From 5aa255e13fd5a9adfd7258cd7048466fc63f2347 Mon Sep 17 00:00:00 2001 From: Andy Allan Date: Thu, 2 Jan 2020 17:43:34 +0100 Subject: [PATCH] Use _html suffix to avoid using raw when displaying translated strings This is safer than raw, since any user input is still escaped. --- app/views/browse/history.html.erb | 2 +- app/views/oauth/authorize.html.erb | 2 +- app/views/oauth/authorize_success.html.erb | 2 +- app/views/oauth_clients/index.html.erb | 2 +- app/views/users/_user.html.erb | 14 +++++++------- app/views/users/new.html.erb | 2 +- config/locales/en.yml | 17 +++++++++-------- 7 files changed, 21 insertions(+), 20 deletions(-) diff --git a/app/views/browse/history.html.erb b/app/views/browse/history.html.erb index 0a2c1811c..95b3fd317 100644 --- a/app/views/browse/history.html.erb +++ b/app/views/browse/history.html.erb @@ -2,7 +2,7 @@

- <%= raw t("browse.#{@type}.history_title", :name => printable_name(@feature)) %> + <%= t("browse.#{@type}.history_title_html", :name => printable_name(@feature)) %>

<%= render :partial => @type, :collection => @feature.send("old_#{@type}s").reverse %> diff --git a/app/views/oauth/authorize.html.erb b/app/views/oauth/authorize.html.erb index c480b4c99..5fd3c2fee 100644 --- a/app/views/oauth/authorize.html.erb +++ b/app/views/oauth/authorize.html.erb @@ -2,7 +2,7 @@

<%= t ".title" %>

<% end %> -

<%= raw t(".request_access", :app_name => link_to(@token.client_application.name, @token.client_application.url), :user => link_to(current_user.display_name, user_path(current_user))) %>

+

<%= t(".request_access_html", :app_name => link_to(@token.client_application.name, @token.client_application.url), :user => link_to(current_user.display_name, user_path(current_user))) %>

<%= form_tag authorize_url do %> <%= hidden_field_tag "oauth_token", @token.token %> diff --git a/app/views/oauth/authorize_success.html.erb b/app/views/oauth/authorize_success.html.erb index 9c817372f..63239a386 100644 --- a/app/views/oauth/authorize_success.html.erb +++ b/app/views/oauth/authorize_success.html.erb @@ -2,7 +2,7 @@

<%= t ".title" %>

<% end %> -

<%= raw t(".allowed", :app_name => link_to(@token.client_application.name, @token.client_application.url)) %>

+

<%= t(".allowed_html", :app_name => link_to(@token.client_application.name, @token.client_application.url)) %>

<% if @token.oob? and not @token.oauth10? %>

<%= t ".verification", :code => @token.verifier %>

diff --git a/app/views/oauth_clients/index.html.erb b/app/views/oauth_clients/index.html.erb index 54bb4f9f6..738e01a74 100644 --- a/app/views/oauth_clients/index.html.erb +++ b/app/views/oauth_clients/index.html.erb @@ -29,7 +29,7 @@ <% end %>

<%= t ".my_apps" %>

<% if @client_applications.empty? %> -

<%= raw(t(".no_apps", :oauth => "OAuth")) %>

+

<%= t(".no_apps_html", :oauth => link_to(t(".oauth"), "https://oauth.net" )) %>

<% else %>

<%= t ".registered_apps" %>

<% @client_applications.each do |client| %> diff --git a/app/views/users/_user.html.erb b/app/views/users/_user.html.erb index beff4b0ae..c8fd4ac9e 100644 --- a/app/views/users/_user.html.erb +++ b/app/views/users/_user.html.erb @@ -7,14 +7,14 @@

<% if user.creation_ip %> - <%= raw t "users.index.summary", - :name => link_to(h(user.display_name), user_path(user)), - :ip_address => link_to(user.creation_ip, :ip => user.creation_ip), - :date => l(user.creation_time, :format => :friendly) %> + <%= t "users.index.summary_html", + :name => link_to(h(user.display_name), user_path(user)), + :ip_address => link_to(user.creation_ip, :ip => user.creation_ip), + :date => l(user.creation_time, :format => :friendly) %> <% else %> - <%= raw t "users.index.summary_no_ip", - :name => link_to(h(user.display_name), user_path(user)), - :date => l(user.creation_time, :format => :friendly) %> + <%= t "users.index.summary_no_ip_html", + :name => link_to(h(user.display_name), user_path(user)), + :date => l(user.creation_time, :format => :friendly) %> <% end %>

<%= user.description.to_html %>
diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb index fc62f0708..f4ff16408 100644 --- a/app/views/users/new.html.erb +++ b/app/views/users/new.html.erb @@ -70,7 +70,7 @@
- <%= link_to raw(t(".use external auth")), "#", :id => "auth_enable" %> + <%= link_to t(".use external auth"), "#", :id => "auth_enable" %>
<%= submit_tag t(".continue"), :tabindex => 8 %> diff --git a/config/locales/en.yml b/config/locales/en.yml index 31531a656..e1662571f 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -222,17 +222,17 @@ en: still_open: "Changeset still open - discussion will open once the changeset is closed." node: title_html: "Node: %{name}" - history_title: "Node History: %{name}" + history_title_html: "Node History: %{name}" way: title_html: "Way: %{name}" - history_title: "Way History: %{name}" + history_title_html: "Way History: %{name}" nodes: "Nodes" also_part_of_html: one: "part of way %{related_ways}" other: "part of ways %{related_ways}" relation: title_html: "Relation: %{name}" - history_title: "Relation History: %{name}" + history_title_html: "Relation History: %{name}" members: "Members" relation_member: entry_html: "%{type} %{name}" @@ -1911,7 +1911,7 @@ en: oauth: authorize: title: "Authorize access to your account" - request_access: "The application %{app_name} is requesting access to your account, %{user}. Please check whether you would like the application to have the following capabilities. You may choose as many or as few as you like." + request_access_html: "The application %{app_name} is requesting access to your account, %{user}. Please check whether you would like the application to have the following capabilities. You may choose as many or as few as you like." allow_to: "Allow the client application to:" allow_read_prefs: "read your user preferences." allow_write_prefs: "modify your user preferences." @@ -1923,7 +1923,7 @@ en: grant_access: "Grant Access" authorize_success: title: "Authorization request allowed" - allowed: "You have granted application %{app_name} access to your account." + allowed_html: "You have granted application %{app_name} access to your account." verification: "The verification code is %{code}." authorize_failure: title: "Authorization request failed" @@ -1965,7 +1965,8 @@ en: issued_at: "Issued At" revoke: "Revoke!" my_apps: "My Client Applications" - no_apps: "Do you have an application you would like to register for use with us using the %{oauth} standard? You must register your web application before it can make OAuth requests to this service." + no_apps_html: "Do you have an application you would like to register for use with us using the %{oauth} standard? You must register your web application before it can make OAuth requests to this service." + oauth: OAuth registered_apps: "You have the following client applications registered:" register_new: "Register your application" form: @@ -2275,8 +2276,8 @@ en: showing: one: Page %{page} (%{first_item} of %{items}) other: Page %{page} (%{first_item}-%{last_item} of %{items}) - summary: "%{name} created from %{ip_address} on %{date}" - summary_no_ip: "%{name} created on %{date}" + summary_html: "%{name} created from %{ip_address} on %{date}" + summary_no_ip_html: "%{name} created on %{date}" confirm: Confirm Selected Users hide: Hide Selected Users empty: No matching users found -- 2.39.5