Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/debates/index.html.erb
+++ b/app/views/debates/index.html.erb
@@ -18,7 +18,9 @@
            <p>
              <%= page_entries_info @debates %>
              <% if !@advanced_search_terms %>
-                <%= t("debates.index.search_results_html", count: @debates.size, search_term: @search_terms) %>
+                <%= sanitize(
+                  t("debates.index.search_results", count: @debates.size, search_term: @search_terms)
+                ) %>
              <% end %>
            </p>
          <% elsif @tag_filter %>