#32 The translation helper is unsafe! - Rails I18n

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

#32 ✓invalid

The translation helper is unsafe!

Reported by Domizio Demichelis | November 23rd, 2010 @ 01:33 PM

(ActionView::Helpers::TranslationHelper.translate)

If a translation key has the suffix "_html or the last element of the key is the word "html" the returned string is marked as safe_html.

That is unsafe because the interpolated variables might be unsafe an the helper is marking them as safe without escaping.

Example:

your_key_html: "<b>This is a</b> %{unsafe}  output because it is %{something} against the %{rails} policy"

When you use it in possible many place in the application you have to remember that you must manually escape all the variables all the time you use it, that's because the helper will mark the translated string as safe, regardless to what is contained (the html_safe? status) in the interpolated variables.

If you use the translation of the example in 10 places, you will have to remember to escape 30 variables, and that is not only silly but is a main source of problems. Besides it is specially bad because it works against the new rails policy, that allows you to forget about security and just have everything escaped automatically. IMHO that is a mayor breach of security.

Every helper that produce html MUST escape the (potentially unsafe) input, adding its own html (which is obviously safe) and mark its output as safe. That way the input that contains html marked as safe will not be escaped (because the h(variable) mark for escape only what is not marked as safe).

We need to keep the html suffix as a convention to mark the base translation string as safe BUT the interpolated variables MUST be escaped, AND the output must be always marked as safe. In case the base translation string is not marked as safe (not "html" suffixed) it must be escaped as well, AND the output must be marked as safe.

In conclusion the helper must always return a safe_html string, escaping the base translation string when its key is not suffixed with "html" and must escape all the interpolated variable.

If you agree with the principle, I could write a patch for that. Please, let me know. Thank you.

Comments and changes to this ticket

Sven Fuchs December 26th, 2010 @ 05:58 PM
- State changed from “new” to “invalid”
Hi ddnexus,

your approach sounds good to me. I think this lighthouse is the wrong place to report though because the translation helper is part of Rails.

Could you reopen the ticket over at Rails' lighthouse and provide a patch?

Thanks a lot! :)

https://rails.lighthouseapp.com/

Will close the ticket here.

murphy (at rubychan) November 4th, 2011 @ 12:07 PM

Hi ddnexus and Sven!

Apparently, the issue never got fixed in Rails 2.3 or later.

I couldn't find any corresponding ticket in the Rails project, so I will create a new one.

In any case, here's a simple patch for 2.3:

# abandoned ticket from 2010-11-23: http://i18n.lighthouseapp.com/projects/14948/tickets/32-the-translation-helper-is-unsafe
module ActionView::Helpers::TranslationHelper
  def translate_with_html_safe_options(keys, options = {})
    if !options.empty? && keys =~ /(\b|_|\.)html$/
      options = {}.tap do |html_safe_options|
        for name, value in options
          html_safe_options[name] = h(value)
        end
      end
    end
    
    translate_without_html_safe_options keys, options
  end
  alias t_with_html_safe_options translate_with_html_safe_options
  
  alias_method_chain :translate, :html_safe_options
  alias_method_chain :t,         :html_safe_options
end

You flagged this item as spam.
Nexplas35 May 16th, 2019 @ 08:27 AM
This HTML translation helper is not safe to use. so must be aware of it and try to avoid its much as possible. Get the uk best essays which is more useful for the all level of university students. Thank you for letting us aware about this fact that will keep my device safe and sound.
You flagged this item as spam.
Linda34 May 23rd, 2019 @ 12:33 PM
if you are looking for best guitar then check out guitar guru
You flagged this item as spam.
roger lagasca October 1st, 2019 @ 11:17 PM
I thought it was going to be some boring old post, but it really compensated for my time. I will post a link to this page on my blog. I am sure my visitors will find that very useful. facebook
You flagged this item as spam.
Will Sam October 5th, 2019 @ 02:15 PM
Thanks for raising a ticket. I have tried the same i got the same error. Looking forward to fix this soon. Menwhile try the following links to get fixed.

deals saving offers promos discounts sale
You flagged this item as spam.
Clark October 28th, 2019 @ 05:55 PM
Thank you for sharing this information. x`
You flagged this item as spam.
Jamie anderson February 28th, 2020 @ 12:42 PM
Really good and important. You've really helped many people reading the blog and supplying them with useful information.

business intelligence assignment help
business intelligence assignment help
You flagged this item as spam.
Mike Symonds February 29th, 2020 @ 09:09 AM
This article is great as well as inspiring. I'm pretty pleased with your fantastic work. You put information that's really very helpful. Keep up. Keep on blogging. Expecting to read your next post. Here we have information about it management assignment help

it management assignment help
You flagged this item as spam.
Austin Taylor March 16th, 2020 @ 08:31 AM
It was a piece of nice information shared by the author. Please share some more articles.

expository essays help online

help in mba assignment by experts
You flagged this item as spam.
ISOPro9001 May 20th, 2020 @ 11:53 AM
Really appreciate this wonderful post that you have provided for us.
I assure this would be beneficial for most of the people.
I'm going to highly recommend this web site!

ISO 9001 Certification in Saudi Arabia

« Previous 1 2 3 4 5 6 7 Next »

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.