Fix the CrossSiteScripting warnings from Brakeman

diff --git a/app/views/users/_terms.html.erb b/app/views/users/_terms.html.erb
index f01b3bfb74e0ca2aac55cbe6dd1b2fe1a42fbc19..6a70a88f19fe9113370f7e764376b5fa70d5eb47 100644 (file)
--- a/app/views/users/_terms.html.erb
+++ b/app/views/users/_terms.html.erb
@@ -1,45 +1,45 @@
 <p id="first">
-  <%= raw @text["intro"] %>
-  <%= raw @text["next_with_decline"] %>
+  <%= @text["intro"] %>
+  <%= @text["next_with_decline"] %>
 </p>
-<h3><%= raw @text["introduction"] %></h3>
+<h3><%= @text["introduction"] %></h3>
 <ol>
   <li>
-    <p><%= raw @text["section_1"] %></p>
+    <p><%= @text["section_1"] %></p>
     <% unless @text['section_1a'].nil? %>
     <ol>
-      <li><%= raw @text["section_1a"] %></li>
-      <li><%= raw @text["section_1b"] %></li>
+      <li><%= @text["section_1a"] %></li>
+      <li><%= @text["section_1b"] %></li>
     </ol>
     <% end %>
   </li>
 </ol>
-<h3><%= raw @text["rights_granted"] %></h3>
+<h3><%= @text["rights_granted"] %></h3>
 <ol start="2">
   <li>
-    <p><%= raw @text["section_2"] %></p>
+    <p><%= @text["section_2"] %></p>
   </li>
   <li>
-    <p><%= raw @text["section_3"] %></p>
-    <p><%= raw @text["active_defn_1"] %></p>
-    <p><%= raw @text["active_defn_2"] %></p>
+    <p><%= @text["section_3"] %></p>
+    <p><%= @text["active_defn_1"] %></p>
+    <p><%= @text["active_defn_2"] %></p>
     </ul>
   </li>
   <li>
-    <p><%= raw @text["section_4"] %></p>
+    <p><%= @text["section_4"] %></p>
   </li>
   <li>
-    <p><%= raw @text["section_5"] %></p>
+    <p><%= @text["section_5"] %></p>
   </li>
 </ol>
-<h3><%= raw @text["limitation_of_liability"] %></h3>
+<h3><%= @text["limitation_of_liability"] %></h3>
 <ol start="6">
-  <li><p><%= raw @text["section_6"] %></p></li>
-  <li><p><%= raw @text["section_7"] %></p></li>
+  <li><p><%= @text["section_6"] %></p></li>
+  <li><p><%= @text["section_7"] %></p></li>
 </ol>
-<h3><%= raw @text["miscellaneous"] %></h3>
+<h3><%= @text["miscellaneous"] %></h3>
 <ol start="8">
   <li>
-    <p id="last"><%= raw @text["section_8"] %></p>
+    <p id="last"><%= @text["section_8"] %></p>
   </li>
 </ol>

diff --git a/config/brakeman.yml b/config/brakeman.yml
index f8fab871eb786c14f85600fa34055b58c0fb04ba..3551b75e41ce0b626c79e8150b2694fabc5c2ba1 100644 (file)
--- a/config/brakeman.yml
+++ b/config/brakeman.yml
@@ -1,6 +1,5 @@
 :skip_checks:
 # These checks are skipped, but should be considered TODO
-- CheckCrossSiteScripting
 - CheckExecute
 - CheckFileAccess
 - CheckRedirect

diff --git a/lib/osm.rb b/lib/osm.rb
index 3e4b5dcee4b005d8b4db2bc2b7e81bf8bf9eeedc..1d3700cd925edb69aefeadfef236049926a9565a 100644 (file)
--- a/lib/osm.rb
+++ b/lib/osm.rb
@@ -560,7 +560,7 @@ module OSM
   def self.legal_text_for_country(country_code)
     file_name = Rails.root.join("config", "legales", country_code.to_s + ".yml")
     file_name = Rails.root.join("config", "legales", Settings.default_legale + ".yml") unless File.exist? file_name
-    YAML.load_file(file_name)
+    YAML.load_file(file_name).transform_values!(&:html_safe)
   end
 
   # Return the HTTP client to use