Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/management/users/show.html.erb
+++ b/app/views/management/users/show.html.erb
@@ -1,7 +1,7 @@
 <% if @user.email.blank? %>
-  <p><%= t("management.users.autogenerated_password_html", password: @user.password) %></p>
+  <p><%= sanitize(t("management.users.autogenerated_password", password: @user.password)) %></p>
 <% else %>
-  <p><%= t("management.users.create_user_success_html", email: @user.email) %></p>
+  <p><%= sanitize(t("management.users.create_user_success", email: @user.email)) %></p>
 <% end %>

 <%= render "management/user_permissions",