Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as calling `html_safe`
on the translation, which means that translation could potentially be used for
XSS attacks.
This commit is contained in:
Javi Martín
2019-10-06 00:03:50 +02:00
parent b66859945e
commit 6b1864fbcd
62 changed files with 185 additions and 172 deletions


@@ -56,7 +56,7 @@ shared_examples "followable" do |followable_class_name, followable_path, followa
scenario "Should display new follower notice after user clicks on follow button", :js do
user = create(:user)
login_as(user)
create_notice_message = t("shared.followable.#{followable_class_name}.create.notice_html")
create_notice_message = t("shared.followable.#{followable_class_name}.create.notice")
visit send(followable_path, arguments)
within "##{dom_id(followable)}" do
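Review bot: The expected notice on the new line `create_notice_message = t("shared.followable.#{followable_class_name}.create.notice")` is now the raw locale string, whereas the commit title says the view sanitizes the translation before rendering; if that locale entry still contains markup (as its former `_html` suffix suggests), the spec's expectation will carry tags that the rendered page does not show, and the comparison later in the scenario may only pass for markup-free locales. The same applies to the `destroy.notice` line in the second hunk of this file. If the view's normalisation is `sanitize`, the spec should apply the equivalent to its expectation, e.g. `create_notice_message = strip_tags(t("shared.followable.#{followable_class_name}.create.notice"))`, provided `strip_tags` is in scope for these feature specs (otherwise `ActionController::Base.helpers.strip_tags`). The body of both scenarios continues outside the hunk, so I cannot see the assertion the message is used in.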
@@ -91,7 +91,7 @@ shared_examples "followable" do |followable_class_name, followable_path, followa
scenario "Should display destroy follower notice after user clicks on unfollow button", :js do
user = create(:user, followables: [followable])
login_as(user)
destroy_notice_message = t("shared.followable.#{followable_class_name}.destroy.notice_html")
destroy_notice_message = t("shared.followable.#{followable_class_name}.destroy.notice")
visit send(followable_path, arguments)
within "##{dom_id(followable)}" do