From 876840e9efceb4cde0af92e2a0f5d7afe906b5e9 Mon Sep 17 00:00:00 2001 From: Claire Date: Fri, 19 Mar 2021 23:48:59 +0100 Subject: Fix brakeman warning (#15870) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As far as I understand, the brakeman warning was a false-positive as `content_tag` properly escapes untrusted HTML. Furthermore, the interpolated string values are built from the “username” part of accounts, which is restricted to a small subset of ASCII that precludes any XML entity or HTML code. This proposed change should be functionally equivalent to the current code, however it is slightly more robust, it's more idiomatic, and Brakeman will stop complaining about it. --- app/views/admin/action_logs/_action_log.html.haml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/views/admin/action_logs/_action_log.html.haml') diff --git a/app/views/admin/action_logs/_action_log.html.haml b/app/views/admin/action_logs/_action_log.html.haml index 59905f341..a2fce2d11 100644 --- a/app/views/admin/action_logs/_action_log.html.haml +++ b/app/views/admin/action_logs/_action_log.html.haml @@ -4,6 +4,6 @@ = image_tag action_log.account.avatar.url(:original), alt: '', width: 40, height: 40, class: 'avatar' .log-entry__content .log-entry__title - = t("admin.action_logs.actions.#{action_log.action}_#{action_log.target_type.underscore}", name: content_tag(:span, action_log.account.username, class: 'username'), target: content_tag(:span, log_target(action_log), class: 'target')).html_safe + = t("admin.action_logs.actions.#{action_log.action}_#{action_log.target_type.underscore}_html", name: content_tag(:span, action_log.account.username, class: 'username'), target: content_tag(:span, log_target(action_log), class: 'target')) .log-entry__timestamp %time.formatted{ datetime: action_log.created_at.iso8601 } -- cgit