Use _html suffix to avoid using raw when displaying translated strings

This is safer than raw, since any user input is still escaped.
2020-01-02 17:43:34 +01:00 · 2020-01-02 17:43:34 +01:00 · 5aa255e13f
commit 5aa255e13f
parent 8dba8cd4a0
7 changed files with 21 additions and 20 deletions
--- a/app/views/browse/history.html.erb
+++ b/app/views/browse/history.html.erb
@ -2,7 +2,7 @@

 <h2>
  <a class="geolink" href="<%= root_path %>"><span class="icon close"></span></a>
-  <%= raw t("browse.#{@type}.history_title", :name => printable_name(@feature)) %>
+  <%= t("browse.#{@type}.history_title_html", :name => printable_name(@feature)) %>
 </h2>

 <%= render :partial => @type, :collection => @feature.send("old_#{@type}s").reverse %>
--- a/app/views/oauth/authorize.html.erb
+++ b/app/views/oauth/authorize.html.erb
@ -2,7 +2,7 @@
  <h1><%= t ".title" %></h1>
 <% end %>

-<p><%= raw t(".request_access", :app_name => link_to(@token.client_application.name, @token.client_application.url), :user => link_to(current_user.display_name, user_path(current_user))) %></p>
+<p><%= t(".request_access_html", :app_name => link_to(@token.client_application.name, @token.client_application.url), :user => link_to(current_user.display_name, user_path(current_user))) %></p>

 <%= form_tag authorize_url do %>
  <%= hidden_field_tag "oauth_token", @token.token %>
--- a/app/views/oauth/authorize_success.html.erb
+++ b/app/views/oauth/authorize_success.html.erb
@ -2,7 +2,7 @@
  <h1><%= t ".title" %></h1>
 <% end %>

-<p><%= raw t(".allowed", :app_name => link_to(@token.client_application.name, @token.client_application.url)) %></p>
+<p><%= t(".allowed_html", :app_name => link_to(@token.client_application.name, @token.client_application.url)) %></p>

 <% if @token.oob? and not @token.oauth10? %>
 <p><%= t ".verification", :code => @token.verifier %></p>
--- a/app/views/oauth_clients/index.html.erb
+++ b/app/views/oauth_clients/index.html.erb
@ -29,7 +29,7 @@
 <% end %>
 <h3><%= t ".my_apps" %></h3>
 <% if @client_applications.empty? %>
-<p><%= raw(t(".no_apps", :oauth => "<a href=\"https://oauth.net\">OAuth</a>")) %></p>
+<p><%= t(".no_apps_html", :oauth => link_to(t(".oauth"), "https://oauth.net" )) %></p>
 <% else %>
 <p><%= t ".registered_apps" %></p>
 <% @client_applications.each do |client| %>
--- a/app/views/users/_user.html.erb
+++ b/app/views/users/_user.html.erb
@ -7,14 +7,14 @@
  <td>
    <p>
      <% if user.creation_ip %>
-        <%= raw t "users.index.summary",
-                  :name => link_to(h(user.display_name), user_path(user)),
-                  :ip_address => link_to(user.creation_ip, :ip => user.creation_ip),
-                  :date => l(user.creation_time, :format => :friendly) %>
+        <%= t "users.index.summary_html",
+              :name => link_to(h(user.display_name), user_path(user)),
+              :ip_address => link_to(user.creation_ip, :ip => user.creation_ip),
+              :date => l(user.creation_time, :format => :friendly) %>
      <% else %>
-        <%= raw t "users.index.summary_no_ip",
-                  :name => link_to(h(user.display_name), user_path(user)),
-                  :date => l(user.creation_time, :format => :friendly) %>
+        <%= t "users.index.summary_no_ip_html",
+              :name => link_to(h(user.display_name), user_path(user)),
+              :date => l(user.creation_time, :format => :friendly) %>
      <% end %>
    </p>
    <div class="richtext"><%= user.description.to_html %></div>
--- a/app/views/users/new.html.erb
+++ b/app/views/users/new.html.erb
@ -70,7 +70,7 @@
  </fieldset>

  <div id="auth_prompt" class="form-row">
-    <%= link_to raw(t(".use external auth")), "#", :id => "auth_enable" %>
+    <%= link_to t(".use external auth"), "#", :id => "auth_enable" %>
  </div>

  <%= submit_tag t(".continue"), :tabindex => 8 %>
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -222,17 +222,17 @@ en:
      still_open: "Changeset still open - discussion will open once the changeset is closed."
    node:
      title_html: "Node: %{name}"
-      history_title: "Node History: %{name}"
+      history_title_html: "Node History: %{name}"
    way:
      title_html: "Way: %{name}"
-      history_title: "Way History: %{name}"
+      history_title_html: "Way History: %{name}"
      nodes: "Nodes"
      also_part_of_html:
        one: "part of way %{related_ways}"
        other: "part of ways %{related_ways}"
    relation:
      title_html: "Relation: %{name}"
-      history_title: "Relation History: %{name}"
+      history_title_html: "Relation History: %{name}"
      members: "Members"
    relation_member:
      entry_html: "%{type} %{name}"
@ -1911,7 +1911,7 @@ en:
  oauth:
    authorize:
      title: "Authorize access to your account"
-      request_access: "The application %{app_name} is requesting access to your account, %{user}. Please check whether you would like the application to have the following capabilities. You may choose as many or as few as you like."
+      request_access_html: "The application %{app_name} is requesting access to your account, %{user}. Please check whether you would like the application to have the following capabilities. You may choose as many or as few as you like."
      allow_to: "Allow the client application to:"
      allow_read_prefs:  "read your user preferences."
      allow_write_prefs: "modify your user preferences."
@ -1923,7 +1923,7 @@ en:
      grant_access: "Grant Access"
    authorize_success:
      title: "Authorization request allowed"
-      allowed: "You have granted application %{app_name} access to your account."
+      allowed_html: "You have granted application %{app_name} access to your account."
      verification: "The verification code is %{code}."
    authorize_failure:
      title: "Authorization request failed"
@ -1965,7 +1965,8 @@ en:
      issued_at: "Issued At"
      revoke: "Revoke!"
      my_apps: "My Client Applications"
-      no_apps: "Do you have an application you would like to register for use with us using the %{oauth} standard? You must register your web application before it can make OAuth requests to this service."
+      no_apps_html: "Do you have an application you would like to register for use with us using the %{oauth} standard? You must register your web application before it can make OAuth requests to this service."
+      oauth: OAuth
      registered_apps: "You have the following client applications registered:"
      register_new: "Register your application"
    form:
@ -2275,8 +2276,8 @@ en:
      showing:
        one: Page %{page} (%{first_item} of %{items})
        other: Page %{page} (%{first_item}-%{last_item} of %{items})
-      summary: "%{name} created from %{ip_address} on %{date}"
-      summary_no_ip: "%{name} created on %{date}"
+      summary_html: "%{name} created from %{ip_address} on %{date}"
+      summary_no_ip_html: "%{name} created on %{date}"
      confirm: Confirm Selected Users
      hide: Hide Selected Users
      empty: No matching users found