#32 ✓invalid
Domizio Demichelis

The translation helper is unsafe!

Reported by Domizio Demichelis | November 23rd, 2010 @ 01:33 PM

(ActionView::Helpers::TranslationHelper.translate)

If a translation key has the suffix "_html" or the last element of the key is the word "html", the returned string is marked as safe_html.

That is unsafe because the interpolated variables might be unsafe and the helper is marking them as safe without escaping.

Example:

your_key_html: "<b>This is a</b> %{unsafe} output because it is %{something} against the %{rails} policy"

When you use it in possibly many places in the application you have to remember that you must manually escape all the variables every time you use it, because the helper will mark the translated string as safe, regardless of what is contained (the html_safe? status) in the interpolated variables.

If you use the translation of the example in 10 places, you will have to remember to escape 30 variables, and that is not only silly but is a main source of problems. Besides, it is especially bad because it works against the new Rails policy, which allows you to forget about security and just have everything escaped automatically. IMHO that is a major breach of security.

Every helper that produces html MUST escape the (potentially unsafe) input, add its own html (which is obviously safe) and mark its output as safe. That way the input that contains html marked as safe will not be escaped (because h(variable) escapes only what is not marked as safe).

We need to keep the html suffix as a convention to mark the base translation string as safe BUT the interpolated variables MUST be escaped, AND the output must be always marked as safe. In case the base translation string is not marked as safe (not "html" suffixed) it must be escaped as well, AND the output must be marked as safe.

In conclusion, the helper must always return a safe_html string, escaping the base translation string when its key is not suffixed with "html", and must escape all the interpolated variables.

If you agree with the principle, I could write a patch for that. Please, let me know. Thank you.
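The behaviour this ticket describes, next to the fix it proposes, as an added Ruby example that is not part of the ticket or of Rails. `SafeString`, `escape_unless_safe`, `TRANSLATIONS`, `interpolate`, `translate_unsafe` and `translate_safe` are constructed stand-ins for ActiveSupport's SafeBuffer, the `h` helper, a locale file and the translation helper; `ERB::Util.html_escape` from Ruby's standard library does the escaping.

```ruby
require 'erb'

# Constructed stand-in for Rails' html_safe marking (not ActiveSupport's real
# SafeBuffer): instances are trusted markup, every other String is untrusted.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end
end

# Stand-in for h(variable): escape unless the value is already marked safe.
def escape_unless_safe(value)
  value = value.to_s unless value.is_a?(String) # keep SafeString instances intact
  value.html_safe? ? value : ERB::Util.html_escape(value)
end

# Constructed translation table standing in for a Rails locale file.
TRANSLATIONS = {
  'greeting_html' => '<b>Hello</b>, %{name}!',
  'greeting'      => 'Hello, %{name}!'
}.freeze

# Replace %{key} placeholders with the matching value.
def interpolate(template, values)
  template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym) }
end

# Behaviour the ticket reports: an _html key marks the whole result safe,
# interpolated variables included, without escaping any of them.
def translate_unsafe(key, values)
  result = interpolate(TRANSLATIONS.fetch(key), values.transform_values(&:to_s))
  key.end_with?('_html') ? SafeString.new(result) : result
end

# Fix the ticket proposes: the base string is trusted only for _html keys,
# every interpolated variable is escaped unless it is itself marked safe,
# and the result is always marked safe.
def translate_safe(key, values)
  base = TRANSLATIONS.fetch(key)
  base = ERB::Util.html_escape(base) unless key.end_with?('_html')
  escaped = values.transform_values { |v| escape_unless_safe(v) }
  SafeString.new(interpolate(base, escaped))
end

if __FILE__ == $PROGRAM_NAME
  payload = '<script>x</script>'
  puts translate_unsafe('greeting_html', name: payload) # script tag survives, marked safe
  puts translate_safe('greeting_html', name: payload)   # script tag escaped, marked safe
  puts translate_safe('greeting_html', name: SafeString.new('<i>x</i>')) # trusted markup kept
end
```

With the unsafe variant the caller must remember to escape `name` at every call site; with the safe variant a plain String is always escaped and only a value explicitly marked safe passes through, which is the contract the ticket asks for.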



Repository for collecting Locale data for Ruby on Rails I18n as well as other interesting, Rails related I18n stuff
