Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/valuation/budget_investments/_dossier_detail.html.erb
+++ b/app/views/valuation/budget_investments/_dossier_detail.html.erb
@@ -13,7 +13,9 @@
  <%= investment.unfeasibility_explanation.presence || "-" %>
 </p>
 <p>
-  <strong><%= t("valuation.budget_investments.edit.price_html", currency: budget.currency_symbol) %>:</strong>
+  <strong>
+    <%= sanitize(t("valuation.budget_investments.edit.price", currency: budget.currency_symbol)) %>:
+  </strong>
  <%= investment.price.presence || "-" %>
 </p>
 <p>
--- a/app/views/valuation/budget_investments/_dossier_form.html.erb
+++ b/app/views/valuation/budget_investments/_dossier_form.html.erb
@@ -41,7 +41,7 @@
    <div class="row">
      <div class="small-12 medium-6 column">
        <%= f.number_field :price,
-          label: t("valuation.budget_investments.edit.price_html", currency: budget.currency_symbol),
+          label: t("valuation.budget_investments.edit.price", currency: budget.currency_symbol),
          max: 1000000000000000 %>
      </div>