[openstreetmap/openstreetmap-website] Avoid using `raw` with translation strings (#2494)

Andy Allan notifications at github.com
Sun Jan 5 11:19:47 UTC 2020


We use `raw` extensively with translation strings, mainly so that the end result can contain links. This is mostly fine, but sometimes risks a security problem, when any part of the string might have come from user input (e.g. display names) and therefore needs careful handling.

A generally safer way to do this is to use translation keys ending in 'html'. This tells Rails that we want to avoid escaping the HTML, while at the same time allowing Rails to still manage potentially unsafe text, like display names, and escape those properly automatically.

This PR refactors most places where we have previously used `raw`. (`raw` is still used in the notifications, in the terms page, and for pagination links.)

@translatewiki This PR contains many translation key renames. Is it helpful for me to list them here for you, or is that not worth doing?
You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/2494

-- Commit Summary --

  * Use _html suffix to avoid using raw when displaying translated strings
  * Use _html suffix to avoid using raw when displaying translated strings
  * Use _html suffix to avoid using raw when displaying translated strings
  * Use _html suffix to avoid using raw when displaying translated strings
  * Use _html suffix to avoid using raw when displaying translated strings
  * Use ActionView's safe_join to avoid using raw when joining arrays of text

-- File Changes --

    M app/views/browse/_containing_relation.html.erb (4)
    M app/views/browse/_relation_member.html.erb (4)
    M app/views/browse/_way.html.erb (2)
    M app/views/browse/feature.html.erb (2)
    M app/views/browse/history.html.erb (2)
    M app/views/diary_entries/_diary_comment.html.erb (2)
    M app/views/diary_entries/_diary_entry.html.erb (2)
    M app/views/diary_entries/show.html.erb (2)
    M app/views/geocoder/search.html.erb (2)
    M app/views/messages/inbox.html.erb (2)
    M app/views/messages/new.html.erb (2)
    M app/views/messages/outbox.html.erb (4)
    M app/views/oauth/authorize.html.erb (2)
    M app/views/oauth/authorize_success.html.erb (2)
    M app/views/oauth_clients/index.html.erb (2)
    M app/views/site/_potlatch.html.erb (2)
    M app/views/site/_potlatch2.html.erb (2)
    M app/views/site/about.html.erb (2)
    M app/views/site/copyright.html.erb (26)
    M app/views/site/edit.html.erb (4)
    M app/views/site/export.html.erb (2)
    M app/views/traces/_trace.html.erb (2)
    M app/views/traces/show.html.erb (2)
    M app/views/user_blocks/blocks_by.html.erb (2)
    M app/views/user_blocks/blocks_on.html.erb (2)
    M app/views/user_blocks/edit.html.erb (6)
    M app/views/user_blocks/new.html.erb (6)
    M app/views/user_blocks/revoke.html.erb (10)
    M app/views/user_blocks/show.html.erb (10)
    M app/views/users/_user.html.erb (14)
    M app/views/users/account.html.erb (2)
    M app/views/users/blocked.html.erb (2)
    M app/views/users/login.html.erb (2)
    M app/views/users/new.html.erb (6)
    M app/views/users/show.html.erb (2)
    M app/views/users/suspended.html.erb (2)
    M app/views/users/terms.html.erb (6)
    M config/locales/en.yml (99)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/2494.patch
https://github.com/openstreetmap/openstreetmap-website/pull/2494.diff
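To show why the `_html` key convention and `safe_join` are safer than `raw`, here is an added, stand-alone Ruby model of the mechanism. It is not code from the PR or from Rails: `SafeString`, `h`, `raw`, `t` and `safe_join` are simplified stand-ins for ActiveSupport's html_safe marking, ERB output escaping, the i18n `t` helper and ActionView's `safe_join`, and the locale entries and the display name `<i>mallory</i>` are constructed for the example.

```ruby
require "cgi"
# Stand-in for Rails' html_safe marking (a model for this example, not ActiveSupport::SafeBuffer).
class SafeString < String
  def html_safe?
    true
  end
end

# Escape unless already marked safe; this is what ERB's <%= %> does on output.
def h(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  SafeString.new(CGI.escapeHTML(value.to_s))
end
# Model of `raw`: trusts the whole string, including any user-supplied part of it.
def raw(str)
  SafeString.new(str.to_s)
end

# Constructed locale entries (the `_html` key carries markup on purpose) and a
# constructed display name that contains markup.
TRANSLATIONS = {
  "user.blocked"      => "%{name} has been <strong>blocked</strong> by %{blocker}",
  "user.blocked_html" => "%{name} has been <strong>blocked</strong> by %{blocker}"
}.freeze
NAME = "<i>mallory</i>".freeze

# Model of the i18n `t` helper: a key ending in `_html` yields a safe string, but
# every interpolated value is escaped first unless it is itself marked safe.
def t(key, **values)
  html_key = key.end_with?("_html")
  values = values.transform_values { |v| h(v) } if html_key
  out = TRANSLATIONS.fetch(key).gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym) }
  html_key ? SafeString.new(out) : out
end
# Model of ActionView's safe_join: escapes each piece and the separator, then marks the result safe.
def safe_join(items, sep = "")
  SafeString.new(items.map { |i| h(i) }.join(h(sep)))
end

# Final markup for the three ways of emitting the block notice.
def render_notice(style)
  args = { name: NAME, blocker: "admin" }
  case style
  when :raw      then h(raw(t("user.blocked", **args))).to_s # markup in NAME survives
  when :html_key then h(t("user.blocked_html", **args)).to_s # NAME escaped, <strong> kept
  when :plain    then h(t("user.blocked", **args)).to_s      # everything escaped, <strong> too
  end
end
def joined_names
  h(safe_join([NAME, raw('<a href="/user/admin">admin</a>')], ", ")).to_s
end
```

Running `render_notice(:raw)` shows the display name's markup reaching the browser untouched, while `render_notice(:html_key)` keeps the translation's `<strong>` and escapes only the interpolated name.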
