Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/shared/_errors.html.erb
+++ b/app/views/shared/_errors.html.erb
@@ -10,7 +10,7 @@
      <% if local_assigns[:message].present? %>
        <%= message %>
      <% else %>
-        <%= t("form.not_saved_html", resource: t("form.#{resource.class.to_s.underscore}")) %>
+        <%= sanitize(t("form.not_saved", resource: t("form.#{resource.class.to_s.underscore}"))) %>
      <% end %>
    </strong>
  </div>