
Rails/OutputSafety for i18n HTML strings #501

Closed
schmijos opened this issue May 31, 2021 · 0 comments · Fixed by #976
Labels
bug Something isn't working

Comments

@schmijos

I've got a helper method:

# Builds the "accept the terms of service" sentence from an i18n template whose
# key ends in _html, interpolating a framework-generated link_to into it.
def link_to_terms_of_service
  I18n.t('booking.general.terms_of_service_html',
         terms: link_to(t('activerecord.attributes.time_slot_booking.accepted_terms'),
                        terms_of_service_path,
                        target: '_blank', rel: 'noopener')).html_safe
end

It's being used to generate HTML looking like this:
[screenshot of the rendered terms-of-service link omitted]

Expected

I would expect that this works flawlessly, because Rails uses the convention to treat i18n keys ending with _html as safe.

Actual

But actually RuboCop complains:

app/helpers/user_helper.rb:26:63: C: Rails/OutputSafety: Tagging a string as html safe may be a security risk.
                          target: '_blank', rel: 'noopener')).html_safe
                                                              ^^^^^^^^^

Workaround

In the past we used sanitize to work around this problem, but that's not the right measure in my eyes. All generated HTML code in this example is framework-owned. Why should I not be able to mark it as safe?

RuboCop version

$ [bundle exec] rubocop -V
1.15.0 (using Parser 3.0.1.1, rubocop-ast 1.7.0, running on ruby 2.7.1 x86_64-darwin17)
  - rubocop-performance 1.11.3
  - rubocop-rails 2.10.1
  - rubocop-rspec 2.3.0
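The behaviour behind this report, as an added example (not the project's code and not Rails itself): Rails' `_html` convention is implemented in the ActionView `t`/`translate` helper, which escapes every interpolated value that is not already html-safe and returns the result marked safe; `I18n.t` is the plain backend call and returns an ordinary String, which is why the helper above needs `.html_safe`. The stand-ins below (`HtmlSafeString`, `i18n_t`, `view_t`, `link_to`, the `TRANSLATIONS` hash) are hypothetical models of that behaviour, and the translation strings are constructed. The second function shows the case the cop exists to catch: if an interpolated value is ever user-controlled, `I18n.t(...).html_safe` ships it unescaped, while the view helper escapes it.

```ruby
require 'cgi'

# Hypothetical stand-in for ActiveSupport::SafeBuffer: the only way a value
# reaches the output unescaped is by being wrapped in this class.
class HtmlSafeString < String
end

def html_safe?(value)
  value.is_a?(HtmlSafeString)
end

# Constructed translation table standing in for config/locales/*.yml.
TRANSLATIONS = {
  'booking.general.terms_of_service_html' => 'I accept the %{terms}.',
  'activerecord.attributes.time_slot_booking.accepted_terms' => 'terms of service'
}.freeze

# Models I18n.t: looks the key up and substitutes %{name} placeholders verbatim.
# No escaping and no safe marking; the caller gets a plain String.
def i18n_t(translations, key, **values)
  template = translations.fetch(key)
  template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym).to_s }
end

# Models the ActionView `t` helper's _html convention: for keys ending in _html,
# each interpolated value that is not already html-safe is escaped, and the
# result is returned marked safe, so the view needs no html_safe call at all.
def view_t(translations, key, **values)
  return i18n_t(translations, key, **values) unless key.end_with?('_html')

  escaped = values.transform_values do |v|
    html_safe?(v) ? v : CGI.escapeHTML(v.to_s)
  end
  HtmlSafeString.new(i18n_t(translations, key, **escaped))
end

# Stand-in for link_to: framework-generated markup with an escaped label and
# href, returned html-safe as Rails' link_to does.
def link_to(label, href)
  HtmlSafeString.new(
    %(<a href="#{CGI.escapeHTML(href)}" target="_blank" rel="noopener">#{CGI.escapeHTML(label)}</a>)
  )
end

# The issue's scenario: every interpolated value is framework-owned markup, so the
# view helper passes the link through untouched and marks the sentence safe.
def framework_owned_example
  label = i18n_t(TRANSLATIONS, 'activerecord.attributes.time_slot_booking.accepted_terms')
  view_t(TRANSLATIONS, 'booking.general.terms_of_service_html', terms: link_to(label, '/terms'))
end

# The case Rails/OutputSafety guards against: the same template with a value
# that did not come from the framework. The helper escapes it; the I18n.t +
# html_safe pattern renders it as markup.
def untrusted_interpolation_example(untrusted)
  {
    via_view_helper: view_t(TRANSLATIONS, 'booking.general.terms_of_service_html', terms: untrusted),
    via_i18n_then_html_safe: HtmlSafeString.new(
      i18n_t(TRANSLATIONS, 'booking.general.terms_of_service_html', terms: untrusted)
    )
  }
end

if __FILE__ == $PROGRAM_NAME
  puts framework_owned_example
  untrusted_interpolation_example('<b>injected</b>').each { |k, v| puts "#{k}: #{v}" }
end
```

The practical takeaway is the one the cop is nudging towards: when every interpolation is itself html-safe (as `link_to` output is), calling the view helper `t` instead of `I18n.t` yields the same HTML with no `.html_safe` in application code, so the reviewer never has to audit whether an interpolated value could be attacker-controlled.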
@koic koic added the bug Something isn't working label Apr 4, 2023
koic added a commit to koic/rubocop-rails that referenced this issue Apr 4, 2023
Fixes rubocop#501.

This PR fixes a false positive for `Rails/OutputSafety`
when using `html_safe` for `I18n` methods.
@koic koic closed this as completed in #976 Apr 6, 2023
koic added a commit that referenced this issue Apr 6, 2023
…ut_safety

[Fix #501] Fix a false positive for `Rails/OutputSafety`