cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Use _html suffix to avoid using raw when displaying translated strings

Browse source 
This is safer than raw, since any user input is still escaped.
This commit is contained in:
Andy Allan 2020-01-02 17:43:34 +01:00
parent 8dba8cd4a0
commit 5aa255e13f
7 changed files with 21 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

2
app/views/browse/history.html.erb
View file

@ -2,7 +2,7 @@
<h2> <h2>
<a class="geolink" href="<%= root_path %>"><span class="icon close"></span></a> <a class="geolink" href="<%= root_path %>"><span class="icon close"></span></a>
<%= raw t("browse.#{@type}.history_title", :name => printable_name(@feature)) %> <%= t("browse.#{@type}.history_title_html", :name => printable_name(@feature)) %>
</h2> </h2>
<%= render :partial => @type, :collection => @feature.send("old_#{@type}s").reverse %> <%= render :partial => @type, :collection => @feature.send("old_#{@type}s").reverse %>

2
app/views/oauth/authorize.html.erb
View file

@ -2,7 +2,7 @@
<h1><%= t ".title" %></h1> <h1><%= t ".title" %></h1>
<% end %> <% end %>
<p><%= raw t(".request_access", :app_name => link_to(@token.client_application.name, @token.client_application.url), :user => link_to(current_user.display_name, user_path(current_user))) %></p> <p><%= t(".request_access_html", :app_name => link_to(@token.client_application.name, @token.client_application.url), :user => link_to(current_user.display_name, user_path(current_user))) %></p>
<%= form_tag authorize_url do %> <%= form_tag authorize_url do %>
<%= hidden_field_tag "oauth_token", @token.token %> <%= hidden_field_tag "oauth_token", @token.token %>

2
app/views/oauth/authorize_success.html.erb
View file

@ -2,7 +2,7 @@
<h1><%= t ".title" %></h1> <h1><%= t ".title" %></h1>
<% end %> <% end %>
<p><%= raw t(".allowed", :app_name => link_to(@token.client_application.name, @token.client_application.url)) %></p> <p><%= t(".allowed_html", :app_name => link_to(@token.client_application.name, @token.client_application.url)) %></p>
<% if @token.oob? and not @token.oauth10? %> <% if @token.oob? and not @token.oauth10? %>
<p><%= t ".verification", :code => @token.verifier %></p> <p><%= t ".verification", :code => @token.verifier %></p>

2
app/views/oauth_clients/index.html.erb
View file

@ -29,7 +29,7 @@
<% end %> <% end %>
<h3><%= t ".my_apps" %></h3> <h3><%= t ".my_apps" %></h3>
<% if @client_applications.empty? %> <% if @client_applications.empty? %>
<p><%= raw(t(".no_apps", :oauth => "<a href=\"https://oauth.net\">OAuth</a>")) %></p> <p><%= t(".no_apps_html", :oauth => link_to(t(".oauth"), "https://oauth.net" )) %></p>
<% else %> <% else %>
<p><%= t ".registered_apps" %></p> <p><%= t ".registered_apps" %></p>
<% @client_applications.each do |client| %> <% @client_applications.each do |client| %>

14
app/views/users/_user.html.erb
View file

@ -7,14 +7,14 @@
<td> <td>
<p> <p>
<% if user.creation_ip %> <% if user.creation_ip %>
<%= raw t "users.index.summary", <%= t "users.index.summary_html",
:name => link_to(h(user.display_name), user_path(user)), :name => link_to(h(user.display_name), user_path(user)),
:ip_address => link_to(user.creation_ip, :ip => user.creation_ip), :ip_address => link_to(user.creation_ip, :ip => user.creation_ip),
:date => l(user.creation_time, :format => :friendly) %> :date => l(user.creation_time, :format => :friendly) %>
<% else %> <% else %>
<%= raw t "users.index.summary_no_ip", <%= t "users.index.summary_no_ip_html",
:name => link_to(h(user.display_name), user_path(user)), :name => link_to(h(user.display_name), user_path(user)),
:date => l(user.creation_time, :format => :friendly) %> :date => l(user.creation_time, :format => :friendly) %>
<% end %> <% end %>
</p> </p>
<div class="richtext"><%= user.description.to_html %></div> <div class="richtext"><%= user.description.to_html %></div>

2
app/views/users/new.html.erb
View file

@ -70,7 +70,7 @@
</fieldset> </fieldset>
<div id="auth_prompt" class="form-row"> <div id="auth_prompt" class="form-row">
<%= link_to raw(t(".use external auth")), "#", :id => "auth_enable" %> <%= link_to t(".use external auth"), "#", :id => "auth_enable" %>
</div> </div>
<%= submit_tag t(".continue"), :tabindex => 8 %> <%= submit_tag t(".continue"), :tabindex => 8 %>

17
config/locales/en.yml
View file

@ -222,17 +222,17 @@ en:
still_open: "Changeset still open - discussion will open once the changeset is closed." still_open: "Changeset still open - discussion will open once the changeset is closed."
node: node:
title_html: "Node: %{name}" title_html: "Node: %{name}"
history_title: "Node History: %{name}" history_title_html: "Node History: %{name}"
way: way:
title_html: "Way: %{name}" title_html: "Way: %{name}"
history_title: "Way History: %{name}" history_title_html: "Way History: %{name}"
nodes: "Nodes" nodes: "Nodes"
also_part_of_html: also_part_of_html:
one: "part of way %{related_ways}" one: "part of way %{related_ways}"
other: "part of ways %{related_ways}" other: "part of ways %{related_ways}"
relation: relation:
title_html: "Relation: %{name}" title_html: "Relation: %{name}"
history_title: "Relation History: %{name}" history_title_html: "Relation History: %{name}"
members: "Members" members: "Members"
relation_member: relation_member:
entry_html: "%{type} %{name}" entry_html: "%{type} %{name}"
@ -1911,7 +1911,7 @@ en:
oauth: oauth:
authorize: authorize:
title: "Authorize access to your account" title: "Authorize access to your account"
request_access: "The application %{app_name} is requesting access to your account, %{user}. Please check whether you would like the application to have the following capabilities. You may choose as many or as few as you like." request_access_html: "The application %{app_name} is requesting access to your account, %{user}. Please check whether you would like the application to have the following capabilities. You may choose as many or as few as you like."
allow_to: "Allow the client application to:" allow_to: "Allow the client application to:"
allow_read_prefs: "read your user preferences." allow_read_prefs: "read your user preferences."
allow_write_prefs: "modify your user preferences." allow_write_prefs: "modify your user preferences."
@ -1923,7 +1923,7 @@ en:
grant_access: "Grant Access" grant_access: "Grant Access"
authorize_success: authorize_success:
title: "Authorization request allowed" title: "Authorization request allowed"
allowed: "You have granted application %{app_name} access to your account." allowed_html: "You have granted application %{app_name} access to your account."
verification: "The verification code is %{code}." verification: "The verification code is %{code}."
authorize_failure: authorize_failure:
title: "Authorization request failed" title: "Authorization request failed"
@ -1965,7 +1965,8 @@ en:
issued_at: "Issued At" issued_at: "Issued At"
revoke: "Revoke!" revoke: "Revoke!"
my_apps: "My Client Applications" my_apps: "My Client Applications"
no_apps: "Do you have an application you would like to register for use with us using the %{oauth} standard? You must register your web application before it can make OAuth requests to this service." no_apps_html: "Do you have an application you would like to register for use with us using the %{oauth} standard? You must register your web application before it can make OAuth requests to this service."
oauth: OAuth
registered_apps: "You have the following client applications registered:" registered_apps: "You have the following client applications registered:"
register_new: "Register your application" register_new: "Register your application"
form: form:
@ -2275,8 +2276,8 @@ en:
showing: showing:
one: Page %{page} (%{first_item} of %{items}) one: Page %{page} (%{first_item} of %{items})
other: Page %{page} (%{first_item}-%{last_item} of %{items}) other: Page %{page} (%{first_item}-%{last_item} of %{items})
summary: "%{name} created from %{ip_address} on %{date}" summary_html: "%{name} created from %{ip_address} on %{date}"
summary_no_ip: "%{name} created on %{date}" summary_no_ip_html: "%{name} created on %{date}"
confirm: Confirm Selected Users confirm: Confirm Selected Users
hide: Hide Selected Users hide: Hide Selected Users
empty: No matching users found empty: No matching users found