Use _html suffix to avoid using raw when displaying translated strings

This is safer than raw, since any user input is still escaped.

app/views/site/about.html.erb

@@ -5,7 +5,7 @@
 
   <div class='user-image'></div>
 
-  <h1><%= raw t ".used_by", :name => "<span class='user-name'>OpenStreetMap</span>" %></h1>
+  <h1><%= t ".used_by_html", :name => content_tag(:span, "OpenStreetMap", :class => "user-name") %></h1>
 </div>
 
 <div class='text'>

app/views/user_blocks/blocks_by.html.erb

@@ -1,6 +1,6 @@
 <% @title = t(".title", :name => h(@user.display_name)) %>
 <% content_for :heading do %>
-  <h1><%= raw(t(".heading", :name => link_to(h(@user.display_name), user_path(@user)))) %></h1>
+  <h1><%= t(".heading_html", :name => link_to(@user.display_name, user_path(@user))) %></h1>
 <% end %>
 
 <% unless @user_blocks.empty? %>

app/views/user_blocks/blocks_on.html.erb

@@ -1,6 +1,6 @@
 <% @title = t(".title", :name => h(@user.display_name)) %>
 <% content_for :heading do %>
-  <h1><%= raw(t(".heading", :name => link_to(h(@user.display_name), user_path(@user)))) %></h1>
+  <h1><%= t(".heading_html", :name => link_to(@user.display_name, user_path(@user))) %></h1>
 <% end %>
 <% unless @user_blocks.empty? %>
 <%= render :partial => "blocks", :locals => { :show_revoke_link => can?(:revoke, UserBlock), :show_user_name => false, :show_creator_name => true } %>

app/views/user_blocks/edit.html.erb

@@ -1,8 +1,8 @@
 <% @title = t ".title", :name => h(@user_block.user.display_name) %>
 <% content_for :heading do %>
-  <h1><%= raw t(".title",
-                :name => link_to(h(@user_block.user.display_name),
-                                 user_path(@user_block.user))) %></h1>
+  <h1><%= t(".heading_html",
+            :name => link_to(@user_block.user.display_name,
+                             user_path(@user_block.user))) %></h1>
   <ul class='secondary-actions clearfix'>
     <li><%= link_to t(".show"), @user_block %></li>
     <li><%= link_to t(".back"), user_blocks_path %></li>

app/views/user_blocks/new.html.erb

@@ -1,8 +1,8 @@
 <% @title = t ".title", :name => h(@user.display_name) %>
 <% content_for :heading do %>
-  <h1><%= raw t(".heading",
-                :name => link_to(h(@user.display_name),
-                                 user_path(@user))) %></h1>
+  <h1><%= t(".heading_html",
+            :name => link_to(@user.display_name,
+                             user_path(@user))) %></h1>
 <% end %>
 <%= form_for(@user_block) do |f| %>
   <%= f.error_messages %>

app/views/user_blocks/revoke.html.erb

@@ -3,11 +3,11 @@
               :block_by => h(@user_block.creator.display_name)) %>
 
 <% content_for :heading do %>
-  <h1><%= raw t(".heading",
-                :block_on => link_to(h(@user_block.user.display_name),
-                                     user_path(@user_block.user)),
-                :block_by => link_to(h(@user_block.creator.display_name),
-                                     user_path(@user_block.creator))) %></h1>
+  <h1><%= t(".heading_html",
+            :block_on => link_to(@user_block.user.display_name,
+                                 user_path(@user_block.user)),
+            :block_by => link_to(@user_block.creator.display_name,
+                                 user_path(@user_block.creator))) %></h1>
 <% end %>
 
 <% if @user_block.ends_at > Time.now %>

app/views/user_blocks/show.html.erb

@@ -3,11 +3,11 @@
               :block_by => @user_block.creator.display_name) %>
 
 <% content_for :heading do %>
-  <h1><%= raw t(".heading",
-                :block_on => link_to(h(@user_block.user.display_name),
-                                     user_path(@user_block.user)),
-                :block_by => link_to(h(@user_block.creator.display_name),
-                                     user_path(@user_block.creator))) %></h1>
+  <h1><%= t(".heading_html",
+            :block_on => link_to(@user_block.user.display_name,
+                                 user_path(@user_block.user)),
+            :block_by => link_to(@user_block.creator.display_name,
+                                 user_path(@user_block.creator))) %></h1>
 <ul class='secondary-actions clearfix'>
   <% if @user_block.ends_at > Time.now.getutc %>
     <% if current_user and current_user.id == @user_block.creator_id %>

app/views/users/login.html.erb

@@ -74,7 +74,7 @@
         </ul>
 
         <div id='login_openid_url' class='form-row'>
-          <label for='openid_url' class="standard-label"><%= raw t ".openid", :logo => openid_logo %></label>
+          <label for='openid_url' class="standard-label"><%= t ".openid_html", :logo => openid_logo %></label>
           <%= hidden_field_tag("openid_referer", params[:referer]) if params[:referer] %>
           <%= text_field_tag("openid_url", "", :tabindex => 3, :class => "openid_url") %>
           <span class="minorNote">(<a href="<%= t "users.account.openid.link" %>" target="_new"><%= t "users.account.openid.link text" %></a>)</span>

app/views/users/new.html.erb

@@ -26,7 +26,7 @@
       <%= f.email_field(:email_confirmation, :tabindex => 2) %>
       <%= f.error_message_on(:email_confirmation) %>
     </div>
-    <span class="form-help deemphasize"><%= raw(t(".not displayed publicly")) %></span>
+    <span class="form-help deemphasize"><%= t(".not_displayed_publicly_html") %></span>
   </fieldset>
 
   <fieldset>
@@ -43,7 +43,7 @@
   <fieldset class="form-divider" id="auth_field">
     <div class="form-row">
       <label for="openid_url" class="standard-label">
-        <%= raw t ".external auth" %>
+        <%= t ".external auth" %>
       </label>
       <%= f.select(:auth_provider, Auth::PROVIDERS, :default => "", :tabindex => 4) %>
       <%= f.text_field(:auth_uid, :tabindex => 5) %>