Use _html suffix to avoid using raw when displaying translated strings

This is safer than raw, since any user input is still escaped.
2019-12-20 10:29:07 +01:00 · 2019-12-20 10:29:07 +01:00 · dfedf85b6c
commit dfedf85b6c
parent 01a506a254
9 changed files with 18 additions and 18 deletions
--- a/app/views/diary_entries/_diary_comment.html.erb
+++ b/app/views/diary_entries/_diary_comment.html.erb
@ -1,6 +1,6 @@
 <div class="clearfix diary-comment<%= " deemphasize" unless diary_comment.visible? %>">
  <%= user_thumbnail diary_comment.user %>
-  <p class="deemphasize comment-heading" id="comment<%= diary_comment.id %>"><%= raw(t(".comment_from", :link_user => (link_to h(diary_comment.user.display_name), user_path(diary_comment.user)), :comment_created_at => link_to(l(diary_comment.created_at, :format => :friendly), :anchor => "comment#{diary_comment.id}"))) %>
+  <p class="deemphasize comment-heading" id="comment<%= diary_comment.id %>"><%= t(".comment_from_html", :link_user => (link_to h(diary_comment.user.display_name), user_path(diary_comment.user)), :comment_created_at => link_to(l(diary_comment.created_at, :format => :friendly), :anchor => "comment#{diary_comment.id}")) %>
    <% if current_user and diary_comment.user.id != current_user.id %>
      | <%= report_link(t(".report"), diary_comment) %>
    <% end %>
--- a/app/views/diary_entries/_diary_entry.html.erb
+++ b/app/views/diary_entries/_diary_entry.html.erb
@ -7,7 +7,7 @@
    <h2><%= link_to h(diary_entry.title), diary_entry_path(diary_entry.user, diary_entry) %></h2>

    <small class='deemphasize'>
-      <%= raw(t(".posted_by", :link_user => (link_to h(diary_entry.user.display_name), user_path(diary_entry.user)), :created => l(diary_entry.created_at, :format => :blog), :language_link => (link_to h(diary_entry.language.name), :controller => "diary_entries", :action => "index", :display_name => nil, :language => diary_entry.language_code))) %>
+      <%= t(".posted_by_html", :link_user => (link_to h(diary_entry.user.display_name), user_path(diary_entry.user)), :created => l(diary_entry.created_at, :format => :blog), :language_link => (link_to diary_entry.language.name, :controller => "diary_entries", :action => "index", :display_name => nil, :language => diary_entry.language_code)) %>
    </small>

  </div>
--- a/app/views/diary_entries/show.html.erb
+++ b/app/views/diary_entries/show.html.erb
@ -29,7 +29,7 @@
      <div class="diary-subscribe-buttons"><%= link_to t("javascripts.changesets.show.subscribe"), diary_entry_subscribe_path(:display_name => @entry.user.display_name, :id => @entry.id), :method => :post, :class => :button %></div>
    <% end %>
  <% else %>
-    <h3 id="newcomment"><%= raw t(".login_to_leave_a_comment", :login_link => link_to(t(".login"), :controller => "users", :action => "login", :referer => request.fullpath)) %></h3>
+    <h3 id="newcomment"><%= t(".login_to_leave_a_comment_html", :login_link => link_to(t(".login"), :controller => "users", :action => "login", :referer => request.fullpath)) %></h3>
  <% end %>
 </div>

--- a/app/views/messages/inbox.html.erb
+++ b/app/views/messages/inbox.html.erb
@ -24,5 +24,5 @@
    </tbody>
  </table>
 <% else %>
-  <div><%= raw(t(".no_messages_yet", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user)))) %></div>
+  <div><%= t(".no_messages_yet_html", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user))) %></div>
 <% end %>
--- a/app/views/messages/new.html.erb
+++ b/app/views/messages/new.html.erb
@ -1,5 +1,5 @@
 <% content_for :heading do %>
-  <h2><%= raw(t(".send_message_to", :name => link_to(h(@message.recipient.display_name), user_path(@message.recipient)))) %></h2>
+  <h2><%= t(".send_message_to_html", :name => link_to(h(@message.recipient.display_name), user_path(@message.recipient))) %></h2>
 <% end %>

 <%= error_messages_for "message" %>
--- a/app/views/messages/outbox.html.erb
+++ b/app/views/messages/outbox.html.erb
@ -3,7 +3,7 @@
 <% end %>

 <% content_for :heading do %>
-  <h2><%= raw(t(".my_inbox", :inbox_link => link_to(t(".inbox"), inbox_messages_path))) %>/<%= t ".outbox" %></h2>
+  <h2><%= t(".my_inbox_html", :inbox_link => link_to(t(".inbox"), inbox_messages_path)) %>/<%= t ".outbox" %></h2>
 <% end %>

 <h4><%= t ".messages", :count => current_user.sent_messages.size %></h4>
@ -23,5 +23,5 @@
    </tbody>
  </table>
 <% else %>
-  <div class="messages"><%= raw(t(".no_sent_messages", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user)))) %></div>
+  <div class="messages"><%= t(".no_sent_messages_html", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user))) %></div>
 <% end %>
--- a/app/views/site/_potlatch2.html.erb
+++ b/app/views/site/_potlatch2.html.erb
@ -15,5 +15,5 @@
  <% end %>
  <% data[:locale] = Locale.list(Potlatch2::LOCALES.keys).preferred(preferred_languages).to_s -%>
  <% data[:locale_path] = asset_path("potlatch2/locales/#{Potlatch2::LOCALES[data[:locale]]}.swf") -%>
-  <%= content_tag :div, raw(t("site.edit.flash_player_required")), :id => "potlatch", :data => data %>
+  <%= content_tag :div, t("site.edit.flash_player_required_html"), :id => "potlatch", :data => data %>
 </div>
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@ -183,7 +183,7 @@
  <% if current_user and @user.id == current_user.id %>
    <% if @user.home_lat.nil? or @user.home_lon.nil? %>
      <div id="map" class="content_map">
-        <p id="no_home_location"><%= raw(t(".if set location", :settings_link => (link_to t(".settings_link_text"), :controller => "users", :action => "account", :display_name => current_user.display_name))) %></p>
+        <p id="no_home_location"><%= t(".if_set_location_html", :settings_link => (link_to t(".settings_link_text"), :controller => "users", :action => "account", :display_name => current_user.display_name)) %></p>
      </div>
    <% else %>
      <% content_for :head do %>