Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/management/proposals/index.html.erb
+++ b/app/views/management/proposals/index.html.erb
@@ -10,7 +10,9 @@
        <% if @search_terms %>
          <h3>
            <%= page_entries_info @proposals %>
-            <%= t("proposals.index.search_results_html", count: @proposals.size, search_term: @search_terms) %>
+            <%= sanitize(
+              t("proposals.index.search_results", count: @proposals.size, search_term: @search_terms)
+            ) %>
          </h3>
        <% end %>

--- a/app/views/management/user_invites/create.html.erb
+++ b/app/views/management/user_invites/create.html.erb
@@ -4,6 +4,6 @@
  <h2><%= t("management.user_invites.create.title") %></h2>

  <div class="callout success">
-    <%= t("management.user_invites.create.success_html", count: @emails.count) %>
+    <%= sanitize(t("management.user_invites.create.success", count: @emails.count)) %>
  </div>
 </div>
--- a/app/views/management/users/show.html.erb
+++ b/app/views/management/users/show.html.erb
@@ -1,7 +1,7 @@
 <% if @user.email.blank? %>
-  <p><%= t("management.users.autogenerated_password_html", password: @user.password) %></p>
+  <p><%= sanitize(t("management.users.autogenerated_password", password: @user.password)) %></p>
 <% else %>
-  <p><%= t("management.users.create_user_success_html", email: @user.email) %></p>
+  <p><%= sanitize(t("management.users.create_user_success", email: @user.email)) %></p>
 <% end %>

 <%= render "management/user_permissions",