Fix HTML escaping for partner email sharing #11491

Merged
aduth merged 4 commits into main from aduth-select-email-html-escaping
Nov 12, 2024

aduth commented Nov 12, 2024

🛠 Summary of changes

Fixes an issue where partner email selection text was showing as escaped HTML.

The content was recently updated in #11468 to add HTML, and while the string key is correctly suffixed with `_html`, one of two views uses `I18n.t` instead of `t`, which does not perform automatic unescaping (docs).

📜 Testing Plan

Verify the text does not show escaped HTML:

  1. Run sample application in parallel to IdP
  2. Prerequisite: If you've already consented with partner application, sign in and revoke consent from "Connected Accounts" account page
  3. Go to http://localhost:9292
  4. Click "Sign in"
  5. Complete sign-in up to consent screen
  6. Click "Change" if you see it. Otherwise, click "Add new email" and complete this flow
  7. Observe introduction paragraph of email selection screen does not include escaped HTML

👀 Screenshots

[Screenshots: Before / After]

aduth requested a review from a team November 12, 2024 12:39
changelog: Upcoming Features, Partner Email Selection, Fix HTML escaping for partner email sharing
aduth force-pushed the aduth-select-email-html-escaping branch from 646435c to 2ce0dda November 12, 2024 13:14
aduth and others added 2 commits November 12, 2024 13:17
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
aduth commented Nov 12, 2024

I added a custom RuboCop linter in 563fa02, since it seems easy enough to flag calls to `I18n.t` with a string key ending with `_html`.

I had to limit this to apply only to views for now, since there are a lot of false positives in the backend Ruby code, particularly for error messages that are created with `I18n.t` and marked as safe after the fact.

aduth merged commit bb9c75f into main Nov 12, 2024
aduth deleted the aduth-select-email-html-escaping branch November 12, 2024 19:48
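
The check described in the comment above (flag `I18n.t` calls in views whose string key ends with `_html`), sketched as an added example; it is not the RuboCop cop from 563fa02 or any code from this repository. It assumes Ruby's stdlib Ripper lexer run over the Ruby inside ERB tags, and the sample view and its translation keys are constructed.

```ruby
require 'ripper'

# I18n methods that return a plain String; ERB escapes their result even when
# the key ends in "_html" (only the Rails view helper `t` marks it HTML-safe).
I18N_METHODS = %w[t translate].freeze

# Returns [[line, key], ...] for I18n.t / I18n.translate calls whose first
# argument is a literal string ending in "_html". Works on lexer tokens, so
# calls that only appear in comments or inside other strings are ignored.
# Keys built with interpolation or passed as variables are not detected.
def html_key_offenses(ruby, first_line = 1)
  tokens = Ripper.lex(ruby).reject { |t| t[1] == :on_sp }
  tokens.each_index.with_object([]) do |i, offenses|
    recv, dot, meth = tokens[i, 3].map { |t| t[1, 2] }
    next unless recv == [:on_const, 'I18n'] && dot && dot[0] == :on_period
    next unless meth && meth[0] == :on_ident && I18N_METHODS.include?(meth[1])
    j = i + 3
    j += 1 if tokens[j] && tokens[j][1] == :on_lparen
    types = (tokens[j, 3] || []).map { |t| t[1] }
    next unless types == %i[on_tstring_beg on_tstring_content on_tstring_end]
    key = tokens[j + 1][2]
    offenses << [first_line + tokens[i][0][0] - 1, key] if key.end_with?('_html')
  end
end

# Checks only the Ruby inside <% %> / <%= %> tags (ERB comments and literal
# "<%%" are skipped); reported line numbers refer to the template.
def erb_html_key_offenses(template)
  offenses = []
  template.scan(/<%(?!%|#)[=-]?(.*?)-?%>/m) do
    match = Regexp.last_match
    offenses.concat(html_key_offenses(match[1], match.pre_match.count("\n") + 1))
  end
  offenses
end

# Constructed sample view; the translation key names are hypothetical.
SAMPLE_VIEW = <<~'ERB'
  <h1><%= t('titles.select_email') %></h1>
  <%# I18n.t('help_text.intro_html') in an ERB comment is ignored %>
  <p><%= I18n.t('help_text.intro_html', app: @sp_name) %></p>
  <p><%= t('help_text.intro_html', app: @sp_name) %></p>
  <% if @show %>
    <%= I18n.translate 'help_text.footer_html' %>
  <% end %>
ERB

puts erb_html_key_offenses(SAMPLE_VIEW).inspect if __FILE__ == $PROGRAM_NAME
```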