Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/verification/letter/show.html.erb
+++ b/app/views/verification/letter/show.html.erb
@@ -7,7 +7,7 @@
    <h1><%= t("verification.letter.edit.title") %></h1>

    <div data-alert class="callout success">
-      <%= t("verification.letter.create.flash.success_html") %>
+      <%= sanitize(t("verification.letter.create.flash.success")) %>
    </div>

    <%= link_to t("verification.letter.edit.see_all"), proposals_path, class: "button warning" %>
--- a/app/views/verification/residence/new.html.erb
+++ b/app/views/verification/residence/new.html.erb
@@ -54,7 +54,7 @@

          <div class="dropdown-pane" id="info-document-number" data-dropdown
               data-hover="true" data-hover-pane="true">
-            <%= t("verification.residence.new.document_number_help_text_html") %>
+            <%= sanitize(t("verification.residence.new.document_number_help_text")) %>
          </div>

          <%= f.text_field :document_number, label: false %>
--- a/app/views/verification/sms/new.html.erb
+++ b/app/views/verification/sms/new.html.erb
@@ -27,7 +27,7 @@

      <div class="small-12 medium-6">
        <%= f.label :phone, t("verification.sms.new.phone"), class: "inline-block" %>
-        <span class="inline-block"><%= t("verification.sms.new.phone_format_html") %></span>
+        <span class="inline-block"><%= sanitize(t("verification.sms.new.phone_format")) %></span>
        <p class="help-text" id="phone-text-help"><%= t("verification.sms.new.phone_note") %></p>
        <%= f.text_field :phone, label: false,
                                 placeholder: t("verification.sms.new.phone_placeholder"),