Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/devise/confirmations/show.html.erb
+++ b/app/views/devise/confirmations/show.html.erb
@@ -1,7 +1,7 @@
 <% provide :title do %><%= t("devise_views.confirmations.show.title") %><% end %>
 <h1 class="text-center"><%= t("devise_views.confirmations.show.title") %></h1>

-<p><%= t("devise_views.confirmations.show.instructions_html", email: resource.email) %></p>
+<p><%= sanitize(t("devise_views.confirmations.show.instructions", email: resource.email)) %></p>

 <%= form_for(resource,
             as: resource_name,