This project is archived and is in readonly mode.
Translations with interpolated strings (not html_safe)
Reported by Marcel Jackwerth | January 27th, 2010 @ 10:06 AM
In #3401 (and commit http://github.com/rails/rails/commit/2675e4ef83b2a0fb38f01140d65fbd...) the translate helper is assumed to return a html_safe string. But now the following code will result in an XSS vulnerability:

<%= t(:greeting, :name => @user.name) %>
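An added example (not part of the ticket or of Rails itself) that contrasts the behaviour the report describes with a defensive variant: a translation template is interpolated with a user-controlled value, and the hardened helper escapes each interpolated value before the result is treated as safe markup. The TRANSLATIONS table and both helper names are constructed for this illustration and are not the Rails I18n API.

```ruby
require 'erb'

# Constructed translation table standing in for the I18n backend.
# The template text is developer-authored and therefore trusted.
TRANSLATIONS = { greeting: "Hello, %{name}!" }.freeze

# Mirrors the problem in the ticket: the fully interpolated string is
# handed back as if it were safe HTML, so whatever @user.name contains
# reaches the page unescaped.
def translate_unsafe(key, values)
  TRANSLATIONS.fetch(key) % values
end

# Defensive variant: escape every interpolated value first, then
# interpolate. Only the trusted template remains unescaped, so a value
# containing markup is rendered as text, not as HTML.
def translate_escaped(key, values)
  escaped = values.transform_values { |v| ERB::Util.html_escape(v.to_s) }
  TRANSLATIONS.fetch(key) % escaped
end

if __FILE__ == $PROGRAM_NAME
  # Constructed untrusted input, e.g. a user-supplied display name.
  name = "<b>Mallory</b>"
  puts translate_unsafe(:greeting, name: name)   # markup survives intact
  puts translate_escaped(:greeting, name: name)  # markup neutralised
end
```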
Comments and changes to this ticket
Rohit Arondekar October 8th, 2010 @ 02:31 AM
- State changed from new to stale
- Importance changed from to Low
Marking ticket as stale. If this is still an issue please leave a comment with suggested changes, creating a patch with tests, rebasing an existing patch or just confirming the issue on a latest release or master/branches.
Tickets have moved to Github
The new ticket tracker is available at https://github.com/rails/rails/issues