Escape format parameter via `html_escape_once` in `safe_format` (!121187) · Merge requests · GitLab.org / GitLab

Peter Leitzen requested to merge pl-safe-format-html-escape-once into master May 18, 2023

What does this MR do and why?

This allows format parameter in safe_format to contain escaped entities and avoid double escaping.

This is convenient for the following pattern we often see. From https://docs.gitlab.com/ee/development/i18n/externalization.html#including-angle-brackets:

# before
html_escape_once(_('In &lt; hour')).html_safe

# after
safe_format(_('In &lt; hour'))

This also drops the risky .html_safe call from these instances.

Note that html_escape_once is also faster than html_escape.

In terms of security, the output of html_escape_once and html_escape is equivalent with the sole exception that the former does not escape already escaped entities.

See https://github.com/rails/rails/blob/v6.1.7.2/activesupport/test/core_ext/string_ext_test.rb#L1000-L1029

Refs

Follow-up of Add convenience helper method `safe_format` (!118632 - merged)
Contributes to Enforce use of `safe_format` for externalized s... (#374091 - closed)
Contributes to Prohibit calling .html_safe in views (#408826)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited May 18, 2023 by Peter Leitzen

Escape format parameter via `html_escape_once` in `safe_format`

What does this MR do and why?

Refs

MR acceptance checklist

Merge request reports