("pages.help.budgets.title") %>
</h3>
<p>
<%= t("pages.help.budgets.description",
link: link_to(t("pages.help.budgets.link"), budgets_path)).html_safe %>
<%= sanitize(t("pages.help.budgets.description",
link: link_to(t("pages.help.budgets.link"), budgets_path))) %>
</p>
<figure>

8
app/views/pages/help/_debates.html.erb
View File

@@ -4,16 +4,16 @@
<%= t("pages.help.debates.title") %>
</h3>
<p>
<%= t("pages.help.debates.description",
<%= sanitize(t("pages.help.debates.description",
org: setting["org_name"],
link: link_to(t("pages.help.debates.link"),
debates_path)).html_safe %>
debates_path))) %>
</p>
<ul class="features">
<li>
<%= t("pages.help.debates.feature_html",
<%= sanitize(t("pages.help.debates.feature_html",
link: link_to(t("pages.help.debates.feature_link", org: setting["org_name"]),
new_user_registration_path)).html_safe %>
new_user_registration_path))) %>
</li>
</ul>

8
app/views/pages/help/_polls.html.erb
View File

@@ -2,14 +2,14 @@
<div class="small-12 column">
<h3 id="polls" data-magellan-target="polls"><%= t("pages.help.polls.title") %></h3>
<p>
<%= t("pages.help.polls.description",
link: link_to(t("pages.help.polls.link"), polls_path)).html_safe %>
<%= sanitize(t("pages.help.polls.description",
link: link_to(t("pages.help.polls.link"), polls_path))) %>
</p>
<ul class="features">
<li>
<%= t("pages.help.polls.feature_1",
<%= sanitize(t("pages.help.polls.feature_1",
link: link_to(t("pages.help.polls.feature_1_link", org_name: setting["org_name"]),
new_user_registration_path)).html_safe %>
new_user_registration_path))) %>
</li>
</ul>
</div>

2
app/views/pages/help/_processes.html.erb
View File

@@ -6,7 +6,7 @@
<p>
<% link = link_to(t("pages.help.processes.link"), legislation_processes_path) %>
<%= t("pages.help.processes.description", link: link).html_safe %>
<%= sanitize(t("pages.help.processes.description", link: link)) %>
</p>
<ul class="features">
<li>

4
app/views/pages/help/_proposals.html.erb
View File

@@ -4,8 +4,8 @@
<%= t("pages.help.proposals.title") %>
</h3>
<p>
<%= t("pages.help.proposals.description",
link: link_to(t("pages.help.proposals.link"), proposals_path)).html_safe %>
<%= sanitize(t("pages.help.proposals.description",
link: link_to(t("pages.help.proposals.link"), proposals_path))) %>
</p>
<figure>

4
app/views/polls/_callout.html.erb
View File

@@ -1,9 +1,9 @@
<% unless can?(:answer, @poll) %>
<% if current_user.nil? %>
<div class="callout primary">
<%= t("polls.show.cant_answer_not_logged_in",
<%= sanitize(t("polls.show.cant_answer_not_logged_in",
signin: link_to_signin(class: "probe-message"),
signup: link_to_signup(class: "probe-message")).html_safe %>
signup: link_to_signup(class: "probe-message"))) %>
</div>
<% elsif current_user.unverified? %>
<div class="callout warning">

4
app/views/proposal_notifications/new.html.erb
View File

@@ -6,10 +6,10 @@
<div class="callout primary">
<p>
<%= t("proposal_notifications.new.info_about_receivers_html",
<%= sanitize(t("proposal_notifications.new.info_about_receivers_html",
count: @proposal.users_to_notify.count,
proposal_page: link_to(t("proposal_notifications.new.proposal_page"),
proposal_path(@proposal, anchor: "comments"))).html_safe %>
proposal_path(@proposal, anchor: "comments")))) %>
</p>
</div>
</div>

2
app/views/proposals/_featured_votes.html.erb
View File

@@ -22,7 +22,7 @@
<% elsif user_signed_in? && !proposal.votable_by?(current_user) %>
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<%= t("votes.verified_only", verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("votes.verified_only", verify_account: link_to_verify_account)) %>
</p>
</div>
<% elsif !user_signed_in? %>

2
app/views/proposals/_votes.html.erb
View File

@@ -29,7 +29,7 @@
<div tabindex="0">
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<p>
<%= t("votes.verified_only", verify_account: link_to_verify_account).html_safe %>
<%= sanitize(t("votes.verified_only", verify_account: link_to_verify_account)) %>
</p>
</div>
</div>

2
app/views/shared/_login_to_comment.html.erb
View File

@@ -1,3 +1,3 @@
<div data-alert class="callout primary">
<%= t("users.login_to_comment", signin: link_to_signin, signup: link_to_signup).html_safe %>
<%= sanitize(t("users.login_to_comment", signin: link_to_signin, signup: link_to_signup)) %>
</div>

2
app/views/shared/_login_to_vote.html.erb
View File

@@ -1,3 +1,3 @@
<div class="participation-not-allowed" style="display:none" aria-hidden="false">
<%= t("users.login_to_continue", signin: link_to_signin, signup: link_to_signup).html_safe %>
<%= sanitize(t("users.login_to_continue", signin: link_to_signin, signup: link_to_signup)) %>
</div>

4
app/views/topics/_informative_text.html.erb
View File

@@ -6,7 +6,7 @@
</div>
<% else %>
<div class="callout primary">
<%= t("community.show.create_first_community_topic.sub_first_theme",
sign_in: link_to_signin, sign_up: link_to_signup).html_safe %>
<%= sanitize(t("community.show.create_first_community_topic.sub_first_theme",
sign_in: link_to_signin, sign_up: link_to_signup)) %>
</div>
<% end %>

4
app/views/users/registrations/new.html.erb
View File

@@ -7,8 +7,8 @@
<%= render "shared/errors", resource: resource %>
<p>
<%= t("devise_views.users.registrations.new.organization_signup",
signup_link: link_to(t("devise_views.users.registrations.new.organization_signup_link"), new_organization_registration_path)).html_safe %>
<%= sanitize(t("devise_views.users.registrations.new.organization_signup",
signup_link: link_to(t("devise_views.users.registrations.new.organization_signup_link"), new_organization_registration_path))) %>
</p>
<div class="row">

9
spec/features/xss_spec.rb
View File

@@ -40,6 +40,15 @@ describe "Cross-Site Scripting protection", :js do
expect(page.text).not_to be_empty
end
scenario "link to sign in" do
I18nContent.create(key: "budgets.investments.index.sidebar.not_logged_in", value: attack_code)
create(:budget, phase: "accepting")
visit budgets_path
expect(page.text).not_to be_empty
end
scenario "proposal actions in dashboard" do
proposal = create(:proposal)

4
spec/mailers/dashboard/mailer_spec.rb
View File

@@ -182,8 +182,8 @@ describe Dashboard::Mailer do
"successfully created.")
expect(email).to have_body_text("Take advantage that your proposal is not public yet and "\
"get ready to contact a lot of people.")
expect(email).to have_body_text(I18n.t("mailers.new_actions_notification_on_create.text_2",
link: proposal_dashboard_url(proposal)).html_safe)
expect(email).to have_body_text("When you are ready publish your citizen proposal from this")
expect(email).to have_link "link", href: proposal_dashboard_url(proposal)
expect(email).to have_body_text("We know that creating a proposal with a hook and getting "\
"the necessary support can seem complicated. But dont "\
"worry because we are going to help you!")