fixed a security breach of ActionView::Helpers::TranslationHelper.tra…

…nslate [#856] - see http://i18n.lighthouseapp.com/projects/14948-rails-i18n/tickets/32-the-translation-helper-is-unsafe - improved output: now it escapes the variables and the output is html_safe
tslocke · Nov 23, 2010 · cb5297a · cb5297a
1 parent 3118d91
commit cb5297a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 6 deletions.
diff --git a/hobo/lib/hobo/extensions/action_view/translation_helper.rb b/hobo/lib/hobo/extensions/action_view/translation_helper.rb
@@ -1,12 +1,15 @@
 ActionView::Helpers::TranslationHelper.module_eval do
 
-  # we need to remove the <span> tag because it will mess up
-  # the dryml tags when ht is used in some place
-  # we redefine the method since we cannot catch the rescued exception
-  # although the only difference is the rescue block
+  # Improved security escaping interpolated variables
+  # Improved management: when it returns a string it is always html_safe
+  # It assumes the base translation string is html_safe
+  # It removes the <span> tag when the key is missing, because it would mess up
+  # the dryml tags when ht or t is used in some place
+
   def translate(key, options = {})
+    options.each_pair { |k,v| options[k] = h(v) }
     translation = I18n.translate(scope_key_by_partial(key), options.merge!(:raise => true))
-    if html_safe_translation_key?(key) && translation.respond_to?(:html_safe)
+    if translation.respond_to?(:html_safe)
       translation.html_safe
     else
       translation

diff --git a/hobo/lib/hobo/rapid/taglibs/rapid_navigation.dryml b/hobo/lib/hobo/rapid/taglibs/rapid_navigation.dryml
@@ -89,7 +89,7 @@ This is a simple tag - just look at the source if you need to know more detail.
     <ul class="navigation account-nav" param>
       <li if="&Rails.env.development?" param="dev-user-changer"><dev-user-changer/></li>
       <if test="&logged_in?">
-        <li class='nav-item' param="logged-in-as"><a to="&current_user"><t key="hobo.actions.logged_in_as_html" name="&name">Logged in as <name/></t></a></li>
+        <li class='nav-item' param="logged-in-as"><a to="&current_user"><t key="hobo.actions.logged_in_as" name="&name">Logged in as <name/></t></a></li>
         <li class='nav-item' param="account"><a action="account"><t key="hobo.actions.account">Account</t></a></li>
         <li class='nav-item' param="log-out"><a href="&logout_url"><t key="hobo.actions.logout">Log out</t></a></li>
       </if>