Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/helpers/globalize_helper.rb
+++ b/app/helpers/globalize_helper.rb
@@ -64,7 +64,7 @@ module GlobalizeHelper
  end

  def selected_languages_description(resource)
-    t("shared.translations.languages_in_use_html", count: active_languages_count(resource))
+    sanitize(t("shared.translations.languages_in_use", count: active_languages_count(resource)))
  end

  def select_language_error(resource)