FIX: Mark invites flash messages as HTML safe. (#15539)

* FIX: Mark invites flash messages as HTML safe.
This change should be safe as all user inputs included in the errors are sanitized before sending them back to the client.

Context: https://meta.discourse.org/t/html-tags-are-explicit-after-latest-update/214220

* If somebody adds a new error message that includes user input and doesn't sanitize it, using html-safe suddenly becomes unsafe again. As an extra layer of protection, we make the client sanitize the error message received from the backend.

* Escape user input instead of sanitizing
Roman Rizzi
2022-01-18 09:38:31 -03:00
committed by GitHub
parent 7329b766cb
commit 5ee31cbf7d
6 changed files with 44 additions and 23 deletions


@ -5,7 +5,7 @@ class EmailValidator < ActiveModel::EachValidator
def validate_each(record, attribute, value)
unless value =~ EmailValidator.email_regex
if Invite === record && attribute == :email
record.errors.add(:base, I18n.t(:'invite.invalid_email', email: value))
record.errors.add(:base, I18n.t(:'invite.invalid_email', email: CGI.escapeHTML(value)))
else
record.errors.add(attribute, I18n.t(:'user.email.invalid'))
end
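Review bot: the new `CGI.escapeHTML(value)` call in the Invite branch is not nil-safe, whereas the `unless value =~ EmailValidator.email_regex` guard above it is: a nil email falls through the `unless` (nil does not match the regex) and `CGI.escapeHTML(nil)` then raises TypeError instead of producing the validation error that `I18n.t(:'invite.invalid_email', email: value)` used to produce. Consider `CGI.escapeHTML(value.to_s)` so blank input still yields the error message. Also worth a one-line comment here: the escaping only makes sense because the client marks this flash message as HTML-safe (per the commit message); any consumer that renders the error as plain text will now see literal `&lt;`/`&gt;` entities, and a future maintainer removing the escape would reopen the injection the commit is closing.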