From c4abe8eb2826d39f98e898f48659df336438f802 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Wed, 22 Jul 2020 20:57:16 +0100
Subject: [PATCH] Fix the CrossSiteScripting warnings from Brakeman

---
 app/views/users/_terms.html.erb | 36 ++++++++++++++++-----------------
 config/brakeman.yml             |  1 -
 lib/osm.rb                      |  2 +-
 3 files changed, 19 insertions(+), 20 deletions(-)

diff --git a/app/views/users/_terms.html.erb b/app/views/users/_terms.html.erb
index f01b3bfb7..6a70a88f1 100644
--- a/app/views/users/_terms.html.erb
+++ b/app/views/users/_terms.html.erb
@@ -1,45 +1,45 @@
 <p id="first">
-  <%= raw @text["intro"] %>
-  <%= raw @text["next_with_decline"] %>
+  <%= @text["intro"] %>
+  <%= @text["next_with_decline"] %>
 </p>
-<h3><%= raw @text["introduction"] %></h3>
+<h3><%= @text["introduction"] %></h3>
 <ol>
   <li>
-    <p><%= raw @text["section_1"] %></p>
+    <p><%= @text["section_1"] %></p>
     <% unless @text['section_1a'].nil? %>
     <ol>
-      <li><%= raw @text["section_1a"] %></li>
-      <li><%= raw @text["section_1b"] %></li>
+      <li><%= @text["section_1a"] %></li>
+      <li><%= @text["section_1b"] %></li>
     </ol>
     <% end %>
   </li>
 </ol>
-<h3><%= raw @text["rights_granted"] %></h3>
+<h3><%= @text["rights_granted"] %></h3>
 <ol start="2">
   <li>
-    <p><%= raw @text["section_2"] %></p>
+    <p><%= @text["section_2"] %></p>
   </li>
   <li>
-    <p><%= raw @text["section_3"] %></p>
-    <p><%= raw @text["active_defn_1"] %></p>
-    <p><%= raw @text["active_defn_2"] %></p>
+    <p><%= @text["section_3"] %></p>
+    <p><%= @text["active_defn_1"] %></p>
+    <p><%= @text["active_defn_2"] %></p>
     </ul>
   </li>
   <li>
-    <p><%= raw @text["section_4"] %></p>
+    <p><%= @text["section_4"] %></p>
   </li>
   <li>
-    <p><%= raw @text["section_5"] %></p>
+    <p><%= @text["section_5"] %></p>
   </li>
 </ol>
-<h3><%= raw @text["limitation_of_liability"] %></h3>
+<h3><%= @text["limitation_of_liability"] %></h3>
 <ol start="6">
-  <li><p><%= raw @text["section_6"] %></p></li>
-  <li><p><%= raw @text["section_7"] %></p></li>
+  <li><p><%= @text["section_6"] %></p></li>
+  <li><p><%= @text["section_7"] %></p></li>
 </ol>
-<h3><%= raw @text["miscellaneous"] %></h3>
+<h3><%= @text["miscellaneous"] %></h3>
 <ol start="8">
   <li>
-    <p id="last"><%= raw @text["section_8"] %></p>
+    <p id="last"><%= @text["section_8"] %></p>
   </li>
 </ol>
diff --git a/config/brakeman.yml b/config/brakeman.yml
index f8fab871e..3551b75e4 100644
--- a/config/brakeman.yml
+++ b/config/brakeman.yml
@@ -1,6 +1,5 @@
 :skip_checks:
 # These checks are skipped, but should be considered TODO
-- CheckCrossSiteScripting
 - CheckExecute
 - CheckFileAccess
 - CheckRedirect
diff --git a/lib/osm.rb b/lib/osm.rb
index 3e4b5dcee..1d3700cd9 100644
--- a/lib/osm.rb
+++ b/lib/osm.rb
@@ -560,7 +560,7 @@ module OSM
   def self.legal_text_for_country(country_code)
     file_name = Rails.root.join("config", "legales", country_code.to_s + ".yml")
     file_name = Rails.root.join("config", "legales", Settings.default_legale + ".yml") unless File.exist? file_name
-    YAML.load_file(file_name)
+    YAML.load_file(file_name).transform_values!(&:html_safe)
   end
 
   # Return the HTTP client to use
-- 
2.43.2