Don't use :html_safe in case shipping method name contains something malicious in app/views/admin/order_cycles/checkout_options.html.haml

Co-authored-by: Maikel <maikel@email.org.au>
2026-01-24 20:36:49 +00:00 · 2022-06-20 21:48:04 +01:00
parent d9de35799d
commit 7bd56007bd
1 changed files with 3 additions and 1 deletions
--- a/app/views/admin/order_cycles/checkout_options.html.haml
+++ b/app/views/admin/order_cycles/checkout_options.html.haml
@@ -61,7 +61,9 @@
                  = input.check_box
                  = input.label
                %p
-                  = "&mdash;<em>#{shared_shipping_method.distributors.where(id: @order_cycle.distributor_ids).map(&:name).join(", ")}</em>".html_safe
+                  &mdash
+                  %em>
+                    = shared_shipping_method.distributors.where(id: @order_cycle.distributor_ids).map(&:name).join(", ")
          %td
            - if shared_payment_methods.any?
              %ul