From dddef7672e37e85e14af7aa2ffbd95214bd2689f Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Sun, 22 Dec 2019 11:28:18 +0100
Subject: [PATCH] Use _html suffix to avoid using raw when displaying translated strings

This is safer than raw, since any user input is still escaped.
---
 app/views/site/_potlatch.html.erb | 2 +-
 app/views/site/edit.html.erb | 4 ++--
 app/views/site/export.html.erb | 2 +-
 app/views/users/account.html.erb | 2 +-
 app/views/users/blocked.html.erb | 2 +-
 app/views/users/suspended.html.erb | 2 +-
 app/views/users/terms.html.erb | 6 +++---
 config/locales/en.yml | 14 +++++++-------
 8 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/app/views/site/_potlatch.html.erb b/app/views/site/_potlatch.html.erb
index 3ebcf7fab..fedecbae8 100644
--- a/app/views/site/_potlatch.html.erb
+++ b/app/views/site/_potlatch.html.erb
@@ -6,5 +6,5 @@
 <% data[:lat] = @lat if @lat -%>
 <% data[:lon] = @lon if @lon -%>
 <% data[:zoom] = @zoom if @zoom -%>
- <%= content_tag :div, raw(t("site.edit.flash_player_required")), :id => "potlatch", :data => data %>
+ <%= content_tag :div, t("site.edit.flash_player_required_html"), :id => "potlatch", :data => data %>
diff --git a/app/views/site/edit.html.erb b/app/views/site/edit.html.erb
index 1dba95e5d..d991adf39 100644
--- a/app/views/site/edit.html.erb
+++ b/app/views/site/edit.html.erb
@@ -5,8 +5,8 @@
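Review bot: The commit message does not say that this hunk also changes which translation key the partial reads: the old line looked up `site.edit.flash_player_required`, while the unchanged context line in the en.yml hunk shows that section already spelling it `flash_player_required_html`, so unless a separate `flash_player_required` key exists outside that hunk the partial was rendering Rails' missing-translation span instead of the notice. That is a user-visible fix rather than a pure `raw` removal and deserves a sentence in the description. A view test asserting that the rendered `#potlatch` div contains the translated notice would keep the key and the view from drifting apart again.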

<%= t "layouts.osm_read_only" %>

<% elsif !current_user.data_public? %>

<%= t ".not_public" %>

-

<%= raw t ".not_public_description", :user_page => (link_to t(".user_page_link"), :controller => "users", :action => "account", :display_name => current_user.display_name, :anchor => "public") %>

-

<%= raw t "site.edit.anon_edits", :link => link_to(t(".anon_edits_link_text"), t(".anon_edits_link")) %>

+

<%= t ".not_public_description_html", :user_page => (link_to t(".user_page_link"), :controller => "users", :action => "account", :display_name => current_user.display_name, :anchor => "public") %>

+

<%= t ".anon_edits_html", :link => link_to(t(".anon_edits_link_text"), t(".anon_edits_link")) %>

<% else %>
 <%= render :partial => preferred_editor %>
 <% end %>
diff --git a/app/views/site/export.html.erb b/app/views/site/export.html.erb
index 4af1a0ff3..f1eed33cf 100644
--- a/app/views/site/export.html.erb
+++ b/app/views/site/export.html.erb
@@ -21,7 +21,7 @@

<%= t ".licence" %>

-

<%= raw t ".export_details" %>

+

<%= t ".export_details_html" %>

diff --git a/app/views/users/account.html.erb b/app/views/users/account.html.erb
index 7fd6929ca..4021e5c08 100644
--- a/app/views/users/account.html.erb
+++ b/app/views/users/account.html.erb
@@ -175,6 +175,6 @@
 <% unless current_user.data_public? %>

<%= t ".public editing note.heading" %>

-<%= raw t ".public editing note.text" %>
+<%= t ".public editing note.html" %>
 <%= button_to t(".make edits public button"), :action => :go_public %>
 <% end %>
diff --git a/app/views/users/blocked.html.erb b/app/views/users/blocked.html.erb
index 2b2ff06f6..5e6505cac 100644
--- a/app/views/users/blocked.html.erb
+++ b/app/views/users/blocked.html.erb
@@ -6,5 +6,5 @@
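Review bot: The new key `.public editing note.html` is the one rename in this patch that drops the original name instead of suffixing it (`text` became `html`, while the other hunks produce `body_html`, `guidance_html` and so on). Rails treats a final segment of exactly `html` as html-safe, and the existing `about.html` key visible in the en.yml context uses the same form, so the lookup works; `text_html` would simply keep the view and the locale entry self-describing and consistent with the rest of the commit: `<%= t ".public editing note.text_html" %>`. The matching en.yml line in the `@@ -2198,7 +2198,7 @@` hunk would then become `text_html: "Currently your edits are anonymous …"`.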

<%= t "users.new.no_auto_account_create" %>

-

<%= raw t "users.new.contact_webmaster", :webmaster => "mailto:#{Settings.support_email}" %>

+

<%= t "users.new.contact_webmaster_html", :webmaster => "mailto:#{Settings.support_email}" %>

diff --git a/app/views/users/suspended.html.erb b/app/views/users/suspended.html.erb
index 3a2df498a..002c632dd 100644
--- a/app/views/users/suspended.html.erb
+++ b/app/views/users/suspended.html.erb
@@ -4,4 +4,4 @@

<%= t ".heading" %>

<% end %>
-<%= raw t ".body", :webmaster => link_to(t(".webmaster"), "mailto:#{Settings.support_email}") %>
+<%= t ".body_html", :webmaster => link_to(t(".webmaster"), "mailto:#{Settings.support_email}") %>
diff --git a/app/views/users/terms.html.erb b/app/views/users/terms.html.erb
index d4a9fa0bd..97c1c7bf7 100644
--- a/app/views/users/terms.html.erb
+++ b/app/views/users/terms.html.erb
@@ -35,9 +35,9 @@

 - <%= raw t ".guidance",
- :summary => "https://www.osmfoundation.org/wiki/License/Contributor_Terms_Summary",
- :translations => "https://www.osmfoundation.org/wiki/License/Contributor_Terms/Informal_Translations" %>
+ <%= t ".guidance_html",
+ :summary => "https://www.osmfoundation.org/wiki/License/Contributor_Terms_Summary",
+ :translations => "https://www.osmfoundation.org/wiki/License/Contributor_Terms/Informal_Translations" %>

diff --git a/config/locales/en.yml b/config/locales/en.yml
index fbd31e4b0..9e2e6dbb7 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1521,9 +1521,9 @@ en:
 remote_failed: "Editing failed - make sure JOSM or Merkaartor is loaded and the remote control option is enabled"
 edit:
 not_public: "You have not set your edits to be public."
- not_public_description: "You can no longer edit the map unless you do so. You can set your edits as public from your %{user_page}."
+ not_public_description_html: "You can no longer edit the map unless you do so. You can set your edits as public from your %{user_page}."
 user_page_link: user page
- anon_edits: "(%{link})"
+ anon_edits_html: "(%{link})"
 anon_edits_link: "https://wiki.openstreetmap.org/wiki/Disabling_anonymous_edits"
 anon_edits_link_text: "Find out why this is the case."
 flash_player_required_html: 'You need a Flash player to use Potlatch, the OpenStreetMap Flash editor. You can download Flash Player from Adobe.com. Several other options are also available for editing OpenStreetMap.'
@@ -1541,7 +1541,7 @@ en:
 map_image: "Map Image (shows standard layer)"
 embeddable_html: "Embeddable HTML"
 licence: "Licence"
- export_details: 'OpenStreetMap data is licensed under the Open Data Commons Open Database License (ODbL).'
+ export_details_html: 'OpenStreetMap data is licensed under the Open Data Commons Open Database License (ODbL).'
 too_large:
 advice: "If the above export fails, please consider using one of the sources listed below:"
 body: "This area is too large to be exported as OpenStreetMap XML Data. Please zoom in or select a smaller area, or use one of the sources listed below for bulk data downloads."
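Review bot: The key renames in this hunk (`not_public_description`, `anon_edits`, `export_details`) and in the later en.yml hunks (`contact_webmaster`, `guidance`, `text`, `body`) touch en.yml only, and the diffstat lists no other locale file, so the other `config/locales/*.yml` presumably still carry the old names until translations are re-imported. With locale fallbacks enabled those strings show in English in the meantime; without them `t` renders a missing-translation span, and the description should say which is expected. The same check applies to callers outside the eight listed files: the old edit.html.erb reached `anon_edits` by its absolute name `site.edit.anon_edits`, which hints it may be referenced from elsewhere, so a grep for each old key before merge would settle it. Worth noting for reviewers of the locale files: with the `_html` suffix Rails escapes only the interpolated arguments that are not already html_safe, while the translation text itself is emitted as trusted markup, so these entries carry the same trust that `raw` gave them.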
@@ -2062,7 +2062,7 @@ en:
 new:
 title: "Sign Up"
 no_auto_account_create: "Unfortunately we are not currently able to create an account for you automatically."
- contact_webmaster: 'Please contact the webmaster to arrange for an account to be created - we will try and deal with the request as quickly as possible.'
+ contact_webmaster_html: 'Please contact the webmaster to arrange for an account to be created - we will try and deal with the request as quickly as possible.'
 about:
 header: Free and editable
 html: |
@@ -2096,7 +2096,7 @@ en:
 consider_pd: "In addition to the above, I consider my contributions to be in the Public Domain"
 consider_pd_why: "what's this?"
 consider_pd_why_url: https://www.osmfoundation.org/wiki/License/Why_would_I_want_my_contributions_to_be_public_domain
- guidance: 'Information to help understand these terms: a human readable summary and some informal translations'
+ guidance_html: 'Information to help understand these terms: a human readable summary and some informal translations'
 continue: Continue
 declined: "https://wiki.openstreetmap.org/wiki/Contributor_Terms_Declined"
 decline: "Decline"
@@ -2198,7 +2198,7 @@ en:
 disabled link text: "why can't I edit?"
 public editing note:
 heading: "Public editing"
- text: "Currently your edits are anonymous and people cannot send you messages or see your location. To show what you edited and allow people to contact you through the website, click the button below. Since the 0.6 API changeover, only public users can edit map data. (find out why).
  • Your email address will not be revealed by becoming public.
  • This action cannot be reversed and all new users are now public by default.
"
+ html: "Currently your edits are anonymous and people cannot send you messages or see your location. To show what you edited and allow people to contact you through the website, click the button below. Since the 0.6 API changeover, only public users can edit map data. (find out why).
  • Your email address will not be revealed by becoming public.
  • This action cannot be reversed and all new users are now public by default.
"
 contributor terms:
 heading: "Contributor Terms:"
 agreed: "You have agreed to the new Contributor Terms."
@@ -2284,7 +2284,7 @@ en:
 title: Account Suspended
 heading: Account Suspended
 webmaster: webmaster
- body: |
+ body_html: |

Sorry, your account has been automatically suspended due to suspicious activity.
-- 
2.39.5