From 7bd56007bde5d417df73aa74c9d8bb12ad50993b Mon Sep 17 00:00:00 2001
From: Cillian O'Ruanaidh
Date: Mon, 20 Jun 2022 21:48:04 +0100
Subject: [PATCH] Don't use :html_safe in case shipping method name contains something malicious in app/views/admin/order_cycles/checkout_options.html.haml

Co-authored-by: Maikel
---
 app/views/admin/order_cycles/checkout_options.html.haml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/views/admin/order_cycles/checkout_options.html.haml b/app/views/admin/order_cycles/checkout_options.html.haml
index 01ebd9e041..c3f2711900 100644
--- a/app/views/admin/order_cycles/checkout_options.html.haml
+++ b/app/views/admin/order_cycles/checkout_options.html.haml
@@ -61,7 +61,9 @@
 = input.check_box
 = input.label
 %p
-= "—#{shared_shipping_method.distributors.where(id: @order_cycle.distributor_ids).map(&:name).join(", ")}".html_safe
+&mdash
+%em>
+= shared_shipping_method.distributors.where(id: @order_cycle.distributor_ids).map(&:name).join(", ")
 %td
 - if shared_payment_methods.any?
 %ul
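Review bot: The added plain-text line `&mdash` is missing its terminating semicolon; HAML passes a plain-text line through as-is, and browsers only accept a small legacy set of named character references without `;` (`mdash` is not among them), so the dash will most likely render as the literal text `&mdash`. Change the line to `&mdash;`. The escaping change itself is the right fix: with `html_safe` gone, the `=` output inside `%em>` is HTML-escaped by default, so a distributor name containing markup is rendered as inert text rather than injected into the admin page, and the `>` whitespace-removal keeps the dash flush against the names as the old string did. The surrounding `%p`/`%td` structure and the `- if shared_payment_methods.any?` branch continue outside the hunk, so their indentation relative to the new lines should be checked in the full template.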