author | Henare Degan <henare.degan@gmail.com> | 2012-12-10 15:50:50 +1100 |
committer | Henare Degan <henare.degan@gmail.com> | 2012-12-11 11:09:39 +1100 |
commit | 9d0295f1ebb1b8019c59ee48f86668a0e55b39ec (patch) | |
tree | fd1fd4085c1a555f8b826291bad0a9833146ebd4 | |
parent | b2f28a42f65c473bbf50bb98c2492518e87c10c4 (diff) |
Mark translations as html_safe
-rw-r--r-- | config/initializers/gettext_i18n_rails.rb | 3 | ||||
-rw-r--r-- | lib/i18n_fixes.rb | 6 |
2 files changed, 8 insertions, 1 deletions
diff --git a/config/initializers/gettext_i18n_rails.rb b/config/initializers/gettext_i18n_rails.rb
new file mode 100644
index 000000000..ef306682b
--- /dev/null
+++ b/config/initializers/gettext_i18n_rails.rb
@@ -0,0 +1,3 @@
+# FIXME: Audit the translations for XSS opportunities. Ultimately it would be
+# good to get rid of this and explicitly mark strings as html_safe
+GettextI18nRails.translations_are_html_safe = true
diff --git a/lib/i18n_fixes.rb b/lib/i18n_fixes.rb
index 6e684d44a..bb339fc55 100644
--- a/lib/i18n_fixes.rb
+++ b/lib/i18n_fixes.rb
@@ -6,8 +6,12 @@
 # so that we can interpolate our translation strings nicely
 def _(key, options = {})
+  # HACK: We should be going via GettextI18nRails instead of FastGettext below
+  # so that #translations_are_html_safe is respected but calling it directly
+  # doesn't work for me. I'm just marking the resulting string as html_safe.
+  # This whole hacky file should be removed
   translation = FastGettext._(key) || key
-  gettext_interpolate(translation, options)
+  gettext_interpolate(translation, options).html_safe
 end
 INTERPOLATION_RESERVED_KEYS = %w(scope default) |
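Review bot: `GettextI18nRails.translations_are_html_safe = true` makes every catalogue string trusted HTML, so the FIXME above it should say who is now inside the trust boundary and what the audit must cover, not just that an audit is needed. Anyone who can edit the .po/.mo files (translators, a translation service) can inject markup into every page, and an audit of the literal strings alone misses values interpolated into them at runtime. Suggest widening the comment to `# FIXME: translations_are_html_safe trusts every catalogue string as raw HTML, so translators are now in the XSS trust boundary. Audit the .po files and everything interpolated into them before shipping; prefer marking individual strings html_safe.` Whether this setting is even honoured by the app's own `_` override in lib/i18n_fixes.rb is not clear from this hunk; the other hunk's comment suggests it is not.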
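Review bot: `gettext_interpolate(translation, options).html_safe` marks the result safe after caller-supplied values have already been merged into the string, so any non-html_safe value in `options` (a user name, a title, anything taken from params) is emitted unescaped — an XSS path that the commit's FIXME about auditing the catalogue does not cover. Escape the values before interpolating so only the translation template is trusted: `values = Hash[options.map { |k, v| [k, ERB::Util.html_escape(v)] }]` followed by `gettext_interpolate(translation, values).html_safe`; ActiveSupport's `html_escape` leaves already-html_safe input untouched, so callers that pass `raw` markup keep working. `INTERPOLATION_RESERVED_KEYS` just below suggests `gettext_interpolate` (defined outside this hunk) treats `scope`/`default` specially, so confirm escaping those keys is harmless or skip them. A one-line comment on the new line, e.g. `# template is trusted HTML; interpolated values are escaped above`, would make the intent explicit for the next reader.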