Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/admin/budget_investments/_filters_description.html.erb
+++ b/app/views/admin/budget_investments/_filters_description.html.erb
@@ -1,16 +1,16 @@
 <% if params[:filter].present? && params[:advanced_filters].present? %>
-  <p class="inline-block"><%= t("#{i18n_namespace}.filters.two_filters_html",
+  <p class="inline-block"><%= sanitize(t("#{i18n_namespace}.filters.two_filters",
                              filter: t("#{i18n_namespace}.filters.#{params[:filter]}"),
-                              advanced_filters: budget_investments_advanced_filters(params[:advanced_filters])) %></p>
+                              advanced_filters: budget_investments_advanced_filters(params[:advanced_filters]))) %></p>

 <% elsif params[:filter].present? %>

-  <p class="inline-block"><%= t("#{i18n_namespace}.filters.one_filter_html",
-                              filter: t("#{i18n_namespace}.filters.#{params[:filter]}")) %></p>
+  <p class="inline-block"><%= sanitize(t("#{i18n_namespace}.filters.one_filter",
+                              filter: t("#{i18n_namespace}.filters.#{params[:filter]}"))) %></p>

 <% elsif params[:advanced_filters].present? %>

-  <p class="inline-block"><%= t("#{i18n_namespace}.filters.one_filter_html",
-                              filter: budget_investments_advanced_filters(params[:advanced_filters])) %></p>
+  <p class="inline-block"><%= sanitize(t("#{i18n_namespace}.filters.one_filter",
+                              filter: budget_investments_advanced_filters(params[:advanced_filters]))) %></p>

 <% end %>
--- a/app/views/admin/legislation/draft_versions/_form.html.erb
+++ b/app/views/admin/legislation/draft_versions/_form.html.erb
@@ -36,9 +36,9 @@
      <div class="markdown-editor clear">
        <div class="small-12 medium-8 column fullscreen-container">
          <div class="markdown-editor-header truncate">
-            <%= t("admin.legislation.draft_versions.form.title_html",
+            <%= sanitize(t("admin.legislation.draft_versions.form.title",
                   draft_version_title: @draft_version.title,
-                   process_title: @process.title) %>
+                   process_title: @process.title)) %>
          </div>

          <div class="markdown-editor-buttons">
--- a/app/views/admin/newsletters/new.html.erb
+++ b/app/views/admin/newsletters/new.html.erb
@@ -1,9 +1,9 @@
 <%= back_link_to %>
 <h2><%= t("admin.newsletters.new.title") %></h2>
 <p>
-  <%= t("admin.newsletters.new.header_footer_help_text_html",
+  <%= sanitize(t("admin.newsletters.new.header_footer_help_text",
         link: link_to(t("admin.newsletters.new.image_link"),
-                       admin_site_customization_images_path)) %>
+                       admin_site_customization_images_path))) %>
 </p>

 <%= render "form" %>
--- a/app/views/admin/organizations/index.html.erb
+++ b/app/views/admin/organizations/index.html.erb
@@ -67,7 +67,7 @@

  <% if hidden > 0 %>
    <div class="callout warning">
-      <%= t("admin.organizations.index.hidden_count_html", count: hidden) %>
+      <%= sanitize(t("admin.organizations.index.hidden_count", count: hidden)) %>
    </div>
  <% end %>

--- a/app/views/admin/site_customization/pages/_form.html.erb
+++ b/app/views/admin/site_customization/pages/_form.html.erb
@@ -32,7 +32,7 @@

    <div class="small-12 medium-6 column">
      <%= f.text_field :slug, size: 80, maxlength: 80,
-        hint: t("admin.site_customization.pages.new.slug_help_html") %>
+        hint: sanitize(t("admin.site_customization.pages.new.slug_help")) %>
    </div>
  </div>