From 61bf9a5c7307f9ffbed4519dee15d0bb90ccfea7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?= <javim@elretirao.net>
Date: Wed, 2 Oct 2019 17:06:49 +0200
Subject: [PATCH] Use `sanitize` instead of `html_safe`

The difference is `html_safe` allows every HTML tag, including the
`<script>` tag, while `sanitize` only allows tags which are considered
safe. In this case, we want to allow a `<span>` tag in a translation,
and links inside flash messages.
---
 app/views/budgets/ballot/_ballot.html.erb | 4 ++--
 app/views/kaminari/_gap.html.erb          | 2 +-
 app/views/layouts/_flash.html.erb         | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/views/budgets/ballot/_ballot.html.erb b/app/views/budgets/ballot/_ballot.html.erb
index fc5d9a128..c29a2b4f0 100644
--- a/app/views/budgets/ballot/_ballot.html.erb
+++ b/app/views/budgets/ballot/_ballot.html.erb
@@ -26,8 +26,8 @@
           <h3>
             <%= group.name %> - <%= @ballot.heading_for_group(group).name %>
           </h3>
-          <%= link_to t("budgets.ballots.show.remaining",
-                      amount: @ballot.formatted_amount_available(@ballot.heading_for_group(group))).html_safe,
+          <%= link_to sanitize(t("budgets.ballots.show.remaining",
+                      amount: @ballot.formatted_amount_available(@ballot.heading_for_group(group)))),
                       budget_group_path(@budget, group) %>
         </div>
         <% if @ballot.has_lines_in_group?(group) %>
diff --git a/app/views/kaminari/_gap.html.erb b/app/views/kaminari/_gap.html.erb
index fc2dbed0f..f5932a473 100644
--- a/app/views/kaminari/_gap.html.erb
+++ b/app/views/kaminari/_gap.html.erb
@@ -1,3 +1,3 @@
 <li class="ellipsis" aria-hidden="true">
-  <%= t("views.pagination.truncate").html_safe %>
+  <%= sanitize(t("views.pagination.truncate")) %>
 </li>
diff --git a/app/views/layouts/_flash.html.erb b/app/views/layouts/_flash.html.erb
index a0f129224..6f881eeba 100644
--- a/app/views/layouts/_flash.html.erb
+++ b/app/views/layouts/_flash.html.erb
@@ -5,7 +5,7 @@
         <span aria-hidden="true">&times;</span>
       </button>
       <div class="notice-text">
-        <%= flash_message.try(:html_safe) %>
+        <%= sanitize(flash_message) %>
       </div>
     </div>
   </div>