Remove unneeded html_safe and raw calls

There's no HTML in these texts, or it has already been escaped by Rails `link_to` helper method.
2019-10-02 02:24:25 +02:00
parent 2c80c05372
commit 20ca6beb30
10 changed files with 25 additions and 10 deletions
--- a/app/controllers/direct_uploads_controller.rb
+++ b/app/controllers/direct_uploads_controller.rb
@@ -17,7 +17,7 @@ class DirectUploadsController < ApplicationController

      render json: { cached_attachment: @direct_upload.relation.cached_attachment,
                     filename: @direct_upload.relation.attachment.original_filename,
-                     destroy_link: render_destroy_upload_link(@direct_upload).html_safe,
+                     destroy_link: render_destroy_upload_link(@direct_upload),
                     attachment_url: @direct_upload.relation.attachment.url }
    else
      @direct_upload.destroy_attachment
--- a/app/views/admin/budget_investments/_select_investment.html.erb
+++ b/app/views/admin/budget_investments/_select_investment.html.erb
@@ -31,7 +31,7 @@
 <td class="small" data-field="valuator">
  <% valuators = [investment.assigned_valuation_groups, investment.assigned_valuators].compact %>
  <% no_valuators_assigned = t("admin.budget_investments.index.no_valuators_assigned") %>
-  <%= raw valuators.present? ? valuators.join(", ") : no_valuators_assigned %>
+  <%= valuators.present? ? valuators.join(", ") : no_valuators_assigned %>
 </td>

 <td class="small" data-field="geozone">
--- a/app/views/dashboard/mailer/new_actions_notification_on_published.html.erb
+++ b/app/views/dashboard/mailer/new_actions_notification_on_published.html.erb
@@ -36,7 +36,7 @@
    <ul>
      <li><%= first_proposed_action.title %></li>
      <% if first_proposed_action.short_description.present? %>
-        <p><%= first_proposed_action.short_description.html_safe %></p>
+        <p><%= first_proposed_action.short_description %></p>
      <% end %>
    </ul>
  <% end %>
--- a/app/views/kaminari/_first_page.html.erb
+++ b/app/views/kaminari/_first_page.html.erb
@@ -1,3 +1,3 @@
 <li>
-  <%= link_to t("views.pagination.first").html_safe, kaminari_path(url), :remote => remote %>
+  <%= link_to t("views.pagination.first"), kaminari_path(url), :remote => remote %>
 </li>
--- a/app/views/kaminari/_last_page.html.erb
+++ b/app/views/kaminari/_last_page.html.erb
@@ -1,3 +1,3 @@
 <li>
-  <%= link_to t("views.pagination.last").html_safe, kaminari_path(url), :remote => remote %>
+  <%= link_to t("views.pagination.last"), kaminari_path(url), :remote => remote %>
 </li>
--- a/app/views/kaminari/_next_page.html.erb
+++ b/app/views/kaminari/_next_page.html.erb
@@ -1,3 +1,3 @@
 <li class="pagination-next">
-  <%= link_to t("views.pagination.next").html_safe, kaminari_path(url), :rel => "next", :remote => remote %>
+  <%= link_to t("views.pagination.next"), kaminari_path(url), :rel => "next", :remote => remote %>
 </li>
--- a/app/views/kaminari/_prev_page.html.erb
+++ b/app/views/kaminari/_prev_page.html.erb
@@ -1,3 +1,3 @@
 <li class="pagination-previous">
-  <%= link_to t("views.pagination.previous").html_safe, kaminari_path(url), :rel => "prev", :remote => remote %>
+  <%= link_to t("views.pagination.previous"), kaminari_path(url), :rel => "prev", :remote => remote %>
 </li>
--- a/app/views/layouts/_footer.html.erb
+++ b/app/views/layouts/_footer.html.erb
@@ -2,7 +2,7 @@
  <div class="row">
    <div class="small-12 large-4 column">
      <h1 class="logo">
-        <%= link_to t("layouts.header.open_gov", open: "#{t("layouts.header.open")}").html_safe %>
+        <%= link_to t("layouts.header.open_gov", open: t("layouts.header.open")), root_path %>
      </h1>

      <p class="info">
--- a/app/views/layouts/_notification_item.html.erb
+++ b/app/views/layouts/_notification_item.html.erb
@@ -10,11 +10,11 @@
        <span class="icon-circle" aria-hidden="true"></span>
        <span class="icon-notification" aria-hidden="true"
              title="<%= t("layouts.header.notification_item.new_notifications",
-                         count: current_user.notifications_count).html_safe %>">
+                         count: current_user.notifications_count) %>">
        </span>
        <span class="show-for-small-only">
          <%= t("layouts.header.notification_item.new_notifications",
-              count: current_user.notifications_count).html_safe %>
+              count: current_user.notifications_count) %>
        </span>
      <% else %>
        <span class="icon-no-notification" aria-hidden="true"
--- a/spec/features/xss_spec.rb
+++ b/spec/features/xss_spec.rb
@@ -0,0 +1,15 @@
+require "rails_helper"
+
+describe "Cross-Site Scripting protection", :js do
+  let(:attack_code) { "<script>document.body.remove()</script>" }
+
+  scenario "valuators in admin investments index" do
+    hacker = create(:user, username: attack_code)
+    investment = create(:budget_investment, valuators: [create(:valuator, user: hacker)])
+
+    login_as(create(:administrator).user)
+    visit admin_budget_budget_investments_path(investment.budget)
+
+    expect(page.text).not_to be_empty
+  end
+end