Use sanitize in translations with links

Sometimes we're interpolating a link inside a translation, and marking
the whole translation as HTML safe.

However, some translations added by admins to the database or through
crowdin are not entirely under our control.

Although AFAIK crowdin checks for potential cross-site scripting
attacks, it's a good practice to sanitize parts of a string potentially
out of our control before marking the string as HTML safe.
Javi Martín
2019-10-01 21:57:06 +02:00
parent 56f690b8a9
commit 928312e218
41 changed files with 95 additions and 89 deletions


@@ -30,12 +30,12 @@
</button>
<h2><%= t("layouts.application.ie_title") %></h2>
<p>
<%= t("layouts.application.ie",
<%= sanitize(t("layouts.application.ie",
chrome: link_to(
t("layouts.application.chrome"), "https://www.google.com/chrome/browser/desktop/", title: t("shared.target_blank"), target: "_blank"),
firefox: link_to(
t("layouts.application.firefox"), "https://www.mozilla.org/firefox", title: t("shared.target_blank"), target: "_blank")
).html_safe %>
)) %>
</p>
</div>
<![endif]-->
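Review bot: wrapping the interpolated string in `sanitize(...)` with no `attributes:` option will strip the `target: "_blank"` from both `link_to` calls in this hunk, because `target` is not in the default attribute safe list of Rails' `SafeListSanitizer` (it allows `href` and `title`, among others, but not `target`), so the Chrome and Firefox links will stop opening in a new tab even though the `title: t("shared.target_blank")` hint survives. Unless the application configures the sanitizer's allowed attributes elsewhere, pass an explicit list, e.g. `sanitize(t("layouts.application.ie", ...), tags: %w[a], attributes: %w[href title target])`, and consider extracting that call into a helper so the other changed files in this commit use the same allow list. Dropping `.html_safe` is correct, since `sanitize` already returns a safe buffer.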