Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe` on it, which means that translation could potentially be used for XSS attacks.
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions
--- a/app/views/verification/sms/new.html.erb
+++ b/app/views/verification/sms/new.html.erb
@@ -27,7 +27,7 @@

      <div class="small-12 medium-6">
        <%= f.label :phone, t("verification.sms.new.phone"), class: "inline-block" %>
-        <span class="inline-block"><%= t("verification.sms.new.phone_format_html") %></span>
+        <span class="inline-block"><%= sanitize(t("verification.sms.new.phone_format")) %></span>
        <p class="help-text" id="phone-text-help"><%= t("verification.sms.new.phone_note") %></p>
        <%= f.text_field :phone, label: false,
                                 placeholder: t("verification.sms.new.phone_placeholder"),