From: Andy Allan <git@gravitystorm.co.uk>
Date: Fri, 20 Dec 2019 13:32:00 +0000 (+0100)
Subject: Use _html suffix to avoid using raw when displaying translated strings
X-Git-Tag: live~2318^2~4
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/217f61663048cb3040663d607364ab10937dbe9a

Use _html suffix to avoid using raw when displaying translated strings

This is safer than raw, since any user input is still escaped.
---

diff --git a/app/views/site/about.html.erb b/app/views/site/about.html.erb
index 886aaf006..3f310be5b 100644
--- a/app/views/site/about.html.erb
+++ b/app/views/site/about.html.erb
@@ -5,7 +5,7 @@
 
   <div class='user-image'></div>
 
-  <h1><%= raw t ".used_by", :name => "<span class='user-name'>OpenStreetMap</span>" %></h1>
+  <h1><%= t ".used_by_html", :name => content_tag(:span, "OpenStreetMap", :class => "user-name") %></h1>
 </div>
 
 <div class='text'>
diff --git a/app/views/user_blocks/blocks_by.html.erb b/app/views/user_blocks/blocks_by.html.erb
index 284052a7b..6b4e60daa 100644
--- a/app/views/user_blocks/blocks_by.html.erb
+++ b/app/views/user_blocks/blocks_by.html.erb
@@ -1,6 +1,6 @@
 <% @title = t(".title", :name => h(@user.display_name)) %>
 <% content_for :heading do %>
-  <h1><%= raw(t(".heading", :name => link_to(h(@user.display_name), user_path(@user)))) %></h1>
+  <h1><%= t(".heading_html", :name => link_to(@user.display_name, user_path(@user))) %></h1>
 <% end %>
 
 <% unless @user_blocks.empty? %>
diff --git a/app/views/user_blocks/blocks_on.html.erb b/app/views/user_blocks/blocks_on.html.erb
index bb71d48c8..cfdc9abf1 100644
--- a/app/views/user_blocks/blocks_on.html.erb
+++ b/app/views/user_blocks/blocks_on.html.erb
@@ -1,6 +1,6 @@
 <% @title = t(".title", :name => h(@user.display_name)) %>
 <% content_for :heading do %>
-  <h1><%= raw(t(".heading", :name => link_to(h(@user.display_name), user_path(@user)))) %></h1>
+  <h1><%= t(".heading_html", :name => link_to(@user.display_name, user_path(@user))) %></h1>
 <% end %>
 <% unless @user_blocks.empty? %>
 <%= render :partial => "blocks", :locals => { :show_revoke_link => can?(:revoke, UserBlock), :show_user_name => false, :show_creator_name => true } %>
diff --git a/app/views/user_blocks/edit.html.erb b/app/views/user_blocks/edit.html.erb
index 88d7e4f23..69ab5f9f3 100644
--- a/app/views/user_blocks/edit.html.erb
+++ b/app/views/user_blocks/edit.html.erb
@@ -1,8 +1,8 @@
 <% @title = t ".title", :name => h(@user_block.user.display_name) %>
 <% content_for :heading do %>
-  <h1><%= raw t(".title",
-                :name => link_to(h(@user_block.user.display_name),
-                                 user_path(@user_block.user))) %></h1>
+  <h1><%= t(".heading_html",
+            :name => link_to(@user_block.user.display_name,
+                             user_path(@user_block.user))) %></h1>
   <ul class='secondary-actions clearfix'>
     <li><%= link_to t(".show"), @user_block %></li>
     <li><%= link_to t(".back"), user_blocks_path %></li>
diff --git a/app/views/user_blocks/new.html.erb b/app/views/user_blocks/new.html.erb
index bd492a354..18b03eda9 100644
--- a/app/views/user_blocks/new.html.erb
+++ b/app/views/user_blocks/new.html.erb
@@ -1,8 +1,8 @@
 <% @title = t ".title", :name => h(@user.display_name) %>
 <% content_for :heading do %>
-  <h1><%= raw t(".heading",
-                :name => link_to(h(@user.display_name),
-                                 user_path(@user))) %></h1>
+  <h1><%= t(".heading_html",
+            :name => link_to(@user.display_name,
+                             user_path(@user))) %></h1>
 <% end %>
 <%= form_for(@user_block) do |f| %>
   <%= f.error_messages %>
diff --git a/app/views/user_blocks/revoke.html.erb b/app/views/user_blocks/revoke.html.erb
index 9bd7df5ae..df48747dd 100644
--- a/app/views/user_blocks/revoke.html.erb
+++ b/app/views/user_blocks/revoke.html.erb
@@ -3,11 +3,11 @@
               :block_by => h(@user_block.creator.display_name)) %>
 
 <% content_for :heading do %>
-  <h1><%= raw t(".heading",
-                :block_on => link_to(h(@user_block.user.display_name),
-                                     user_path(@user_block.user)),
-                :block_by => link_to(h(@user_block.creator.display_name),
-                                     user_path(@user_block.creator))) %></h1>
+  <h1><%= t(".heading_html",
+            :block_on => link_to(@user_block.user.display_name,
+                                 user_path(@user_block.user)),
+            :block_by => link_to(@user_block.creator.display_name,
+                                 user_path(@user_block.creator))) %></h1>
 <% end %>
 
 <% if @user_block.ends_at > Time.now %>
diff --git a/app/views/user_blocks/show.html.erb b/app/views/user_blocks/show.html.erb
index 7e225bf14..6bfb412ef 100644
--- a/app/views/user_blocks/show.html.erb
+++ b/app/views/user_blocks/show.html.erb
@@ -3,11 +3,11 @@
               :block_by => @user_block.creator.display_name) %>
 
 <% content_for :heading do %>
-  <h1><%= raw t(".heading",
-                :block_on => link_to(h(@user_block.user.display_name),
-                                     user_path(@user_block.user)),
-                :block_by => link_to(h(@user_block.creator.display_name),
-                                     user_path(@user_block.creator))) %></h1>
+  <h1><%= t(".heading_html",
+            :block_on => link_to(@user_block.user.display_name,
+                                 user_path(@user_block.user)),
+            :block_by => link_to(@user_block.creator.display_name,
+                                 user_path(@user_block.creator))) %></h1>
 <ul class='secondary-actions clearfix'>
   <% if @user_block.ends_at > Time.now.getutc %>
     <% if current_user and current_user.id == @user_block.creator_id %>
diff --git a/app/views/users/login.html.erb b/app/views/users/login.html.erb
index 9bfa23cbc..b10a2b291 100644
--- a/app/views/users/login.html.erb
+++ b/app/views/users/login.html.erb
@@ -74,7 +74,7 @@
         </ul>
 
         <div id='login_openid_url' class='form-row'>
-          <label for='openid_url' class="standard-label"><%= raw t ".openid", :logo => openid_logo %></label>
+          <label for='openid_url' class="standard-label"><%= t ".openid_html", :logo => openid_logo %></label>
           <%= hidden_field_tag("openid_referer", params[:referer]) if params[:referer] %>
           <%= text_field_tag("openid_url", "", :tabindex => 3, :class => "openid_url") %>
           <span class="minorNote">(<a href="<%= t "users.account.openid.link" %>" target="_new"><%= t "users.account.openid.link text" %></a>)</span>
diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb
index 0cb70d2d5..fc62f0708 100644
--- a/app/views/users/new.html.erb
+++ b/app/views/users/new.html.erb
@@ -26,7 +26,7 @@
       <%= f.email_field(:email_confirmation, :tabindex => 2) %>
       <%= f.error_message_on(:email_confirmation) %>
     </div>
-    <span class="form-help deemphasize"><%= raw(t(".not displayed publicly")) %></span>
+    <span class="form-help deemphasize"><%= t(".not_displayed_publicly_html") %></span>
   </fieldset>
 
   <fieldset>
@@ -43,7 +43,7 @@
   <fieldset class="form-divider" id="auth_field">
     <div class="form-row">
       <label for="openid_url" class="standard-label">
-        <%= raw t ".external auth" %>
+        <%= t ".external auth" %>
       </label>
       <%= f.select(:auth_provider, Auth::PROVIDERS, :default => "", :tabindex => 4) %>
       <%= f.text_field(:auth_uid, :tabindex => 5) %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 6d1ea92dd..fbd31e4b0 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1330,7 +1330,7 @@ en:
     about:
       next: Next
       copyright_html: <span>&copy;</span>OpenStreetMap<br>contributors
-      used_by: "%{name} powers map data on thousands of web sites, mobile apps, and hardware devices"
+      used_by_html: "%{name} powers map data on thousands of web sites, mobile apps, and hardware devices"
       lede_text: |
         OpenStreetMap is built by a community of mappers that contribute and maintain data
         about roads, trails, cafés, railway stations, and much more, all over the world.
@@ -1996,7 +1996,7 @@ en:
       heading: "Login"
       email or username: "Email Address or Username:"
       password: "Password:"
-      openid: "%{logo} OpenID:"
+      openid_html: "%{logo} OpenID:"
       remember: "Remember me"
       lost password link: "Lost your password?"
       login_button: "Login"
@@ -2072,7 +2072,7 @@ en:
       license_agreement: 'When you confirm your account you will need to agree to the <a href="https://www.osmfoundation.org/wiki/License/Contributor_Terms">contributor terms</a>.'
       email address: "Email Address:"
       confirm email address: "Confirm Email Address:"
-      not displayed publicly: 'Your address is not displayed publicly, see our <a href="https://wiki.osmfoundation.org/wiki/Privacy_Policy" title="OSMF privacy policy including section on email addresses">privacy policy</a> for more information'
+      not_displayed_publicly_html: 'Your address is not displayed publicly, see our <a href="https://wiki.osmfoundation.org/wiki/Privacy_Policy" title="OSMF privacy policy including section on email addresses">privacy policy</a> for more information'
       display name: "Display Name:"
       display name description: "Your publicly displayed username. You can change this later in the preferences."
       external auth: "Third Party Authentication:"
@@ -2335,7 +2335,7 @@ en:
       back: "Back to index"
     new:
       title: "Creating block on %{name}"
-      heading: "Creating block on %{name}"
+      heading_html: "Creating block on %{name}"
       reason: "The reason why %{name} is being blocked. Please be as calm and as reasonable as possible, giving as much detail as you can about the situation, remembering that the message will be publicly visible. Bear in mind that not all users understand the community jargon, so please try to use laymans terms."
       period: "How long, starting now, the user will be blocked from the API for."
       tried_contacting: "I have contacted the user and asked them to stop."
@@ -2344,7 +2344,7 @@ en:
       back: "View all blocks"
     edit:
       title: "Editing block on %{name}"
-      heading: "Editing block on %{name}"
+      heading_html: "Editing block on %{name}"
       reason: "The reason why %{name} is being blocked. Please be as calm and as reasonable as possible, giving as much detail as you can about the situation. Bear in mind that not all users understand the community jargon, so please try to use laymans terms."
       period: "How long, starting now, the user will be blocked from the API for."
       show: "View this block"
@@ -2366,7 +2366,7 @@ en:
       empty: "No blocks have been made yet."
     revoke:
       title: "Revoking block on %{block_on}"
-      heading: "Revoking block on %{block_on} by %{block_by}"
+      heading_html: "Revoking block on %{block_on} by %{block_by}"
       time_future: "This block will end in %{time}."
       past: "This block ended %{time} and cannot be revoked now."
       confirm: "Are you sure you wish to revoke this block?"
@@ -2395,15 +2395,15 @@ en:
           other: "%{count} years"
     blocks_on:
       title: "Blocks on %{name}"
-      heading: "List of blocks on %{name}"
+      heading_html: "List of blocks on %{name}"
       empty: "%{name} has not been blocked yet."
     blocks_by:
       title: "Blocks by %{name}"
-      heading: "List of blocks by %{name}"
+      heading_html: "List of blocks by %{name}"
       empty: "%{name} has not made any blocks yet."
     show:
       title: "%{block_on} blocked by %{block_by}"
-      heading: "%{block_on} blocked by %{block_by}"
+      heading_html: "%{block_on} blocked by %{block_by}"
       created: "Created"
       status: "Status"
       show: "Show"