
Rails/OutputSafety for i18n HTML strings

Open schmijos opened this issue 3 years ago • 0 comments

I've got a helper method:

# Helper that renders the "I accept the terms" sentence with the terms link
# interpolated into an i18n key ending in _html.
def link_to_terms_of_service
  # I18n.t is called directly (not the ActionView `t` helper), so the
  # interpolated link_to result is inserted as a plain String and the
  # whole sentence is then marked html_safe by hand.
  I18n.t('booking.general.terms_of_service_html',
         terms: link_to(t('activerecord.attributes.time_slot_booking.accepted_terms'),
                        terms_of_service_path,
                        target: '_blank', rel: 'noopener')).html_safe
end

It's being used to generate HTML looking like this: [image]

Expected

I would expect that this works flawlessly, because Rails uses the convention to treat i18n keys ending with _html as safe.

Actual

But actually Rubocop complains:

app/helpers/user_helper.rb:26:63: C: Rails/OutputSafety: Tagging a string as html safe may be a security risk.
                          target: '_blank', rel: 'noopener')).html_safe
                                                              ^^^^^^^^^

Workaround

In the past we used sanitize to work around this problem, but that's not the right measure in my eyes. All generated HTML code in this example is framework-owned. Why should I not be able to mark it as safe?

RuboCop version

$ [bundle exec] rubocop -V
1.15.0 (using Parser 3.0.1.1, rubocop-ast 1.7.0, running on ruby 2.7.1 x86_64-darwin17)
  - rubocop-performance 1.11.3
  - rubocop-rails 2.10.1
  - rubocop-rspec 2.3.0

schmijos, May 31 '21 14:05
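The distinction the cop is reacting to is where the `_html` convention lives. Rails implements it in the ActionView translation helper (`t` / `translate`), which HTML-escapes every interpolation value that is not already marked safe and then marks the assembled string safe; plain `I18n.t` knows nothing about the suffix, so its result is an ordinary String and calling `.html_safe` on it vouches for whatever was interpolated. The following is an added example, not code from the issue or from rubocop-rails: it models both paths in plain Ruby with a hypothetical `SafeString` standing in for `ActiveSupport::SafeBuffer`, a simplified `link_to`, and a constructed translation table, so it runs without Rails.

```ruby
require 'erb'

# Hypothetical stand-in for ActiveSupport::SafeBuffer: a String that
# remembers it has already been vetted as HTML.
class SafeString < String; end

# Constructed translation table (stands in for config/locales/*.yml).
TRANSLATIONS = {
  'booking.general.terms_of_service_html' => 'I accept the %{terms}.',
  'booking.general.terms_of_service'      => 'I accept the %{terms}.'
}.freeze

def lookup(key)
  TRANSLATIONS.fetch(key) { raise KeyError, "missing translation: #{key}" }
end

# Mimics I18n.t: named interpolation, no escaping, plain String result.
def i18n_t(key, **values)
  lookup(key) % values
end

# Mimics the ActionView `t` helper's handling of *_html keys: each
# interpolation is escaped unless already safe, then the result is marked safe.
# Non-_html keys fall through to the plain lookup.
def view_t(key, **values)
  return i18n_t(key, **values) unless key.end_with?('_html')

  escaped = values.transform_values do |v|
    v.is_a?(SafeString) ? v : ERB::Util.html_escape(v.to_s)
  end
  SafeString.new(lookup(key) % escaped)
end

# Simplified link_to: escapes text and attribute values and returns a
# safe string, the way the real helper does.
def link_to(text, href, target: nil, rel: nil)
  attrs = { href: href, target: target, rel: rel }.compact
  attr_str = attrs.map { |k, v| %(#{k}="#{ERB::Util.html_escape(v)}") }.join(' ')
  SafeString.new("<a #{attr_str}>#{ERB::Util.html_escape(text)}</a>")
end

# The helper's intent, written against the view helper: the link is already
# safe, so it passes through untouched, and no manual .html_safe is needed.
def terms_link_via_view_helper
  view_t('booking.general.terms_of_service_html',
         terms: link_to('Terms of Service', '/terms', target: '_blank', rel: 'noopener'))
end

# The shape the cop flags: I18n.t plus a blanket .html_safe. Harmless with a
# framework-built link, but it will also pass through anything else handed in.
def terms_link_via_i18n_html_safe(terms)
  SafeString.new(i18n_t('booking.general.terms_of_service_html', terms: terms))
end

# Constructed untrusted input, to show the difference between the two paths.
PAYLOAD = '<img src=x onerror=alert(1)>'.freeze

if __FILE__ == $PROGRAM_NAME
  puts terms_link_via_view_helper
  puts view_t('booking.general.terms_of_service_html', terms: PAYLOAD)   # escaped
  puts terms_link_via_i18n_html_safe(PAYLOAD)                            # not escaped
end
```

With the framework-built link both paths produce identical markup, which is why the manual `.html_safe` looks redundant rather than dangerous; the payload run shows what separates them. Rails/OutputSafety cannot tell the two situations apart from the call site, so routing the lookup through the view helper both removes the warning and keeps the escaping decision inside the framework.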