    Merge pull request from GHSA-cfjv-5498-mph5 · 732ea162
    George Claghorn authored
    
    
    Prior to this commit, when a translation key indicated that the
    translation text was HTML, the value returned by `I18n.translate` would
    always be marked as `html_safe`.  However, the value returned by
    `I18n.translate` could be an untrusted value directly from
    `options[:default]`.
    
    This commit ensures values directly from `options[:default]` are not
    marked as `html_safe`.
    
    Co-authored-by: Jonathan Hefner <jonathan@hefner.pro>
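
A simplified model of the behaviour the commit message describes, added here as an illustration; it is not the Rails code or the patch itself. `SafeString`, `TRANSLATIONS`, `html_key?`, `translate_before`, `translate_after`, `render` and the sample strings are hypothetical stand-ins for `html_safe`, the I18n backend and the view layer, and the `_html` suffix check is a simplification of the real key rule.

```ruby
require "erb"

# Hypothetical stand-in for a string flagged html_safe (not ActiveSupport::SafeBuffer).
class SafeString < String; end

# Constructed translation store; keys ending in "_html" hold trusted markup.
TRANSLATIONS = { "welcome_html" => "<b>Welcome</b>" }.freeze

# Simplified rule for "this key indicates HTML translation text".
def html_key?(key)
  key.end_with?("_html")
end

# Behaviour before the fix: whatever comes back for an HTML key is flagged
# safe, including a value that came straight from the caller's default.
def translate_before(key, default: nil)
  value = TRANSLATIONS.fetch(key, default)
  html_key?(key) && value ? SafeString.new(value) : value
end

# Behaviour after the fix: only text found in the translation store is
# flagged safe; a value taken from `default` stays an ordinary String.
def translate_after(key, default: nil)
  return default unless TRANSLATIONS.key?(key)

  value = TRANSLATIONS[key]
  html_key?(key) ? SafeString.new(value) : value
end

# Template output step: escape anything that is not flagged safe.
def render(value)
  value.is_a?(SafeString) ? String.new(value) : ERB::Util.html_escape(value.to_s)
end

# Constructed untrusted input, e.g. a request parameter passed as the default.
UNTRUSTED = "<script>alert(1)</script>"

if __FILE__ == $PROGRAM_NAME
  puts "before: #{render(translate_before('missing_html', default: UNTRUSTED))}"
  puts "after:  #{render(translate_after('missing_html', default: UNTRUSTED))}"
  puts "stored: #{render(translate_after('welcome_html'))}"
end
```

In application code, the check that follows from this is to audit calls that pass request-derived data as `default:` to a translation key that indicates HTML.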