-rw-r--r--config/initializers/gettext_i18n_rails.rb3
-rw-r--r--lib/i18n_fixes.rb6
2 files changed, 8 insertions, 1 deletions
diff --git a/config/initializers/gettext_i18n_rails.rb b/config/initializers/gettext_i18n_rails.rb
new file mode 100644
index 000000000..ef306682b
--- /dev/null
+++ b/config/initializers/gettext_i18n_rails.rb
@@ -0,0 +1,3 @@
+# FIXME: Audit the translations for XSS opportunities. Ultimately it would be
+# good to get rid of this and explicitly mark strings as html_safe
+GettextI18nRails.translations_are_html_safe = true
diff --git a/lib/i18n_fixes.rb b/lib/i18n_fixes.rb
index 6e684d44a..bb339fc55 100644
--- a/lib/i18n_fixes.rb
+++ b/lib/i18n_fixes.rb
@@ -6,8 +6,12 @@
# so that we can interpolate our translation strings nicely
def _(key, options = {})
+ # HACK: We should be going via GettextI18nRails instead of FastGettext below
+ # so that #translations_are_html_safe is respected but calling it directly
+ # doesn't work for me. I'm just marking the resulting string as html_safe.
+ # This whole hacky file should be removed
translation = FastGettext._(key) || key
- gettext_interpolate(translation, options)
+ gettext_interpolate(translation, options).html_safe
end
INTERPOLATION_RESERVED_KEYS = %w(scope default)
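Review bot: The `.html_safe` added on the `gettext_interpolate(translation, options).html_safe` line marks the whole interpolated result as safe, so every value passed in `options` is rendered unescaped as well, not only the catalog string; any interpolation value derived from request or user data would reach the page without HTML escaping. The initializer in config/initializers/gettext_i18n_rails.rb (`translations_are_html_safe = true`) has the same effect for lookups that do go through GettextI18nRails, but that path at least does not interpolate caller values here, so the concrete fix belongs in `_`. Escaping each option value before interpolation, leaving values that are already `html_safe?` untouched, keeps the translations trusted while making the interpolation safe by default; whether the reserved keys in `INTERPOLATION_RESERVED_KEYS` (`scope`, `default`) should be exempted depends on how `gettext_interpolate` treats them, which is not visible here. The hunk header counts suggest two trailing context lines after `INTERPOLATION_RESERVED_KEYS` are not shown, presumably blank.
```ruby
def _(key, options = {})
  # … unchanged: HACK comment …
  translation = FastGettext._(key) || key
  # Escape caller-supplied interpolation values before the result is marked
  # html_safe, so a value built from user input cannot inject markup;
  # values that are already html_safe pass through unchanged.
  escaped = options.each_with_object({}) do |(name, value), acc|
    acc[name] = value.respond_to?(:html_safe?) && value.html_safe? ? value : ERB::Util.html_escape(value)
  end
  gettext_interpolate(translation, escaped).html_safe
end
```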