Use attributes in translations with sanitize

There's a slight chance an attribute like an author's name might contain an attempt to perform XSS attacks. So, instead of marking the whole text as HTML safe, we can sanitize it. Also note I'm removing the `_html` suffix in the i18n key, since it's got the same effect as using `html_safe`.
2019-10-02 02:18:48 +02:00
parent 75a28fafcb
commit 56f690b8a9
3 changed files with 8 additions and 8 deletions
--- a/app/views/mailer/budget_investment_created.html.erb
+++ b/app/views/mailer/budget_investment_created.html.erb
@@ -5,14 +5,14 @@
  </h1>

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
-    <%= t("mailers.budget_investment_created.intro_html",
-           author: @investment.author.name).html_safe %>
+    <%= sanitize(t("mailers.budget_investment_created.intro",
+           author: @investment.author.name)) %>
  </p>

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
-    <%= t("mailers.budget_investment_created.text_html",
+    <%= sanitize(t("mailers.budget_investment_created.text",
           investment: @investment.title,
-           budget: @investment.budget.name).html_safe %>
+           budget: @investment.budget.name)) %>
  </p>

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">