Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/helpers/globalize_helper.rb
+++ b/app/helpers/globalize_helper.rb
@@ -64,7 +64,7 @@ module GlobalizeHelper
  end

  def selected_languages_description(resource)
-    t("shared.translations.languages_in_use_html", count: active_languages_count(resource))
+    sanitize(t("shared.translations.languages_in_use", count: active_languages_count(resource)))
  end

  def select_language_error(resource)
--- a/app/views/admin/budget_investments/_filters_description.html.erb
+++ b/app/views/admin/budget_investments/_filters_description.html.erb
@@ -1,16 +1,16 @@
 <% if params[:filter].present? && params[:advanced_filters].present? %>
-  <p class="inline-block"><%= t("#{i18n_namespace}.filters.two_filters_html",
+  <p class="inline-block"><%= sanitize(t("#{i18n_namespace}.filters.two_filters",
                              filter: t("#{i18n_namespace}.filters.#{params[:filter]}"),
-                              advanced_filters: budget_investments_advanced_filters(params[:advanced_filters])) %></p>
+                              advanced_filters: budget_investments_advanced_filters(params[:advanced_filters]))) %></p>

 <% elsif params[:filter].present? %>

-  <p class="inline-block"><%= t("#{i18n_namespace}.filters.one_filter_html",
-                              filter: t("#{i18n_namespace}.filters.#{params[:filter]}")) %></p>
+  <p class="inline-block"><%= sanitize(t("#{i18n_namespace}.filters.one_filter",
+                              filter: t("#{i18n_namespace}.filters.#{params[:filter]}"))) %></p>

 <% elsif params[:advanced_filters].present? %>

-  <p class="inline-block"><%= t("#{i18n_namespace}.filters.one_filter_html",
-                              filter: budget_investments_advanced_filters(params[:advanced_filters])) %></p>
+  <p class="inline-block"><%= sanitize(t("#{i18n_namespace}.filters.one_filter",
+                              filter: budget_investments_advanced_filters(params[:advanced_filters]))) %></p>

 <% end %>
--- a/app/views/admin/legislation/draft_versions/_form.html.erb
+++ b/app/views/admin/legislation/draft_versions/_form.html.erb
@@ -36,9 +36,9 @@
      <div class="markdown-editor clear">
        <div class="small-12 medium-8 column fullscreen-container">
          <div class="markdown-editor-header truncate">
-            <%= t("admin.legislation.draft_versions.form.title_html",
+            <%= sanitize(t("admin.legislation.draft_versions.form.title",
                   draft_version_title: @draft_version.title,
-                   process_title: @process.title) %>
+                   process_title: @process.title)) %>
          </div>

          <div class="markdown-editor-buttons">
--- a/app/views/admin/newsletters/new.html.erb
+++ b/app/views/admin/newsletters/new.html.erb
@@ -1,9 +1,9 @@
 <%= back_link_to %>
 <h2><%= t("admin.newsletters.new.title") %></h2>
 <p>
-  <%= t("admin.newsletters.new.header_footer_help_text_html",
+  <%= sanitize(t("admin.newsletters.new.header_footer_help_text",
         link: link_to(t("admin.newsletters.new.image_link"),
-                       admin_site_customization_images_path)) %>
+                       admin_site_customization_images_path))) %>
 </p>

 <%= render "form" %>
--- a/app/views/admin/organizations/index.html.erb
+++ b/app/views/admin/organizations/index.html.erb
@@ -67,7 +67,7 @@

  <% if hidden > 0 %>
    <div class="callout warning">
-      <%= t("admin.organizations.index.hidden_count_html", count: hidden) %>
+      <%= sanitize(t("admin.organizations.index.hidden_count", count: hidden)) %>
    </div>
  <% end %>

--- a/app/views/admin/site_customization/pages/_form.html.erb
+++ b/app/views/admin/site_customization/pages/_form.html.erb
@@ -32,7 +32,7 @@

    <div class="small-12 medium-6 column">
      <%= f.text_field :slug, size: 80, maxlength: 80,
-        hint: t("admin.site_customization.pages.new.slug_help_html") %>
+        hint: sanitize(t("admin.site_customization.pages.new.slug_help")) %>
    </div>
  </div>

--- a/app/views/budgets/ballot/_ballot.html.erb
+++ b/app/views/budgets/ballot/_ballot.html.erb
@@ -6,8 +6,7 @@

    <div class="small-12 medium-8 column small-centered text-center">
      <h2>
-        <%= t("budgets.ballots.show.voted_html",
-            count: @ballot.investments.count) %>
+        <%= sanitize(t("budgets.ballots.show.voted", count: @ballot.investments.count)) %>
      </h2>
      <p class="confirmed">
        <%= t("budgets.ballots.show.voted_info") %>
--- a/app/views/budgets/investments/_header.html.erb
+++ b/app/views/budgets/investments/_header.html.erb
@@ -36,8 +36,8 @@
              </h2>
              <div class="small-12 medium-9">
                <div class="callout warning margin-top">
-                  <%= t("budgets.investments.header.different_heading_assigned_html",
-                        heading_link: heading_link(@assigned_heading, @budget)) %>
+                  <%= sanitize(t("budgets.investments.header.different_heading_assigned",
+                        heading_link: heading_link(@assigned_heading, @budget))) %>
                  <br>
                  <small>
                    <%= sanitize(t("budgets.investments.header.change_ballot",
--- a/app/views/budgets/investments/_investment_detail.erb
+++ b/app/views/budgets/investments/_investment_detail.erb
@@ -19,7 +19,7 @@
 <%= render_image(investment.image, :large, true) if investment.image.present? %>

 <p id="investment_code">
-  <%= t("budgets.investments.show.code_html", code: investment.id) %>
+  <%= sanitize(t("budgets.investments.show.code", code: investment.id)) %>
 </p>

 <%= auto_link_already_sanitized_html investment.description %>
@@ -32,13 +32,13 @@

 <% if investment.location.present? %>
  <p>
-    <%= t("budgets.investments.show.location_html", location: investment.location) %>
+    <%= sanitize(t("budgets.investments.show.location", location: investment.location)) %>
  </p>
 <% end %>

 <% if investment.organization_name.present? %>
  <p>
-    <%= t("budgets.investments.show.organization_name_html", name: investment.organization_name) %>
+    <%= sanitize(t("budgets.investments.show.organization_name", name: investment.organization_name)) %>
  </p>
 <% end %>

--- a/app/views/budgets/investments/_investment_show.html.erb
+++ b/app/views/budgets/investments/_investment_show.html.erb
@@ -75,7 +75,7 @@

        <% if investment.unfeasible? && investment.valuation_finished? %>
          <div class="callout warning">
-            <%= t("budgets.investments.show.project_unfeasible_html") %>
+            <%= sanitize(t("budgets.investments.show.project_unfeasible")) %>
          </div>
        <% elsif investment.winner? && @budget.finished? %>
          <div class="callout success">
@@ -83,11 +83,11 @@
          </div>
        <% elsif investment.selected? %>
          <div class="callout success">
-            <%= t("budgets.investments.show.project_selected_html") %>
+            <%= sanitize(t("budgets.investments.show.project_selected")) %>
          </div>
        <% elsif @budget.balloting_or_later? %>
          <div class="callout warning">
-            <%= t("budgets.investments.show.project_not_selected_html") %>
+            <%= sanitize(t("budgets.investments.show.project_not_selected")) %>
          </div>
        <% else %>
          <br>
--- a/app/views/budgets/investments/_sidebar.html.erb
+++ b/app/views/budgets/investments/_sidebar.html.erb
@@ -40,16 +40,16 @@
  <% if @ballot.investments.by_heading(@heading.id).count > 0 %>
    <p>
      <em>
-        <%= t("budgets.investments.index.sidebar.voted_html",
+        <%= sanitize(t("budgets.investments.index.sidebar.voted",
            count: @ballot.investments.by_heading(@heading.id).count,
-            amount_spent: @ballot.formatted_amount_spent(@heading)) %>
+            amount_spent: @ballot.formatted_amount_spent(@heading))) %>
      </em>
    </p>
  <% elsif @assigned_heading.present? %>
    <p>
-      <%= t("budgets.investments.index.sidebar.different_heading_assigned_html",
+      <%= sanitize(t("budgets.investments.index.sidebar.different_heading_assigned",
              heading_link: heading_link(@assigned_heading, @budget)
-            ) %>
+            )) %>
      <br>
      <small>
        <%= sanitize(t("budgets.investments.index.sidebar.change_ballot",
--- a/app/views/budgets/investments/index.html.erb
+++ b/app/views/budgets/investments/index.html.erb
@@ -28,9 +28,9 @@
          <h2><%= t("shared.search_results") %></h2>
          <p>
            <%= page_entries_info @investments %>
-            <%= t("budgets.investments.index.search_results_html",
+            <%= sanitize(t("budgets.investments.index.search_results",
                   count: @investments.size,
-                   search_term: params[:search]) %>
+                   search_term: params[:search])) %>
          </p>
        </div>
      </div>
--- a/app/views/budgets/stats/_advanced_stats.html.erb
+++ b/app/views/budgets/stats/_advanced_stats.html.erb
@@ -34,7 +34,7 @@
      <thead>
        <tr>
          <th scope="col" rowspan="2"><%= t("stats.budgets.heading") %></th>
-          <th scope="col" rowspan="2"><%= t("stats.budgets.investments_sent_html") %></th>
+          <th scope="col" rowspan="2"><%= sanitize(t("stats.budgets.investments_sent")) %></th>

          <% stats.all_phases.each do |phase| %>
            <th scope="col" colspan="3">
--- a/app/views/dashboard/mailer/forward.html.erb
+++ b/app/views/dashboard/mailer/forward.html.erb
@@ -8,7 +8,7 @@
          <%= image_tag "quote_before_white.png", style: "max-width: 40px; vertical-align: top;" %>
          <h1 style="color: #fff; font-size: 60px; line-height: 90px; display: inline;"><%= @proposal.title %></h1>
          <%= image_tag "quote_after_white.png", style: "max-width: 40px; vertical-align: top;" %>
-          <h2 style="color: #fff; font-size: 40px; line-height: 60px"><%= t("dashboard.mailer.forward.subtitle_html") %></h2>
+          <h2 style="color: #fff; font-size: 40px; line-height: 60px"><%= sanitize(t("dashboard.mailer.forward.subtitle")) %></h2>
        </td>
      </tr>
    </tbody>
--- a/app/views/dashboard/mailing/index.html.erb
+++ b/app/views/dashboard/mailing/index.html.erb
@@ -5,7 +5,7 @@
      <%= image_tag "quote_before_white.png" %>
      <h1 class="inline"><%= proposal.title %></h1>
      <%= image_tag "quote_after_white.png" %>
-      <h2><%= t("dashboard.mailer.forward.subtitle_html") %></h2>
+      <h2><%= sanitize(t("dashboard.mailer.forward.subtitle")) %></h2>
    </div>

    <div class="margin-bottom">
--- a/app/views/dashboard/poster/index.html.erb
+++ b/app/views/dashboard/poster/index.html.erb
@@ -10,7 +10,7 @@
          <%= t("dashboard.poster.index.poster_subtitle") %>
        </h1>
        <p class="intro">
-          <%= t("dashboard.poster.index.intro_text_html", org: Setting["org_name"]) %>
+          <%= sanitize(t("dashboard.poster.index.intro_text", org: Setting["org_name"])) %>
        </p>

        <p class="text-center">
@@ -29,7 +29,7 @@
            <h3><%= proposal.title %></h3>
            <%= image_tag "quote_after_blue.png" %>
          <p class="poster-footer">
-            <%= t("dashboard.poster.index.footer_html", link: proposal_url(proposal)) %>
+            <%= sanitize(t("dashboard.poster.index.footer", link: proposal_url(proposal))) %>
          </p>
        </div>
      </div>
--- a/app/views/dashboard/poster/index.pdf.erb
+++ b/app/views/dashboard/poster/index.pdf.erb
@@ -16,7 +16,7 @@
      </strong>
    </h1>
    <p class="intro">
-      <%= t("dashboard.poster.index.intro_text_html", org: Setting["org_name"]) %>
+      <%= sanitize(t("dashboard.poster.index.intro_text", org: Setting["org_name"])) %>
    </p>
    <p class="text-center proposal-code">
      <strong><%= t("dashboard.poster.index.proposal_code", code: proposal.code) %></strong>
@@ -34,7 +34,7 @@
      <h3><strong><%= proposal.title %></strong></h3>
      <%= wicked_pdf_image_tag "quote_after_blue.png" %>
      <p class="poster-footer">
-        <%= t("dashboard.poster.index.footer_html", link: proposal_url(proposal)) %>
+        <%= sanitize(t("dashboard.poster.index.footer", link: proposal_url(proposal))) %>
      </p>
    </div>
  </div>
--- a/app/views/debates/index.html.erb
+++ b/app/views/debates/index.html.erb
@@ -18,7 +18,9 @@
            <p>
              <%= page_entries_info @debates %>
              <% if !@advanced_search_terms %>
-                <%= t("debates.index.search_results_html", count: @debates.size, search_term: @search_terms) %>
+                <%= sanitize(
+                  t("debates.index.search_results", count: @debates.size, search_term: @search_terms)
+                ) %>
              <% end %>
            </p>
          <% elsif @tag_filter %>
--- a/app/views/devise/confirmations/show.html.erb
+++ b/app/views/devise/confirmations/show.html.erb
@@ -1,7 +1,7 @@
 <% provide :title do %><%= t("devise_views.confirmations.show.title") %><% end %>
 <h1 class="text-center"><%= t("devise_views.confirmations.show.title") %></h1>

-<p><%= t("devise_views.confirmations.show.instructions_html", email: resource.email) %></p>
+<p><%= sanitize(t("devise_views.confirmations.show.instructions", email: resource.email)) %></p>

 <%= form_for(resource,
             as: resource_name,
--- a/app/views/documents/_nested_documents.html.erb
+++ b/app/views/documents/_nested_documents.html.erb
@@ -18,6 +18,6 @@
                              } %>

  <div id="max-documents-notice" class="max-documents-notice callout primary text-center <%= "hide" unless max_documents_allowed?(documentable) %>">
-    <%= t "documents.max_documents_allowed_reached_html" %>
+    <%= sanitize(t("documents.max_documents_allowed_reached")) %>
  </div>
 </div>
--- a/app/views/mailer/budget_investment_unfeasible.html.erb
+++ b/app/views/mailer/budget_investment_unfeasible.html.erb
@@ -9,9 +9,9 @@
  </p>

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
-  <%= t("mailers.budget_investment_unfeasible.new_html",
+  <%= sanitize(t("mailers.budget_investment_unfeasible.new",
      url: link_to(t("mailers.budget_investment_unfeasible.new_href"),
-      new_budget_investment_url(@investment.budget), style: "color: #2895F1; text-decoration: underline;")) %>
+      new_budget_investment_url(@investment.budget), style: "color: #2895F1; text-decoration: underline;"))) %>
  </p>

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
--- a/app/views/mailer/comment.html.erb
+++ b/app/views/mailer/comment.html.erb
@@ -9,7 +9,8 @@
  </p>

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
-    <%= t("mailers.comment.new_comment_by_html", commenter: @comment.author.name) %> <%= link_to @commentable.title, commentable_url(@commentable), style: "color: #2895F1; text-decoration:none;" %>
+    <%= sanitize(t("mailers.comment.new_comment_by", commenter: @comment.author.name)) %>
+    <%= link_to @commentable.title, commentable_url(@commentable), style: "color: #2895F1; text-decoration:none;" %>
  </p>

  <p style="border-left: 2px solid #DEE0E3;font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-style: italic;font-weight: normal;line-height: 24px;margin-left: 20px;padding: 10px;">
--- a/app/views/mailer/direct_message_for_sender.html.erb
+++ b/app/views/mailer/direct_message_for_sender.html.erb
@@ -1,8 +1,8 @@
 <td style="padding-bottom: 20px; padding-left: 10px;">

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif; font-size: 20px;">
-    <%= t("mailers.direct_message_for_sender.title_html",
-        receiver: @direct_message.receiver.name) %>
+    <%= sanitize(t("mailers.direct_message_for_sender.title",
+        receiver: @direct_message.receiver.name)) %>
  </p>

  <h2 style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif; font-size: 18px;">
--- a/app/views/mailer/email_verification.html.erb
+++ b/app/views/mailer/email_verification.html.erb
@@ -4,16 +4,16 @@
  </h1>

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
-  <%= t("mailers.email_verification.instructions_html",
+  <%= sanitize(t("mailers.email_verification.instructions",
        verification_link: link_to(
          t("mailers.email_verification.click_here_to_verify"),
-          email_url(email_verification_token: @token))) %>
+          email_url(email_verification_token: @token)))) %>
  </p>

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
-  <%= t("mailers.email_verification.instructions_2_html",
+  <%= sanitize(t("mailers.email_verification.instructions_2",
        document_type: humanize_document_type(@document_type),
-        document_number: @document_number) %>
+        document_number: @document_number)) %>
  </p>
  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
    <%= t("mailers.email_verification.thanks") %>
--- a/app/views/mailer/evaluation_comment.html.erb
+++ b/app/views/mailer/evaluation_comment.html.erb
@@ -9,7 +9,11 @@
  </p>

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
-    <%= t("mailers.evaluation_comment.new_comment_by_html", commenter: @email.comment.author.name, investment: valuation_comments_link(@email.commentable)) %>
+    <%= sanitize(t(
+      "mailers.evaluation_comment.new_comment_by",
+      commenter: @email.comment.author.name,
+      investment: valuation_comments_link(@email.commentable)
+    )) %>
  </p>

  <%= t("mailers.evaluation_comment.commenter_info", commenter: @email.comment.author.name, time: l(@email.comment.created_at)) %>
--- a/app/views/mailer/reply.html.erb
+++ b/app/views/mailer/reply.html.erb
@@ -9,7 +9,8 @@
  </p>

  <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
-    <%= t("mailers.reply.new_reply_by_html", commenter: @email.reply.author.name) %> <%= link_to @email.commentable.title, comment_url(@email.reply.id), style: "color: #2895F1; text-decoration:none;" %>
+    <%= sanitize(t("mailers.reply.new_reply_by", commenter: @email.reply.author.name)) %>
+    <%= link_to @email.commentable.title, comment_url(@email.reply.id), style: "color: #2895F1; text-decoration:none;" %>
  </p>

  <div style="border-left: 2px solid #DEE0E3;font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-style: italic;font-weight: normal;line-height: 24px;margin-left: 20px;padding: 10px;">
--- a/app/views/management/proposals/index.html.erb
+++ b/app/views/management/proposals/index.html.erb
@@ -10,7 +10,9 @@
        <% if @search_terms %>
          <h3>
            <%= page_entries_info @proposals %>
-            <%= t("proposals.index.search_results_html", count: @proposals.size, search_term: @search_terms) %>
+            <%= sanitize(
+              t("proposals.index.search_results", count: @proposals.size, search_term: @search_terms)
+            ) %>
          </h3>
        <% end %>

--- a/app/views/management/user_invites/create.html.erb
+++ b/app/views/management/user_invites/create.html.erb
@@ -4,6 +4,6 @@
  <h2><%= t("management.user_invites.create.title") %></h2>

  <div class="callout success">
-    <%= t("management.user_invites.create.success_html", count: @emails.count) %>
+    <%= sanitize(t("management.user_invites.create.success", count: @emails.count)) %>
  </div>
 </div>
--- a/app/views/management/users/show.html.erb
+++ b/app/views/management/users/show.html.erb
@@ -1,7 +1,7 @@
 <% if @user.email.blank? %>
-  <p><%= t("management.users.autogenerated_password_html", password: @user.password) %></p>
+  <p><%= sanitize(t("management.users.autogenerated_password", password: @user.password)) %></p>
 <% else %>
-  <p><%= t("management.users.create_user_success_html", email: @user.email) %></p>
+  <p><%= sanitize(t("management.users.create_user_success", email: @user.email)) %></p>
 <% end %>

 <%= render "management/user_permissions",
--- a/app/views/organizations/registrations/success.html.erb
+++ b/app/views/organizations/registrations/success.html.erb
@@ -1,7 +1,7 @@
 <h2><%= t("devise_views.organizations.registrations.success.title") %></h2>
-<p><%= t("devise_views.organizations.registrations.success.thank_you_html") %></p>
-<p><%= t("devise_views.organizations.registrations.success.instructions_1_html") %></p>
-<p><%= t("devise_views.organizations.registrations.success.instructions_2_html") %></p>
+<p><%= sanitize(t("devise_views.organizations.registrations.success.thank_you")) %></p>
+<p><%= sanitize(t("devise_views.organizations.registrations.success.instructions_1")) %></p>
+<p><%= sanitize(t("devise_views.organizations.registrations.success.instructions_2")) %></p>
 <p><%= t("devise_views.organizations.registrations.success.instructions_3") %></p>
 <p>
  <%= link_to t("devise_views.organizations.registrations.success.back_to_index"),
--- a/app/views/polls/_callout.html.erb
+++ b/app/views/polls/_callout.html.erb
@@ -7,8 +7,8 @@
    </div>
  <% elsif current_user.unverified? %>
    <div class="callout warning">
-      <%= t("polls.show.cant_answer_verify_html",
-            verify_link: link_to(t("polls.show.verify_link"), verification_path)) %>
+      <%= sanitize(t("polls.show.cant_answer_verify",
+            verify_link: link_to(t("polls.show.verify_link"), verification_path))) %>
    </div>
  <% elsif @poll.expired? %>
    <div class="callout alert">
--- a/app/views/proposals/created.html.erb
+++ b/app/views/proposals/created.html.erb
@@ -4,7 +4,7 @@
      <h2><%= t("proposals.created.title") %></h2>

      <p><%= t("proposals.created.motivation") %></p>
-      <p><%= t("proposals.created.motivation_2_html") %></p>
+      <p><%= sanitize(t("proposals.created.motivation_2")) %></p>

      <% if can?(:dashboard, @proposal) %>
        <%= link_to t("proposals.created.dashboard"),
--- a/app/views/proposals/index.html.erb
+++ b/app/views/proposals/index.html.erb
@@ -24,7 +24,9 @@
            <p>
              <%= page_entries_info @proposals %>
              <% if !@advanced_search_terms %>
-                <%= t("proposals.index.search_results_html", count: @proposals.size, search_term: @search_terms) %>
+                <%= sanitize(
+                  t("proposals.index.search_results", count: @proposals.size, search_term: @search_terms)
+                ) %>
              <% end %>
            <p>
          <% elsif @tag_filter %>
--- a/app/views/shared/_common_globalize_locales.html.erb
+++ b/app/views/shared/_common_globalize_locales.html.erb
@@ -1,7 +1,7 @@
 <div class="row globalize-languages column padding-top <%= highlight_translation_html_class %>"
-     data-zero-languages-description="<%= t("shared.translations.languages_in_use_html", count: 0) %>"
-     data-one-languages-description="<%= t("shared.translations.languages_in_use_html", count: 1) %>"
-     data-other-languages-description="<%= t("shared.translations.languages_in_use_html", count: 2) %>">
+     data-zero-languages-description="<%= sanitize(t("shared.translations.languages_in_use", count: 0)) %>"
+     data-one-languages-description="<%= sanitize(t("shared.translations.languages_in_use", count: 1)) %>"
+     data-other-languages-description="<%= sanitize(t("shared.translations.languages_in_use", count: 2)) %>">
  <div class="small-6 large-3 column">
    <span class="small">
      <strong class="js-languages-description"><%= selected_languages_description(resource) %></strong>
--- a/app/views/shared/_errors.html.erb
+++ b/app/views/shared/_errors.html.erb
@@ -10,7 +10,7 @@
      <% if local_assigns[:message].present? %>
        <%= message %>
      <% else %>
-        <%= t("form.not_saved_html", resource: t("form.#{resource.class.to_s.underscore}")) %>
+        <%= sanitize(t("form.not_saved", resource: t("form.#{resource.class.to_s.underscore}"))) %>
      <% end %>
    </strong>
  </div>
--- a/app/views/users/registrations/success.html.erb
+++ b/app/views/users/registrations/success.html.erb
@@ -1,6 +1,6 @@
 <h2><%= t("devise_views.users.registrations.success.title") %></h2>
-<p><%= t("devise_views.users.registrations.success.thank_you_html") %></p>
-<p><%= t("devise_views.users.registrations.success.instructions_1_html") %></p>
+<p><%= sanitize(t("devise_views.users.registrations.success.thank_you")) %></p>
+<p><%= sanitize(t("devise_views.users.registrations.success.instructions_1")) %></p>
 <p><%= t("devise_views.users.registrations.success.instructions_2") %></p>
 <p>
  <%= link_to t("devise_views.users.registrations.success.back_to_index"),
--- a/app/views/valuation/budget_investments/_dossier_detail.html.erb
+++ b/app/views/valuation/budget_investments/_dossier_detail.html.erb
@@ -13,7 +13,9 @@
  <%= investment.unfeasibility_explanation.presence || "-" %>
 </p>
 <p>
-  <strong><%= t("valuation.budget_investments.edit.price_html", currency: budget.currency_symbol) %>:</strong>
+  <strong>
+    <%= sanitize(t("valuation.budget_investments.edit.price", currency: budget.currency_symbol)) %>:
+  </strong>
  <%= investment.price.presence || "-" %>
 </p>
 <p>
--- a/app/views/valuation/budget_investments/_dossier_form.html.erb
+++ b/app/views/valuation/budget_investments/_dossier_form.html.erb
@@ -41,7 +41,7 @@
    <div class="row">
      <div class="small-12 medium-6 column">
        <%= f.number_field :price,
-          label: t("valuation.budget_investments.edit.price_html", currency: budget.currency_symbol),
+          label: t("valuation.budget_investments.edit.price", currency: budget.currency_symbol),
          max: 1000000000000000 %>
      </div>

--- a/app/views/verification/letter/show.html.erb
+++ b/app/views/verification/letter/show.html.erb
@@ -7,7 +7,7 @@
    <h1><%= t("verification.letter.edit.title") %></h1>

    <div data-alert class="callout success">
-      <%= t("verification.letter.create.flash.success_html") %>
+      <%= sanitize(t("verification.letter.create.flash.success")) %>
    </div>

    <%= link_to t("verification.letter.edit.see_all"), proposals_path, class: "button warning" %>
--- a/app/views/verification/residence/new.html.erb
+++ b/app/views/verification/residence/new.html.erb
@@ -54,7 +54,7 @@

          <div class="dropdown-pane" id="info-document-number" data-dropdown
               data-hover="true" data-hover-pane="true">
-            <%= t("verification.residence.new.document_number_help_text_html") %>
+            <%= sanitize(t("verification.residence.new.document_number_help_text")) %>
          </div>

          <%= f.text_field :document_number, label: false %>
--- a/app/views/verification/sms/new.html.erb
+++ b/app/views/verification/sms/new.html.erb
@@ -27,7 +27,7 @@

      <div class="small-12 medium-6">
        <%= f.label :phone, t("verification.sms.new.phone"), class: "inline-block" %>
-        <span class="inline-block"><%= t("verification.sms.new.phone_format_html") %></span>
+        <span class="inline-block"><%= sanitize(t("verification.sms.new.phone_format")) %></span>
        <p class="help-text" id="phone-text-help"><%= t("verification.sms.new.phone_note") %></p>
        <%= f.text_field :phone, label: false,
                                 placeholder: t("verification.sms.new.phone_placeholder"),