From: Andy Allan <git@gravitystorm.co.uk>
Date: Fri, 20 Dec 2019 09:29:07 +0000 (+0100)
Subject: Use _html suffix to avoid using raw when displaying translated strings
X-Git-Tag: live~2315^2~5
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/dfedf85b6ca076c4c95f10ea3d9649d1a4de6818

Use _html suffix to avoid using raw when displaying translated strings

This is safer than raw, since any user input is still escaped.
---

diff --git a/app/views/diary_entries/_diary_comment.html.erb b/app/views/diary_entries/_diary_comment.html.erb
index 639ac9a19..3893072ad 100644
--- a/app/views/diary_entries/_diary_comment.html.erb
+++ b/app/views/diary_entries/_diary_comment.html.erb
@@ -1,6 +1,6 @@
 <div class="clearfix diary-comment<%= " deemphasize" unless diary_comment.visible? %>">
   <%= user_thumbnail diary_comment.user %>
-  <p class="deemphasize comment-heading" id="comment<%= diary_comment.id %>"><%= raw(t(".comment_from", :link_user => (link_to h(diary_comment.user.display_name), user_path(diary_comment.user)), :comment_created_at => link_to(l(diary_comment.created_at, :format => :friendly), :anchor => "comment#{diary_comment.id}"))) %>
+  <p class="deemphasize comment-heading" id="comment<%= diary_comment.id %>"><%= t(".comment_from_html", :link_user => (link_to h(diary_comment.user.display_name), user_path(diary_comment.user)), :comment_created_at => link_to(l(diary_comment.created_at, :format => :friendly), :anchor => "comment#{diary_comment.id}")) %>
     <% if current_user and diary_comment.user.id != current_user.id %>
       | <%= report_link(t(".report"), diary_comment) %>
     <% end %>
diff --git a/app/views/diary_entries/_diary_entry.html.erb b/app/views/diary_entries/_diary_entry.html.erb
index ef983ebde..5508817a8 100644
--- a/app/views/diary_entries/_diary_entry.html.erb
+++ b/app/views/diary_entries/_diary_entry.html.erb
@@ -7,7 +7,7 @@
     <h2><%= link_to h(diary_entry.title), diary_entry_path(diary_entry.user, diary_entry) %></h2>
 
     <small class='deemphasize'>
-      <%= raw(t(".posted_by", :link_user => (link_to h(diary_entry.user.display_name), user_path(diary_entry.user)), :created => l(diary_entry.created_at, :format => :blog), :language_link => (link_to h(diary_entry.language.name), :controller => "diary_entries", :action => "index", :display_name => nil, :language => diary_entry.language_code))) %>
+      <%= t(".posted_by_html", :link_user => (link_to h(diary_entry.user.display_name), user_path(diary_entry.user)), :created => l(diary_entry.created_at, :format => :blog), :language_link => (link_to diary_entry.language.name, :controller => "diary_entries", :action => "index", :display_name => nil, :language => diary_entry.language_code)) %>
     </small>
 
   </div>
diff --git a/app/views/diary_entries/show.html.erb b/app/views/diary_entries/show.html.erb
index 1cc1e1c53..d8f4cd8f5 100644
--- a/app/views/diary_entries/show.html.erb
+++ b/app/views/diary_entries/show.html.erb
@@ -29,7 +29,7 @@
       <div class="diary-subscribe-buttons"><%= link_to t("javascripts.changesets.show.subscribe"), diary_entry_subscribe_path(:display_name => @entry.user.display_name, :id => @entry.id), :method => :post, :class => :button %></div>
     <% end %>
   <% else %>
-    <h3 id="newcomment"><%= raw t(".login_to_leave_a_comment", :login_link => link_to(t(".login"), :controller => "users", :action => "login", :referer => request.fullpath)) %></h3>
+    <h3 id="newcomment"><%= t(".login_to_leave_a_comment_html", :login_link => link_to(t(".login"), :controller => "users", :action => "login", :referer => request.fullpath)) %></h3>
   <% end %>
 </div>
 
diff --git a/app/views/messages/inbox.html.erb b/app/views/messages/inbox.html.erb
index 40bb8e8a3..c3065f911 100644
--- a/app/views/messages/inbox.html.erb
+++ b/app/views/messages/inbox.html.erb
@@ -24,5 +24,5 @@
     </tbody>
   </table>
 <% else %>
-  <div><%= raw(t(".no_messages_yet", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user)))) %></div>
+  <div><%= t(".no_messages_yet_html", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user))) %></div>
 <% end %>
diff --git a/app/views/messages/new.html.erb b/app/views/messages/new.html.erb
index 2429feb52..2aac33efa 100644
--- a/app/views/messages/new.html.erb
+++ b/app/views/messages/new.html.erb
@@ -1,5 +1,5 @@
 <% content_for :heading do %>
-  <h2><%= raw(t(".send_message_to", :name => link_to(h(@message.recipient.display_name), user_path(@message.recipient)))) %></h2>
+  <h2><%= t(".send_message_to_html", :name => link_to(h(@message.recipient.display_name), user_path(@message.recipient))) %></h2>
 <% end %>
 
 <%= error_messages_for "message" %>
diff --git a/app/views/messages/outbox.html.erb b/app/views/messages/outbox.html.erb
index a06e18838..806f1207a 100644
--- a/app/views/messages/outbox.html.erb
+++ b/app/views/messages/outbox.html.erb
@@ -3,7 +3,7 @@
 <% end %>
 
 <% content_for :heading do %>
-  <h2><%= raw(t(".my_inbox", :inbox_link => link_to(t(".inbox"), inbox_messages_path))) %>/<%= t ".outbox" %></h2>
+  <h2><%= t(".my_inbox_html", :inbox_link => link_to(t(".inbox"), inbox_messages_path)) %>/<%= t ".outbox" %></h2>
 <% end %>
 
 <h4><%= t ".messages", :count => current_user.sent_messages.size %></h4>
@@ -23,5 +23,5 @@
     </tbody>
   </table>
 <% else %>
-  <div class="messages"><%= raw(t(".no_sent_messages", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user)))) %></div>
+  <div class="messages"><%= t(".no_sent_messages_html", :people_mapping_nearby_link => link_to(t(".people_mapping_nearby"), user_path(current_user))) %></div>
 <% end %>
diff --git a/app/views/site/_potlatch2.html.erb b/app/views/site/_potlatch2.html.erb
index 11519c26e..bab612491 100644
--- a/app/views/site/_potlatch2.html.erb
+++ b/app/views/site/_potlatch2.html.erb
@@ -15,5 +15,5 @@
   <% end %>
   <% data[:locale] = Locale.list(Potlatch2::LOCALES.keys).preferred(preferred_languages).to_s -%>
   <% data[:locale_path] = asset_path("potlatch2/locales/#{Potlatch2::LOCALES[data[:locale]]}.swf") -%>
-  <%= content_tag :div, raw(t("site.edit.flash_player_required")), :id => "potlatch", :data => data %>
+  <%= content_tag :div, t("site.edit.flash_player_required_html"), :id => "potlatch", :data => data %>
 </div>
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
index 7e8b45185..011226109 100644
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@@ -183,7 +183,7 @@
   <% if current_user and @user.id == current_user.id %>
     <% if @user.home_lat.nil? or @user.home_lon.nil? %>
       <div id="map" class="content_map">
-        <p id="no_home_location"><%= raw(t(".if set location", :settings_link => (link_to t(".settings_link_text"), :controller => "users", :action => "account", :display_name => current_user.display_name))) %></p>
+        <p id="no_home_location"><%= t(".if_set_location_html", :settings_link => (link_to t(".settings_link_text"), :controller => "users", :action => "account", :display_name => current_user.display_name)) %></p>
       </div>
     <% else %>
       <% content_for :head do %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index b99e068b8..6d1ea92dd 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -373,14 +373,14 @@ en:
       title: "%{user}'s diary | %{title}"
       user_title: "%{user}'s diary"
       leave_a_comment: "Leave a comment"
-      login_to_leave_a_comment: "%{login_link} to leave a comment"
+      login_to_leave_a_comment_html: "%{login_link} to leave a comment"
       login: "Login"
     no_such_entry:
       title: "No such diary entry"
       heading: "No entry with the id: %{id}"
       body: "Sorry, there is no diary entry or comment with the id %{id}. Please check your spelling, or maybe the link you clicked is wrong."
     diary_entry:
-      posted_by: "Posted by %{link_user} on %{created} in %{language_link}"
+      posted_by_html: "Posted by %{link_user} on %{created} in %{language_link}"
       comment_link: Comment on this entry
       reply_link: Reply to this entry
       comment_count:
@@ -393,7 +393,7 @@ en:
       confirm: Confirm
       report: Report this entry
     diary_comment:
-      comment_from: "Comment from %{link_user} on %{comment_created_at}"
+      comment_from_html: "Comment from %{link_user} on %{comment_created_at}"
       hide_link: Hide this comment
       unhide_link: Unhide this comment
       confirm: Confirm
@@ -1273,7 +1273,7 @@ en:
       from: "From"
       subject: "Subject"
       date: "Date"
-      no_messages_yet: "You have no messages yet. Why not get in touch with some of the %{people_mapping_nearby_link}?"
+      no_messages_yet_html: "You have no messages yet. Why not get in touch with some of the %{people_mapping_nearby_link}?"
       people_mapping_nearby: "people mapping nearby"
     message_summary:
       unread_button: "Mark as unread"
@@ -1282,7 +1282,7 @@ en:
       destroy_button: "Delete"
     new:
       title: "Send message"
-      send_message_to: "Send a new message to %{name}"
+      send_message_to_html: "Send a new message to %{name}"
       subject: "Subject"
       body: "Body"
       back_to_inbox: "Back to inbox"
@@ -1295,7 +1295,7 @@ en:
       body: "Sorry there is no message with that id."
     outbox:
       title: "Outbox"
-      my_inbox: "My %{inbox_link}"
+      my_inbox_html: "My %{inbox_link}"
       inbox: "inbox"
       outbox: "outbox"
       messages:
@@ -1304,7 +1304,7 @@ en:
       to: "To"
       subject: "Subject"
       date: "Date"
-      no_sent_messages: "You have no sent messages yet. Why not get in touch with some of the %{people_mapping_nearby_link}?"
+      no_sent_messages_html: "You have no sent messages yet. Why not get in touch with some of the %{people_mapping_nearby_link}?"
       people_mapping_nearby: "people mapping nearby"
     reply:
       wrong_user: "You are logged in as `%{user}' but the message you have asked to reply to was not sent to that user. Please login as the correct user in order to reply."
@@ -1526,7 +1526,7 @@ en:
       anon_edits: "(%{link})"
       anon_edits_link: "https://wiki.openstreetmap.org/wiki/Disabling_anonymous_edits"
       anon_edits_link_text: "Find out why this is the case."
-      flash_player_required: 'You need a Flash player to use Potlatch, the OpenStreetMap Flash editor. You can <a href="https://get.adobe.com/flashplayer/">download Flash Player from Adobe.com</a>. <a href="https://wiki.openstreetmap.org/wiki/Editing">Several other options</a> are also available for editing OpenStreetMap.'
+      flash_player_required_html: 'You need a Flash player to use Potlatch, the OpenStreetMap Flash editor. You can <a href="https://get.adobe.com/flashplayer/">download Flash Player from Adobe.com</a>. <a href="https://wiki.openstreetmap.org/wiki/Editing">Several other options</a> are also available for editing OpenStreetMap.'
       potlatch_unsaved_changes: "You have unsaved changes. (To save in Potlatch, you should deselect the current way or point, if editing in live mode, or click save if you have a save button.)"
       potlatch2_not_configured: "Potlatch 2 has not been configured - please see https://wiki.openstreetmap.org/wiki/The_Rails_Port#Potlatch_2 for more information"
       potlatch2_unsaved_changes: "You have unsaved changes. (To save in Potlatch 2, you should click save.)"
@@ -2142,7 +2142,7 @@ en:
       spam score: "Spam Score:"
       description: Description
       user location: User location
-      if set location: "Set your home location on the %{settings_link} page to see nearby users."
+      if_set_location_html: "Set your home location on the %{settings_link} page to see nearby users."
       settings_link_text: settings
       my friends: My friends
       no friends: You have not added any friends yet.