From dfedf85b6ca076c4c95f10ea3d9649d1a4de6818 Mon Sep 17 00:00:00 2001 From: Andy Allan Date: Fri, 20 Dec 2019 10:29:07 +0100 Subject: [PATCH 1/6] Use _html suffix to avoid using raw when displaying translated strings This is safer than raw, since any user input is still escaped. --- .../diary_entries/_diary_comment.html.erb | 2 +- app/views/diary_entries/_diary_entry.html.erb | 2 +- app/views/diary_entries/show.html.erb | 2 +- app/views/messages/inbox.html.erb | 2 +- app/views/messages/new.html.erb | 2 +- app/views/messages/outbox.html.erb | 4 ++-- app/views/site/_potlatch2.html.erb | 2 +- app/views/users/show.html.erb | 2 +- config/locales/en.yml | 18 +++++++++--------- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/app/views/diary_entries/_diary_comment.html.erb b/app/views/diary_entries/_diary_comment.html.erb index 639ac9a19..3893072ad 100644 --- a/app/views/diary_entries/_diary_comment.html.erb +++ b/app/views/diary_entries/_diary_comment.html.erb @@ -1,6 +1,6 @@
"> <%= user_thumbnail diary_comment.user %> -

<%= raw(t(".comment_from", :link_user => (link_to h(diary_comment.user.display_name), user_path(diary_comment.user)), :comment_created_at => link_to(l(diary_comment.created_at, :format => :friendly), :anchor => "comment#{diary_comment.id}"))) %> +

<%= t(".comment_from_html", :link_user => (link_to h(diary_comment.user.display_name), user_path(diary_comment.user)), :comment_created_at => link_to(l(diary_comment.created_at, :format => :friendly), :anchor => "comment#{diary_comment.id}")) %> <% if current_user and diary_comment.user.id != current_user.id %> | <%= report_link(t(".report"), diary_comment) %> <% end %>
diff --git a/app/views/diary_entries/_diary_entry.html.erb b/app/views/diary_entries/_diary_entry.html.erb
index ef983ebde..5508817a8 100644
--- a/app/views/diary_entries/_diary_entry.html.erb
+++ b/app/views/diary_entries/_diary_entry.html.erb
@@ -7,7 +7,7 @@

<%= link_to h(diary_entry.title), diary_entry_path(diary_entry.user, diary_entry) %>

- <%= raw(t(".posted_by", :link_user => (link_to h(diary_entry.user.display_name), user_path(diary_entry.user)), :created => l(diary_entry.created_at, :format => :blog), :language_link => (link_to h(diary_entry.language.name), :controller => "diary_entries", :action => "index", :display_name => nil, :language => diary_entry.language_code))) %>
+ <%= t(".posted_by_html", :link_user => (link_to h(diary_entry.user.display_name), user_path(diary_entry.user)), :created => l(diary_entry.created_at, :format => :blog), :language_link => (link_to diary_entry.language.name, :controller => "diary_entries", :action => "index", :display_name => nil, :language => diary_entry.language_code)) %>
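Review bot: The new `posted_by_html` call drops `h()` around `diary_entry.language.name` but keeps it around `diary_entry.user.display_name` in the same expression; with an `_html` key each interpolated value is escaped unless it is already html_safe, and `link_to` escapes a plain-string name itself, so the remaining `h()` is redundant and both arguments should be treated alike: `link_to(diary_entry.user.display_name, user_path(diary_entry.user))`. The same leftover `h()` inside `link_to` survives in the _diary_comment and messages/new hunks of this patch, while the user_blocks hunks later in the series already drop it. This is a consistency point only; the extra `h()` does not double-escape, since `h` returns an html_safe string.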
diff --git a/app/views/diary_entries/show.html.erb b/app/views/diary_entries/show.html.erb
index 1cc1e1c53..d8f4cd8f5 100644
--- a/app/views/diary_entries/show.html.erb
+++ b/app/views/diary_entries/show.html.erb
@@ -29,7 +29,7 @@
<%= link_to t("javascripts.changesets.show.subscribe"), diary_entry_subscribe_path(:display_name => @entry.user.display_name, :id => @entry.id), :method => :post, :class => :button %>
<% end %> <% else %> -

<%= raw t(".login_to_leave_a_comment", :login_link => link_to(t(".login"), :controller => "users", :action => "login", :referer => request.fullpath)) %>

+

<%= t(".login_to_leave_a_comment_html", :login_link => link_to(t(".login"), :controller => "users", :action => "login", :referer => request.fullpath)) %>

<% end %>
diff --git a/app/views/messages/inbox.html.erb b/app/views/messages/inbox.html.erb
index 40bb8e8a3..c3065f911 100644
--- a/app/views/messages/inbox.html.erb
+++ b/app/views/messages/inbox.html.erb
@@ -24,5 +24,5 @@ <% else %> -
<%= raw(t(".no_messages_yet", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user)))) %>
+
<%= t(".no_messages_yet_html", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user))) %>
<% end %>
diff --git a/app/views/messages/new.html.erb b/app/views/messages/new.html.erb
index 2429feb52..2aac33efa 100644
--- a/app/views/messages/new.html.erb
+++ b/app/views/messages/new.html.erb
@@ -1,5 +1,5 @@ <% content_for :heading do %> -
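Review bot: The view now looks up `no_messages_yet_html`, but this patch's diffstat lists only config/locales/en.yml, so if the other locale files under config/locales still carry the old `no_messages_yet` key, non-English users of this page will see I18n's missing-translation output (or the English string, if fallbacks are enabled) until those files are regenerated. Worth confirming that the other locales are renamed by the same tooling or covered by fallbacks; the same question applies to every key renamed in this series.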

<%= raw(t(".send_message_to", :name => link_to(h(@message.recipient.display_name), user_path(@message.recipient)))) %>

+

<%= t(".send_message_to_html", :name => link_to(h(@message.recipient.display_name), user_path(@message.recipient))) %>

<% end %> <%= error_messages_for "message" %>
diff --git a/app/views/messages/outbox.html.erb b/app/views/messages/outbox.html.erb
index a06e18838..806f1207a 100644
--- a/app/views/messages/outbox.html.erb
+++ b/app/views/messages/outbox.html.erb
@@ -3,7 +3,7 @@ <% end %> <% content_for :heading do %> -

<%= raw(t(".my_inbox", :inbox_link => link_to(t(".inbox"), inbox_messages_path))) %>/<%= t ".outbox" %>

+

<%= t(".my_inbox_html", :inbox_link => link_to(t(".inbox"), inbox_messages_path)) %>/<%= t ".outbox" %>

<% end %>

<%= t ".messages", :count => current_user.sent_messages.size %>

@@ -23,5 +23,5 @@ <% else %> -
<%= raw(t(".no_sent_messages", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user)))) %>
+
<%= t(".no_sent_messages_html", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user))) %>
<% end %> diff --git a/app/views/site/_potlatch2.html.erb b/app/views/site/_potlatch2.html.erb index 11519c26e..bab612491 100644 --- a/app/views/site/_potlatch2.html.erb +++ b/app/views/site/_potlatch2.html.erb @@ -15,5 +15,5 @@ <% end %> <% data[:locale] = Locale.list(Potlatch2::LOCALES.keys).preferred(preferred_languages).to_s -%> <% data[:locale_path] = asset_path("potlatch2/locales/#{Potlatch2::LOCALES[data[:locale]]}.swf") -%> - <%= content_tag :div, raw(t("site.edit.flash_player_required")), :id => "potlatch", :data => data %> + <%= content_tag :div, t("site.edit.flash_player_required_html"), :id => "potlatch", :data => data %> diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb index 7e8b45185..011226109 100644 --- a/app/views/users/show.html.erb +++ b/app/views/users/show.html.erb @@ -183,7 +183,7 @@ <% if current_user and @user.id == current_user.id %> <% if @user.home_lat.nil? or @user.home_lon.nil? %>
-

<%= raw(t(".if set location", :settings_link => (link_to t(".settings_link_text"), :controller => "users", :action => "account", :display_name => current_user.display_name))) %>

+

<%= t(".if_set_location_html", :settings_link => (link_to t(".settings_link_text"), :controller => "users", :action => "account", :display_name => current_user.display_name)) %>

<% else %> <% content_for :head do %> diff --git a/config/locales/en.yml b/config/locales/en.yml index b99e068b8..6d1ea92dd 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -373,14 +373,14 @@ en: title: "%{user}'s diary | %{title}" user_title: "%{user}'s diary" leave_a_comment: "Leave a comment" - login_to_leave_a_comment: "%{login_link} to leave a comment" + login_to_leave_a_comment_html: "%{login_link} to leave a comment" login: "Login" no_such_entry: title: "No such diary entry" heading: "No entry with the id: %{id}" body: "Sorry, there is no diary entry or comment with the id %{id}. Please check your spelling, or maybe the link you clicked is wrong." diary_entry: - posted_by: "Posted by %{link_user} on %{created} in %{language_link}" + posted_by_html: "Posted by %{link_user} on %{created} in %{language_link}" comment_link: Comment on this entry reply_link: Reply to this entry comment_count: @@ -393,7 +393,7 @@ en: confirm: Confirm report: Report this entry diary_comment: - comment_from: "Comment from %{link_user} on %{comment_created_at}" + comment_from_html: "Comment from %{link_user} on %{comment_created_at}" hide_link: Hide this comment unhide_link: Unhide this comment confirm: Confirm @@ -1273,7 +1273,7 @@ en: from: "From" subject: "Subject" date: "Date" - no_messages_yet: "You have no messages yet. Why not get in touch with some of the %{people_mapping_nearby_link}?" + no_messages_yet_html: "You have no messages yet. Why not get in touch with some of the %{people_mapping_nearby_link}?" people_mapping_nearby: "people mapping nearby" message_summary: unread_button: "Mark as unread" @@ -1282,7 +1282,7 @@ en: destroy_button: "Delete" new: title: "Send message" - send_message_to: "Send a new message to %{name}" + send_message_to_html: "Send a new message to %{name}" subject: "Subject" body: "Body" back_to_inbox: "Back to inbox" 
@@ -1295,7 +1295,7 @@ en: body: "Sorry there is no message with that id." outbox: title: "Outbox" - my_inbox: "My %{inbox_link}" + my_inbox_html: "My %{inbox_link}" inbox: "inbox" outbox: "outbox" messages: @@ -1304,7 +1304,7 @@ en: to: "To" subject: "Subject" date: "Date" - no_sent_messages: "You have no sent messages yet. Why not get in touch with some of the %{people_mapping_nearby_link}?" + no_sent_messages_html: "You have no sent messages yet. Why not get in touch with some of the %{people_mapping_nearby_link}?" people_mapping_nearby: "people mapping nearby" reply: wrong_user: "You are logged in as `%{user}' but the message you have asked to reply to was not sent to that user. Please login as the correct user in order to reply." @@ -1526,7 +1526,7 @@ en: anon_edits: "(%{link})" anon_edits_link: "https://wiki.openstreetmap.org/wiki/Disabling_anonymous_edits" anon_edits_link_text: "Find out why this is the case." - flash_player_required: 'You need a Flash player to use Potlatch, the OpenStreetMap Flash editor. You can download Flash Player from Adobe.com. Several other options are also available for editing OpenStreetMap.' + flash_player_required_html: 'You need a Flash player to use Potlatch, the OpenStreetMap Flash editor. You can download Flash Player from Adobe.com. Several other options are also available for editing OpenStreetMap.' potlatch_unsaved_changes: "You have unsaved changes. (To save in Potlatch, you should deselect the current way or point, if editing in live mode, or click save if you have a save button.)" potlatch2_not_configured: "Potlatch 2 has not been configured - please see https://wiki.openstreetmap.org/wiki/The_Rails_Port#Potlatch_2 for more information" potlatch2_unsaved_changes: "You have unsaved changes. (To save in Potlatch 2, you should click save.)" 
@@ -2142,7 +2142,7 @@ en: spam score: "Spam Score:" description: Description user location: User location - if set location: "Set your home location on the %{settings_link} page to see nearby users." + if_set_location_html: "Set your home location on the %{settings_link} page to see nearby users." settings_link_text: settings my friends: My friends no friends: You have not added any friends yet. From 217f61663048cb3040663d607364ab10937dbe9a Mon Sep 17 00:00:00 2001 From: Andy Allan Date: Fri, 20 Dec 2019 14:32:00 +0100 Subject: [PATCH 2/6] Use _html suffix to avoid using raw when displaying translated strings This is safer than raw, since any user input is still escaped. --- app/views/site/about.html.erb | 2 +- app/views/user_blocks/blocks_by.html.erb | 2 +- app/views/user_blocks/blocks_on.html.erb | 2 +- app/views/user_blocks/edit.html.erb | 6 +++--- app/views/user_blocks/new.html.erb | 6 +++--- app/views/user_blocks/revoke.html.erb | 10 +++++----- app/views/user_blocks/show.html.erb | 10 +++++----- app/views/users/login.html.erb | 2 +- app/views/users/new.html.erb | 4 ++-- config/locales/en.yml | 18 +++++++++--------- 10 files changed, 31 insertions(+), 31 deletions(-) diff --git a/app/views/site/about.html.erb b/app/views/site/about.html.erb index 886aaf006..3f310be5b 100644 --- a/app/views/site/about.html.erb +++ b/app/views/site/about.html.erb @@ -5,7 +5,7 @@
-

<%= raw t ".used_by", :name => "OpenStreetMap" %>

+

<%= t ".used_by_html", :name => content_tag(:span, "OpenStreetMap", :class => "user-name") %>

diff --git a/app/views/user_blocks/blocks_by.html.erb b/app/views/user_blocks/blocks_by.html.erb
index 284052a7b..6b4e60daa 100644
--- a/app/views/user_blocks/blocks_by.html.erb
+++ b/app/views/user_blocks/blocks_by.html.erb
@@ -1,6 +1,6 @@ <% @title = t(".title", :name => h(@user.display_name)) %> <% content_for :heading do %> -

<%= raw(t(".heading", :name => link_to(h(@user.display_name), user_path(@user)))) %>

+

<%= t(".heading_html", :name => link_to(@user.display_name, user_path(@user))) %>

<% end %> <% unless @user_blocks.empty? %>
diff --git a/app/views/user_blocks/blocks_on.html.erb b/app/views/user_blocks/blocks_on.html.erb
index bb71d48c8..cfdc9abf1 100644
--- a/app/views/user_blocks/blocks_on.html.erb
+++ b/app/views/user_blocks/blocks_on.html.erb
@@ -1,6 +1,6 @@ <% @title = t(".title", :name => h(@user.display_name)) %> <% content_for :heading do %> -

<%= raw(t(".heading", :name => link_to(h(@user.display_name), user_path(@user)))) %>

+

<%= t(".heading_html", :name => link_to(@user.display_name, user_path(@user))) %>

<% end %> <% unless @user_blocks.empty? %> <%= render :partial => "blocks", :locals => { :show_revoke_link => can?(:revoke, UserBlock), :show_user_name => false, :show_creator_name => true } %>
diff --git a/app/views/user_blocks/edit.html.erb b/app/views/user_blocks/edit.html.erb
index 88d7e4f23..69ab5f9f3 100644
--- a/app/views/user_blocks/edit.html.erb
+++ b/app/views/user_blocks/edit.html.erb
@@ -1,8 +1,8 @@ <% @title = t ".title", :name => h(@user_block.user.display_name) %> <% content_for :heading do %> -

<%= raw t(".title", - :name => link_to(h(@user_block.user.display_name), - user_path(@user_block.user))) %>

+

<%= t(".heading_html", + :name => link_to(@user_block.user.display_name, + user_path(@user_block.user))) %>

  • <%= link_to t(".show"), @user_block %>
  • <%= link_to t(".back"), user_blocks_path %>
  •
diff --git a/app/views/user_blocks/new.html.erb b/app/views/user_blocks/new.html.erb
index bd492a354..18b03eda9 100644
--- a/app/views/user_blocks/new.html.erb
+++ b/app/views/user_blocks/new.html.erb
@@ -1,8 +1,8 @@ <% @title = t ".title", :name => h(@user.display_name) %> <% content_for :heading do %> -

    <%= raw t(".heading", - :name => link_to(h(@user.display_name), - user_path(@user))) %>

    +

    <%= t(".heading_html", + :name => link_to(@user.display_name, + user_path(@user))) %>

<% end %> <%= form_for(@user_block) do |f| %> <%= f.error_messages %>
diff --git a/app/views/user_blocks/revoke.html.erb b/app/views/user_blocks/revoke.html.erb
index 9bd7df5ae..df48747dd 100644
--- a/app/views/user_blocks/revoke.html.erb
+++ b/app/views/user_blocks/revoke.html.erb
@@ -3,11 +3,11 @@ :block_by => h(@user_block.creator.display_name)) %> <% content_for :heading do %> -

    <%= raw t(".heading", - :block_on => link_to(h(@user_block.user.display_name), - user_path(@user_block.user)), - :block_by => link_to(h(@user_block.creator.display_name), - user_path(@user_block.creator))) %>

    +

    <%= t(".heading_html", + :block_on => link_to(@user_block.user.display_name, + user_path(@user_block.user)), + :block_by => link_to(@user_block.creator.display_name, + user_path(@user_block.creator))) %>

<% end %> <% if @user_block.ends_at > Time.now %>
diff --git a/app/views/user_blocks/show.html.erb b/app/views/user_blocks/show.html.erb
index 7e225bf14..6bfb412ef 100644
--- a/app/views/user_blocks/show.html.erb
+++ b/app/views/user_blocks/show.html.erb
@@ -3,11 +3,11 @@ :block_by => @user_block.creator.display_name) %> <% content_for :heading do %> -

    <%= raw t(".heading", - :block_on => link_to(h(@user_block.user.display_name), - user_path(@user_block.user)), - :block_by => link_to(h(@user_block.creator.display_name), - user_path(@user_block.creator))) %>

    +

    <%= t(".heading_html", + :block_on => link_to(@user_block.user.display_name, + user_path(@user_block.user)), + :block_by => link_to(@user_block.creator.display_name, + user_path(@user_block.creator))) %>

<% if @user_block.ends_at > Time.now.getutc %> <% if current_user and current_user.id == @user_block.creator_id %>
diff --git a/app/views/users/login.html.erb b/app/views/users/login.html.erb
index 9bfa23cbc..b10a2b291 100644
--- a/app/views/users/login.html.erb
+++ b/app/views/users/login.html.erb
@@ -74,7 +74,7 @@
    - + <%= hidden_field_tag("openid_referer", params[:referer]) if params[:referer] %> <%= text_field_tag("openid_url", "", :tabindex => 3, :class => "openid_url") %> (" target="_new"><%= t "users.account.openid.link text" %>) diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb index 0cb70d2d5..fc62f0708 100644 --- a/app/views/users/new.html.erb +++ b/app/views/users/new.html.erb @@ -26,7 +26,7 @@ <%= f.email_field(:email_confirmation, :tabindex => 2) %> <%= f.error_message_on(:email_confirmation) %>
    - <%= raw(t(".not displayed publicly")) %> + <%= t(".not_displayed_publicly_html") %>
    @@ -43,7 +43,7 @@
    <%= f.select(:auth_provider, Auth::PROVIDERS, :default => "", :tabindex => 4) %> <%= f.text_field(:auth_uid, :tabindex => 5) %> diff --git a/config/locales/en.yml b/config/locales/en.yml index 6d1ea92dd..fbd31e4b0 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -1330,7 +1330,7 @@ en: about: next: Next copyright_html: ©OpenStreetMap
    contributors - used_by: "%{name} powers map data on thousands of web sites, mobile apps, and hardware devices" + used_by_html: "%{name} powers map data on thousands of web sites, mobile apps, and hardware devices" lede_text: | OpenStreetMap is built by a community of mappers that contribute and maintain data about roads, trails, cafés, railway stations, and much more, all over the world. @@ -1996,7 +1996,7 @@ en: heading: "Login" email or username: "Email Address or Username:" password: "Password:" - openid: "%{logo} OpenID:" + openid_html: "%{logo} OpenID:" remember: "Remember me" lost password link: "Lost your password?" login_button: "Login" @@ -2072,7 +2072,7 @@ en: license_agreement: 'When you confirm your account you will need to agree to the contributor terms.' email address: "Email Address:" confirm email address: "Confirm Email Address:" - not displayed publicly: 'Your address is not displayed publicly, see our privacy policy for more information' + not_displayed_publicly_html: 'Your address is not displayed publicly, see our privacy policy for more information' display name: "Display Name:" display name description: "Your publicly displayed username. You can change this later in the preferences." external auth: "Third Party Authentication:" @@ -2335,7 +2335,7 @@ en: back: "Back to index" new: title: "Creating block on %{name}" - heading: "Creating block on %{name}" + heading_html: "Creating block on %{name}" reason: "The reason why %{name} is being blocked. Please be as calm and as reasonable as possible, giving as much detail as you can about the situation, remembering that the message will be publicly visible. Bear in mind that not all users understand the community jargon, so please try to use laymans terms." period: "How long, starting now, the user will be blocked from the API for." tried_contacting: "I have contacted the user and asked them to stop." 
@@ -2344,7 +2344,7 @@ en: back: "View all blocks" edit: title: "Editing block on %{name}" - heading: "Editing block on %{name}" + heading_html: "Editing block on %{name}" reason: "The reason why %{name} is being blocked. Please be as calm and as reasonable as possible, giving as much detail as you can about the situation. Bear in mind that not all users understand the community jargon, so please try to use laymans terms." period: "How long, starting now, the user will be blocked from the API for." show: "View this block" @@ -2366,7 +2366,7 @@ en: empty: "No blocks have been made yet." revoke: title: "Revoking block on %{block_on}" - heading: "Revoking block on %{block_on} by %{block_by}" + heading_html: "Revoking block on %{block_on} by %{block_by}" time_future: "This block will end in %{time}." past: "This block ended %{time} and cannot be revoked now." confirm: "Are you sure you wish to revoke this block?" @@ -2395,15 +2395,15 @@ en: other: "%{count} years" blocks_on: title: "Blocks on %{name}" - heading: "List of blocks on %{name}" + heading_html: "List of blocks on %{name}" empty: "%{name} has not been blocked yet." blocks_by: title: "Blocks by %{name}" - heading: "List of blocks by %{name}" + heading_html: "List of blocks by %{name}" empty: "%{name} has not made any blocks yet." show: title: "%{block_on} blocked by %{block_by}" - heading: "%{block_on} blocked by %{block_by}" + heading_html: "%{block_on} blocked by %{block_by}" created: "Created" status: "Status" show: "Show" From dddef7672e37e85e14af7aa2ffbd95214bd2689f Mon Sep 17 00:00:00 2001 
From: Andy Allan Date: Sun, 22 Dec 2019 11:28:18 +0100 Subject: [PATCH 3/6] Use _html suffix to avoid using raw when displaying translated strings This is safer than raw, since any user input is still escaped. --- app/views/site/_potlatch.html.erb | 2 +- app/views/site/edit.html.erb | 4 ++-- app/views/site/export.html.erb | 2 +- app/views/users/account.html.erb | 2 +- app/views/users/blocked.html.erb | 2 +- app/views/users/suspended.html.erb | 2 +- app/views/users/terms.html.erb | 6 +++--- config/locales/en.yml | 14 +++++++------- 8 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/app/views/site/_potlatch.html.erb b/app/views/site/_potlatch.html.erb
index 3ebcf7fab..fedecbae8 100644
--- a/app/views/site/_potlatch.html.erb
+++ b/app/views/site/_potlatch.html.erb
@@ -6,5 +6,5 @@ <% data[:lat] = @lat if @lat -%> <% data[:lon] = @lon if @lon -%> <% data[:zoom] = @zoom if @zoom -%>
- <%= content_tag :div, raw(t("site.edit.flash_player_required")), :id => "potlatch", :data => data %>
+ <%= content_tag :div, t("site.edit.flash_player_required_html"), :id => "potlatch", :data => data %>
    diff --git a/app/views/site/edit.html.erb b/app/views/site/edit.html.erb index 1dba95e5d..d991adf39 100644 --- a/app/views/site/edit.html.erb +++ b/app/views/site/edit.html.erb @@ -5,8 +5,8 @@

    <%= t "layouts.osm_read_only" %>

    <% elsif !current_user.data_public? %>

    <%= t ".not_public" %>

    -

    <%= raw t ".not_public_description", :user_page => (link_to t(".user_page_link"), :controller => "users", :action => "account", :display_name => current_user.display_name, :anchor => "public") %>

    -

    <%= raw t "site.edit.anon_edits", :link => link_to(t(".anon_edits_link_text"), t(".anon_edits_link")) %>

    +

    <%= t ".not_public_description_html", :user_page => (link_to t(".user_page_link"), :controller => "users", :action => "account", :display_name => current_user.display_name, :anchor => "public") %>

    +

    <%= t ".anon_edits_html", :link => link_to(t(".anon_edits_link_text"), t(".anon_edits_link")) %>

<% else %> <%= render :partial => preferred_editor %> <% end %>
diff --git a/app/views/site/export.html.erb b/app/views/site/export.html.erb
index 4af1a0ff3..f1eed33cf 100644
--- a/app/views/site/export.html.erb
+++ b/app/views/site/export.html.erb
@@ -21,7 +21,7 @@
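Review bot: `t ".anon_edits_html", :link => link_to(t(".anon_edits_link_text"), t(".anon_edits_link"))` puts a URL read from the locale file straight into an `href`, and an `_html` key marks the whole translated string html_safe, so translation content is rendered exactly as `raw` rendered it before; only the interpolated arguments gain escaping, which is narrower than the commit message's "any user input is still escaped" suggests. That is fine if locale files are treated as trusted code, but if they are imported from an external translation platform, an `anon_edits_link` value such as a `javascript:` URL would still reach the page unvalidated. Consider keeping the URL in the view or in Settings rather than in the translation, or at least a comment here such as `<%# _html keys trust the translation itself; only interpolated values are escaped %>`. The `not_public_description_html` line in the same hunk builds its link in the view and is not affected.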

<%= t ".licence" %>

-

<%= raw t ".export_details" %>

+

<%= t ".export_details_html" %>

diff --git a/app/views/users/account.html.erb b/app/views/users/account.html.erb
index 7fd6929ca..4021e5c08 100644
--- a/app/views/users/account.html.erb
+++ b/app/views/users/account.html.erb
@@ -175,6 +175,6 @@ <% unless current_user.data_public? %>

<%= t ".public editing note.heading" %>

-<%= raw t ".public editing note.text" %>
+<%= t ".public editing note.html" %> <%= button_to t(".make edits public button"), :action => :go_public %> <% end %>
diff --git a/app/views/users/blocked.html.erb b/app/views/users/blocked.html.erb
index 2b2ff06f6..5e6505cac 100644
--- a/app/views/users/blocked.html.erb
+++ b/app/views/users/blocked.html.erb
@@ -6,5 +6,5 @@
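Review bot: The key `".public editing note.html"` only renders unescaped because its last path component is exactly `html`, which the Rails translation helper accepts alongside the `_html` suffix, while every other key renamed in this series uses the `_html` form; `".public editing note.text_html"` (with `text_html:` in en.yml) would be uniform and easier to grep for when auditing html-safe translations. If the bare `.html` form is kept deliberately, a short comment on the line noting that it relies on the suffix rule would help, since a later rename such as `html_text` would silently turn html-safety off and start escaping the markup in that string.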

<%= t "users.new.no_auto_account_create" %>

-

<%= raw t "users.new.contact_webmaster", :webmaster => "mailto:#{Settings.support_email}" %>

+

<%= t "users.new.contact_webmaster_html", :webmaster => "mailto:#{Settings.support_email}" %>

diff --git a/app/views/users/suspended.html.erb b/app/views/users/suspended.html.erb
index 3a2df498a..002c632dd 100644
--- a/app/views/users/suspended.html.erb
+++ b/app/views/users/suspended.html.erb
@@ -4,4 +4,4 @@
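Review bot: `t "users.new.contact_webmaster_html", :webmaster => "mailto:#{Settings.support_email}"` hands a bare URL string to the translation, so the anchor markup and the attribute the value lands in (presumably an `href`) live in the locale string, whereas the suspended.html.erb hunk that follows builds the whole link in the view with `link_to(t(".webmaster"), "mailto:#{Settings.support_email}")` and interpolates the finished link. With the `_html` key the value is attribute-escaped, so this is not an injection problem, but keeping `href` construction in the view matches the rest of the series and stops a translation edit from moving the address into a different attribute. Suggest `:webmaster => link_to(t("users.new.webmaster"), "mailto:#{Settings.support_email}")` with the corresponding `contact_webmaster_html` string carrying only the `%{webmaster}` placeholder.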

<%= t ".heading" %>

<% end %>
-<%= raw t ".body", :webmaster => link_to(t(".webmaster"), "mailto:#{Settings.support_email}") %>
+<%= t ".body_html", :webmaster => link_to(t(".webmaster"), "mailto:#{Settings.support_email}") %>
diff --git a/app/views/users/terms.html.erb b/app/views/users/terms.html.erb
index d4a9fa0bd..97c1c7bf7 100644
--- a/app/views/users/terms.html.erb
+++ b/app/views/users/terms.html.erb
@@ -35,9 +35,9 @@

- <%= raw t ".guidance", - :summary => "https://www.osmfoundation.org/wiki/License/Contributor_Terms_Summary", - :translations => "https://www.osmfoundation.org/wiki/License/Contributor_Terms/Informal_Translations" %> + <%= t ".guidance_html", + :summary => "https://www.osmfoundation.org/wiki/License/Contributor_Terms_Summary", + :translations => "https://www.osmfoundation.org/wiki/License/Contributor_Terms/Informal_Translations" %>

diff --git a/config/locales/en.yml b/config/locales/en.yml index fbd31e4b0..9e2e6dbb7 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -1521,9 +1521,9 @@ en: remote_failed: "Editing failed - make sure JOSM or Merkaartor is loaded and the remote control option is enabled" edit: not_public: "You have not set your edits to be public." - not_public_description: "You can no longer edit the map unless you do so. You can set your edits as public from your %{user_page}." + not_public_description_html: "You can no longer edit the map unless you do so. You can set your edits as public from your %{user_page}." user_page_link: user page - anon_edits: "(%{link})" + anon_edits_html: "(%{link})" anon_edits_link: "https://wiki.openstreetmap.org/wiki/Disabling_anonymous_edits" anon_edits_link_text: "Find out why this is the case." flash_player_required_html: 'You need a Flash player to use Potlatch, the OpenStreetMap Flash editor. You can download Flash Player from Adobe.com. Several other options are also available for editing OpenStreetMap.' @@ -1541,7 +1541,7 @@ en: map_image: "Map Image (shows standard layer)" embeddable_html: "Embeddable HTML" licence: "Licence" - export_details: 'OpenStreetMap data is licensed under the Open Data Commons Open Database License (ODbL).' + export_details_html: 'OpenStreetMap data is licensed under the Open Data Commons Open Database License (ODbL).' too_large: advice: "If the above export fails, please consider using one of the sources listed below:" body: "This area is too large to be exported as OpenStreetMap XML Data. Please zoom in or select a smaller area, or use one of the sources listed below for bulk data downloads." 
@@ -2062,7 +2062,7 @@ en: new: title: "Sign Up" no_auto_account_create: "Unfortunately we are not currently able to create an account for you automatically." - contact_webmaster: 'Please contact the webmaster to arrange for an account to be created - we will try and deal with the request as quickly as possible.' + contact_webmaster_html: 'Please contact the webmaster to arrange for an account to be created - we will try and deal with the request as quickly as possible.' about: header: Free and editable html: | @@ -2096,7 +2096,7 @@ en: consider_pd: "In addition to the above, I consider my contributions to be in the Public Domain" consider_pd_why: "what's this?" consider_pd_why_url: https://www.osmfoundation.org/wiki/License/Why_would_I_want_my_contributions_to_be_public_domain - guidance: 'Information to help understand these terms: a human readable summary and some informal translations' + guidance_html: 'Information to help understand these terms: a human readable summary and some informal translations' continue: Continue declined: "https://wiki.openstreetmap.org/wiki/Contributor_Terms_Declined" decline: "Decline" @@ -2198,7 +2198,7 @@ en: disabled link text: "why can't I edit?" public editing note: heading: "Public editing" - text: "Currently your edits are anonymous and people cannot send you messages or see your location. To show what you edited and allow people to contact you through the website, click the button below. Since the 0.6 API changeover, only public users can edit map data. (find out why).
  • Your email address will not be revealed by becoming public.
  • This action cannot be reversed and all new users are now public by default.
" + html: "Currently your edits are anonymous and people cannot send you messages or see your location. To show what you edited and allow people to contact you through the website, click the button below. Since the 0.6 API changeover, only public users can edit map data. (find out why).
  • Your email address will not be revealed by becoming public.
  • This action cannot be reversed and all new users are now public by default.
" contributor terms: heading: "Contributor Terms:" agreed: "You have agreed to the new Contributor Terms." @@ -2284,7 +2284,7 @@ en: title: Account Suspended heading: Account Suspended webmaster: webmaster - body: | + body_html: |

Sorry, your account has been automatically suspended due to suspicious activity. From 8dba8cd4a0deafc51ea5b1efcd91754b68f5bff8 Mon Sep 17 00:00:00 2001 From: Andy Allan Date: Thu, 2 Jan 2020 17:13:41 +0100 Subject: [PATCH 4/6] Use _html suffix to avoid using raw when displaying translated strings This is safer than raw, since any user input is still escaped. --- .../browse/_containing_relation.html.erb | 4 +-- app/views/browse/_relation_member.html.erb | 4 +-- app/views/browse/_way.html.erb | 2 +- app/views/browse/feature.html.erb | 2 +- app/views/geocoder/search.html.erb | 2 +- app/views/site/copyright.html.erb | 26 +++++++-------- config/locales/en.yml | 32 +++++++++---------- 7 files changed, 36 insertions(+), 36 deletions(-) diff --git a/app/views/browse/_containing_relation.html.erb b/app/views/browse/_containing_relation.html.erb index b3cb90cec..ba05c1fe4 100644 --- a/app/views/browse/_containing_relation.html.erb +++ b/app/views/browse/_containing_relation.html.erb @@ -1,7 +1,7 @@

  • <%= linked_name = link_to h(printable_name(containing_relation.relation)), :action => "relation", :id => containing_relation.relation.id.to_s if containing_relation.member_role.blank? - raw t ".entry", :relation_name => linked_name + t ".entry_html", :relation_name => linked_name else - raw t ".entry_role", :relation_name => linked_name, :relation_role => h(containing_relation.member_role) + t ".entry_role_html", :relation_name => linked_name, :relation_role => h(containing_relation.member_role) end %>
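Review bot: The `h(containing_relation.member_role)` wrapper on the new `.entry_role_html` line is now redundant: for a translation key ending in `_html`, Rails' `t` helper HTML-escapes every interpolation value that is not already html_safe, so the role string is escaped either way. Keeping `h` is harmless, but it leaves two layers responsible for the same escaping and suggests the `_html` key alone is not enough. I would drop it: `t ".entry_role_html", :relation_name => linked_name, :relation_role => containing_relation.member_role`. The same applies to `:role => h(relation_member.member_role)` in the `_relation_member.html.erb` hunk below; `linked_name` itself comes from `link_to` on the context line and is an html_safe buffer, so it is interpolated unescaped as intended.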
  • diff --git a/app/views/browse/_relation_member.html.erb b/app/views/browse/_relation_member.html.erb index bb37bdf21..fe0f36357 100644 --- a/app/views/browse/_relation_member.html.erb +++ b/app/views/browse/_relation_member.html.erb @@ -3,8 +3,8 @@ type_str = t ".type." + relation_member.member_type.downcase %>
  • <%= if relation_member.member_role.blank? - raw t ".entry", :type => type_str, :name => linked_name + t ".entry_html", :type => type_str, :name => linked_name else - raw t ".entry_role", :type => type_str, :name => linked_name, :role => h(relation_member.member_role) + t ".entry_role_html", :type => type_str, :name => linked_name, :role => h(relation_member.member_role) end %>
  • diff --git a/app/views/browse/_way.html.erb b/app/views/browse/_way.html.erb index ed206c59b..5560344a8 100644 --- a/app/views/browse/_way.html.erb +++ b/app/views/browse/_way.html.erb @@ -25,7 +25,7 @@ <%= link_to printable_name(wn.node), { :action => "node", :id => wn.node_id.to_s }, { :class => link_class("node", wn.node), :title => link_title(wn.node), :rel => link_follow(wn.node) } %> <% related_ways = wn.node.ways.reject { |w| w.id == wn.way_id } %> <% if related_ways.size > 0 then %> - (<%= raw t ".also_part_of", :count => related_ways.size, :related_ways => related_ways.map { |w| link_to(printable_name(w), { :action => "way", :id => w.id.to_s }, { :class => link_class("way", w), :title => link_title(w) }) }.to_sentence %>) + (<%= t ".also_part_of_html", :count => related_ways.size, :related_ways => to_sentence(related_ways.map { |w| link_to(printable_name(w), { :action => "way", :id => w.id.to_s }, { :class => link_class("way", w), :title => link_title(w) }) }) %>) <% end %> <% end %> diff --git a/app/views/browse/feature.html.erb b/app/views/browse/feature.html.erb index 6c94b0a9d..7dfccb290 100644 --- a/app/views/browse/feature.html.erb +++ b/app/views/browse/feature.html.erb @@ -2,7 +2,7 @@
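Review bot: The new line's correctness hinges on calling ActionView's `to_sentence` helper rather than `Array#to_sentence`: the helper joins the `link_to` buffers with `safe_join` semantics and returns an html_safe string, whereas the ActiveSupport array method returns a plain String that the `_html` key would then escape, rendering the anchor markup as literal text. That distinction is invisible at the call site, and a later refactor back to the `.map { … }.to_sentence` form would silently regress it. I would leave a comment on the line: `<%# view helper to_sentence, not Array#to_sentence: keeps the joined links html_safe %>`.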

    - <%= raw t("browse.#{@type}.title", :name => printable_name(@feature)) %> + <%= t("browse.#{@type}.title_html", :name => printable_name(@feature)) %>

    <%= render :partial => @type, :object => @feature %> diff --git a/app/views/geocoder/search.html.erb b/app/views/geocoder/search.html.erb index 3eb9561a2..13144d568 100644 --- a/app/views/geocoder/search.html.erb +++ b/app/views/geocoder/search.html.erb @@ -5,7 +5,7 @@ <%= t("site.sidebar.search_results") %> <% @sources.each do |source| %> -
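Review bot: With `raw` gone, the new `title_html` line only renders `printable_name(@feature)` verbatim if that helper returns an html_safe buffer; a plain String containing markup would now be escaped and shown literally, which `raw` never did. I cannot see the helper from this hunk, so this is worth confirming, and a view test asserting the title renders its expected markup would pin it. If `printable_name` does return html_safe output, the change is strictly safer, since a plain-string name is escaped instead of trusted. The `browse/history.html.erb` hunk in the later patch has the same dependency.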

    <%= raw(t(".title.#{source}")) %>

    +

    <%= t(".title.#{source}_html") %>

    "> <%= image_tag "searching.gif", :class => "loader" %>
    diff --git a/app/views/site/copyright.html.erb b/app/views/site/copyright.html.erb index feec81c82..c6a0348df 100644 --- a/app/views/site/copyright.html.erb +++ b/app/views/site/copyright.html.erb @@ -6,14 +6,14 @@ <%= tag.h1 :lang => @locale, :dir => t("html.dir", :locale => @locale) do %>

    <%= t ".native.title" %>

    - <%= raw t ".native.text", - :native_link => link_to(t(".native.native_link"), - :controller => "site", - :action => "copyright", - :copyright_locale => nil), - :mapping_link => link_to(t(".native.mapping_link"), - :controller => "site", - :action => "index") %> + <%= t ".native.html", + :native_link => link_to(t(".native.native_link"), + :controller => "site", + :action => "copyright", + :copyright_locale => nil), + :mapping_link => link_to(t(".native.mapping_link"), + :controller => "site", + :action => "index") %>

    <% end %>
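Review bot: Renaming `.native.text` to `.native.html` (and `.foreign.text` to `.foreign.html` in the second hunk) relies on Rails treating a key named exactly `html` as html-safe: the helper's check is `/(?:_|\b)html\z/`, which the trailing `.html` segment matches, so it works. It reads differently from every other key in this series, which keep the original name and append `_html`, so `text_html` would be the more consistent and self-explanatory choice: `<%= t ".native.text_html",` with a matching `text_html:` entry in `en.yml`. A reader who does not know the bare-`html` rule may otherwise assume the key is unsafe and reintroduce `raw`.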
    @@ -24,11 +24,11 @@ <% if t(".legal_babble", :locale => @locale) != t(".legal_babble", :locale => :en) %>

    <%= t ".foreign.title" %>

    - <%= raw t ".foreign.text", - :english_original_link => link_to(t(".foreign.english_link"), - :controller => "site", - :action => "copyright", - :copyright_locale => "en") %> + <%= t ".foreign.html", + :english_original_link => link_to(t(".foreign.english_link"), + :controller => "site", + :action => "copyright", + :copyright_locale => "en") %>

    <% end %>
    diff --git a/config/locales/en.yml b/config/locales/en.yml index 9e2e6dbb7..31531a656 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -221,29 +221,29 @@ en: discussion: Discussion still_open: "Changeset still open - discussion will open once the changeset is closed." node: - title: "Node: %{name}" + title_html: "Node: %{name}" history_title: "Node History: %{name}" way: - title: "Way: %{name}" + title_html: "Way: %{name}" history_title: "Way History: %{name}" nodes: "Nodes" - also_part_of: + also_part_of_html: one: "part of way %{related_ways}" other: "part of ways %{related_ways}" relation: - title: "Relation: %{name}" + title_html: "Relation: %{name}" history_title: "Relation History: %{name}" members: "Members" relation_member: - entry: "%{type} %{name}" - entry_role: "%{type} %{name} as %{role}" + entry_html: "%{type} %{name}" + entry_role_html: "%{type} %{name} as %{role}" type: node: "Node" way: "Way" relation: "Relation" containing_relation: - entry: "Relation %{relation_name}" - entry_role: "Relation %{relation_name} (as %{relation_role})" + entry_html: "Relation %{relation_name}" + entry_role_html: "Relation %{relation_name} (as %{relation_role})" not_found: sorry: "Sorry, %{type} #%{id} could not be found." type: @@ -422,12 +422,12 @@ en: geocoder: search: title: - latlon: 'Results from Internal' - ca_postcode: 'Results from Geocoder.CA' - osm_nominatim: 'Results from OpenStreetMap Nominatim' - geonames: 'Results from GeoNames' - osm_nominatim_reverse: 'Results from OpenStreetMap Nominatim' - geonames_reverse: 'Results from GeoNames' + latlon_html: 'Results from Internal' + ca_postcode_html: 'Results from Geocoder.CA' + osm_nominatim_html: 'Results from OpenStreetMap Nominatim' + geonames_html: 'Results from GeoNames' + osm_nominatim_reverse_html: 'Results from OpenStreetMap Nominatim' + geonames_reverse_html: 'Results from GeoNames' search_osm_nominatim: prefix_format: "%{name}" prefix: 
@@ -1373,11 +1373,11 @@ en: copyright: foreign: title: About this translation - text: In the event of a conflict between this translated page and %{english_original_link}, the English page shall take precedence + html: In the event of a conflict between this translated page and %{english_original_link}, the English page shall take precedence english_link: the English original native: title: About this page - text: You are viewing the English version of the copyright page. You can go back to the %{native_link} of this page or you can stop reading about copyright and %{mapping_link}. + html: You are viewing the English version of the copyright page. You can go back to the %{native_link} of this page or you can stop reading about copyright and %{mapping_link}. native_link: THIS_LANGUAGE_NAME_HERE version mapping_link: start mapping legal_babble: From 5aa255e13fd5a9adfd7258cd7048466fc63f2347 Mon Sep 17 00:00:00 2001 From: Andy Allan Date: Thu, 2 Jan 2020 17:43:34 +0100 Subject: [PATCH 5/6] Use _html suffix to avoid using raw when displaying translated strings This is safer than raw, since any user input is still escaped. --- app/views/browse/history.html.erb | 2 +- app/views/oauth/authorize.html.erb | 2 +- app/views/oauth/authorize_success.html.erb | 2 +- app/views/oauth_clients/index.html.erb | 2 +- app/views/users/_user.html.erb | 14 +++++++------- app/views/users/new.html.erb | 2 +- config/locales/en.yml | 17 +++++++++-------- 7 files changed, 21 insertions(+), 20 deletions(-) diff --git a/app/views/browse/history.html.erb b/app/views/browse/history.html.erb index 0a2c1811c..95b3fd317 100644 --- a/app/views/browse/history.html.erb +++ b/app/views/browse/history.html.erb @@ -2,7 +2,7 @@

    - <%= raw t("browse.#{@type}.history_title", :name => printable_name(@feature)) %> + <%= t("browse.#{@type}.history_title_html", :name => printable_name(@feature)) %>

    <%= render :partial => @type, :collection => @feature.send("old_#{@type}s").reverse %> diff --git a/app/views/oauth/authorize.html.erb b/app/views/oauth/authorize.html.erb index c480b4c99..5fd3c2fee 100644 --- a/app/views/oauth/authorize.html.erb +++ b/app/views/oauth/authorize.html.erb @@ -2,7 +2,7 @@

    <%= t ".title" %>

    <% end %> -

    <%= raw t(".request_access", :app_name => link_to(@token.client_application.name, @token.client_application.url), :user => link_to(current_user.display_name, user_path(current_user))) %>

    +

    <%= t(".request_access_html", :app_name => link_to(@token.client_application.name, @token.client_application.url), :user => link_to(current_user.display_name, user_path(current_user))) %>

    <%= form_tag authorize_url do %> <%= hidden_field_tag "oauth_token", @token.token %> diff --git a/app/views/oauth/authorize_success.html.erb b/app/views/oauth/authorize_success.html.erb index 9c817372f..63239a386 100644 --- a/app/views/oauth/authorize_success.html.erb +++ b/app/views/oauth/authorize_success.html.erb @@ -2,7 +2,7 @@
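Review bot: The `link_to(@token.client_application.name, @token.client_application.url)` value on the new `.request_access_html` line puts a registrant-supplied URL straight into an `href`; `link_to` escapes the link text but does not restrict the URL's scheme, so the move to `_html` does not cover that attribute. Unless `ClientApplication` already validates that `url` is an http(s) URL (not visible here), this page, shown to the user deciding whether to grant access, renders whatever scheme was registered. I would confirm that model-level validation exists, e.g. `validates :url, :format => %r{\Ahttps?://}`, rather than trusting the value in the view. The `authorize_success.html.erb` hunk below has the same `link_to`.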

    <%= t ".title" %>

    <% end %> -

    <%= raw t(".allowed", :app_name => link_to(@token.client_application.name, @token.client_application.url)) %>

    +

    <%= t(".allowed_html", :app_name => link_to(@token.client_application.name, @token.client_application.url)) %>

    <% if @token.oob? and not @token.oauth10? %>

    <%= t ".verification", :code => @token.verifier %>

    diff --git a/app/views/oauth_clients/index.html.erb b/app/views/oauth_clients/index.html.erb index 54bb4f9f6..738e01a74 100644 --- a/app/views/oauth_clients/index.html.erb +++ b/app/views/oauth_clients/index.html.erb @@ -29,7 +29,7 @@ <% end %>

    <%= t ".my_apps" %>

    <% if @client_applications.empty? %> -

    <%= raw(t(".no_apps", :oauth => "OAuth")) %>

    +

    <%= t(".no_apps_html", :oauth => link_to(t(".oauth"), "https://oauth.net" )) %>

    <% else %>

    <%= t ".registered_apps" %>

    <% @client_applications.each do |client| %> diff --git a/app/views/users/_user.html.erb b/app/views/users/_user.html.erb index beff4b0ae..c8fd4ac9e 100644 --- a/app/views/users/_user.html.erb +++ b/app/views/users/_user.html.erb @@ -7,14 +7,14 @@
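Review bot: The new `.no_apps_html` line has a stray space before the closing parenthesis in `link_to(t(".oauth"), "https://oauth.net" )`; the other `link_to` calls in this series have none, and RuboCop's Layout/SpaceInsideParens would flag it in plain Ruby. Change it to `link_to(t(".oauth"), "https://oauth.net")`. Turning the bare `"OAuth"` text into a link is a behaviour change beyond the `raw` removal that the commit message does not mention; the `oauth: OAuth` key it needs is added to `en.yml` in the same patch, so it is consistent, but worth a sentence in the description.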

    <% if user.creation_ip %> - <%= raw t "users.index.summary", - :name => link_to(h(user.display_name), user_path(user)), - :ip_address => link_to(user.creation_ip, :ip => user.creation_ip), - :date => l(user.creation_time, :format => :friendly) %> + <%= t "users.index.summary_html", + :name => link_to(h(user.display_name), user_path(user)), + :ip_address => link_to(user.creation_ip, :ip => user.creation_ip), + :date => l(user.creation_time, :format => :friendly) %> <% else %> - <%= raw t "users.index.summary_no_ip", - :name => link_to(h(user.display_name), user_path(user)), - :date => l(user.creation_time, :format => :friendly) %> + <%= t "users.index.summary_no_ip_html", + :name => link_to(h(user.display_name), user_path(user)), + :date => l(user.creation_time, :format => :friendly) %> <% end %>

    <%= user.description.to_html %>
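Review bot: Both branches of the `if user.creation_ip` block rebuild the same `:name` and `:date` arguments, so the two `t` calls differ only by the key and the `:ip_address` pair; hoisting the shared values above the conditional keeps the two keys' interpolations in lockstep when one of them is edited. `link_to` already escapes its text argument, so the `h(user.display_name)` wrapper can go at the same time. The partial's surrounding markup is outside this hunk.
```erb
<% name = link_to(user.display_name, user_path(user)) %>
<% date = l(user.creation_time, :format => :friendly) %>
<% if user.creation_ip %>
  <%= t "users.index.summary_html",
        :name => name,
        :ip_address => link_to(user.creation_ip, :ip => user.creation_ip),
        :date => date %>
<% else %>
  <%= t "users.index.summary_no_ip_html", :name => name, :date => date %>
<% end %>
```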
    diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb index fc62f0708..f4ff16408 100644 --- a/app/views/users/new.html.erb +++ b/app/views/users/new.html.erb @@ -70,7 +70,7 @@
    - <%= link_to raw(t(".use external auth")), "#", :id => "auth_enable" %> + <%= link_to t(".use external auth"), "#", :id => "auth_enable" %>
    <%= submit_tag t(".continue"), :tabindex => 8 %> diff --git a/config/locales/en.yml b/config/locales/en.yml index 31531a656..e1662571f 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -222,17 +222,17 @@ en: still_open: "Changeset still open - discussion will open once the changeset is closed." node: title_html: "Node: %{name}" - history_title: "Node History: %{name}" + history_title_html: "Node History: %{name}" way: title_html: "Way: %{name}" - history_title: "Way History: %{name}" + history_title_html: "Way History: %{name}" nodes: "Nodes" also_part_of_html: one: "part of way %{related_ways}" other: "part of ways %{related_ways}" relation: title_html: "Relation: %{name}" - history_title: "Relation History: %{name}" + history_title_html: "Relation History: %{name}" members: "Members" relation_member: entry_html: "%{type} %{name}" @@ -1911,7 +1911,7 @@ en: oauth: authorize: title: "Authorize access to your account" - request_access: "The application %{app_name} is requesting access to your account, %{user}. Please check whether you would like the application to have the following capabilities. You may choose as many or as few as you like." + request_access_html: "The application %{app_name} is requesting access to your account, %{user}. Please check whether you would like the application to have the following capabilities. You may choose as many or as few as you like." allow_to: "Allow the client application to:" allow_read_prefs: "read your user preferences." allow_write_prefs: "modify your user preferences." @@ -1923,7 +1923,7 @@ en: grant_access: "Grant Access" authorize_success: title: "Authorization request allowed" - allowed: "You have granted application %{app_name} access to your account." + allowed_html: "You have granted application %{app_name} access to your account." verification: "The verification code is %{code}." authorize_failure: title: "Authorization request failed" 
@@ -1965,7 +1965,8 @@ en: issued_at: "Issued At" revoke: "Revoke!" my_apps: "My Client Applications" - no_apps: "Do you have an application you would like to register for use with us using the %{oauth} standard? You must register your web application before it can make OAuth requests to this service." + no_apps_html: "Do you have an application you would like to register for use with us using the %{oauth} standard? You must register your web application before it can make OAuth requests to this service." + oauth: OAuth registered_apps: "You have the following client applications registered:" register_new: "Register your application" form: @@ -2275,8 +2276,8 @@ en: showing: one: Page %{page} (%{first_item} of %{items}) other: Page %{page} (%{first_item}-%{last_item} of %{items}) - summary: "%{name} created from %{ip_address} on %{date}" - summary_no_ip: "%{name} created on %{date}" + summary_html: "%{name} created from %{ip_address} on %{date}" + summary_no_ip_html: "%{name} created on %{date}" confirm: Confirm Selected Users hide: Hide Selected Users empty: No matching users found From 53f2c36f1d4ea04ad3539dc3450f0af49d46a671 Mon Sep 17 00:00:00 2001 From: Andy Allan Date: Thu, 2 Jan 2020 18:07:23 +0100 Subject: [PATCH 6/6] Use ActionView's safe_join to avoid using raw when joining arrays of text --- app/views/traces/_trace.html.erb | 2 +- app/views/traces/show.html.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/views/traces/_trace.html.erb b/app/views/traces/_trace.html.erb index 1fde78790..c8433599f 100644 --- a/app/views/traces/_trace.html.erb +++ b/app/views/traces/_trace.html.erb @@ -24,7 +24,7 @@ <%= t ".by" %> <%= link_to h(trace.user.display_name), user_path(trace.user) %> <% if !trace.tags.empty? %> <%= t ".in" %> - <%= raw(trace.tags.collect { |tag| link_to_tag tag.tag }.join(", ")) %> + <%= safe_join(trace.tags.collect { |tag| link_to_tag tag.tag }, ", ") %> <% end %> 
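Review bot: `safe_join` on the new line escapes any element that is not already html_safe, so the rendered tag links now depend on `link_to_tag` returning an html_safe buffer (as `link_to` does); if that project helper builds its anchor via string interpolation, the markup would be shown escaped rather than as links. I cannot see `link_to_tag` from here, so this is worth a quick check. Stylistically, `map` is the preferred name over `collect`: `safe_join(trace.tags.map { |tag| link_to_tag tag.tag }, ", ")`. The `traces/show.html.erb` hunk below calls `link_to` directly and only needs the `map` rename.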
diff --git a/app/views/traces/show.html.erb b/app/views/traces/show.html.erb index a9978fdc4..07134dbbd 100644 --- a/app/views/traces/show.html.erb +++ b/app/views/traces/show.html.erb @@ -40,7 +40,7 @@ <%= t ".tags" %> <% unless @trace.tags.empty? %> - <%= raw(@trace.tags.collect { |tag| link_to tag.tag, :controller => "traces", :action => "index", :tag => tag.tag, :id => nil }.join(", ")) %> + <%= safe_join(@trace.tags.collect { |tag| link_to tag.tag, :controller => "traces", :action => "index", :tag => tag.tag, :id => nil }, ", ") %> <% else %> <%= t ".none" %> <% end %>