Merge pull request #305 from alphagov/no-html-safe

Avoid usage of html_safe
alphagov · May 11, 2018 · 76c2aa7 · 76c2aa7
2 parents 7161c7d + 72c089e
commit 76c2aa7
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Unreleased
 
+* The Button component no longer accepts unescaped HTML in the `info_text`,
+  you'll have to call `html_safe` on it yourself. Probably the only affected
+  application is `frontend` (#305)
 * Remove optional `canonical` meta tag (applications can add this tag explicitly if they need it)
 
 # 7.3.0

diff --git a/app/views/govuk_publishing_components/components/_button.html.erb b/app/views/govuk_publishing_components/components/_button.html.erb
@@ -18,12 +18,12 @@
   html_options[:title] = title if title
 %>
 <% if href %>
-  <%= link_to(text, href.try(:html_safe), html_options) %>
+  <%= link_to(text, href, html_options) %>
 <% else %>
   <%= button_tag(text, html_options) %>
 <% end %>
 <% if info_text %>
   <span class="gem-c-button__info-text">
-    <%= info_text.try(:html_safe) %>
+    <%= info_text %>
   </span>
 <% end %>
diff --git a/app/views/govuk_publishing_components/components/_taxonomy_navigation.html.erb b/app/views/govuk_publishing_components/components/_taxonomy_navigation.html.erb
@@ -102,7 +102,7 @@
                 </li>
                 <li class="gem-c-taxonomy-navigation__link">
                   <span id="toggle_<%= section_name %>" class="js-hidden">
-                    <%= hidden_links.to_sentence.html_safe %>
+                    <%= to_sentence(hidden_links) %>
                   </span>
                 </li>
               <% end %>

diff --git a/app/views/govuk_publishing_components/components/related_navigation/_section.html.erb b/app/views/govuk_publishing_components/components/related_navigation/_section.html.erb
@@ -55,7 +55,7 @@
 
       <li class="gem-c-related-navigation__link">
         <span id="toggle_<%= section_title %>" class="js-hidden">
-          <%= constructed_link_array.to_sentence.html_safe %>
+          <%= to_sentence(constructed_link_array) %>
         </span>
       </li>
     <% end %>

diff --git a/lib/govuk_publishing_components/presenters/step_by_step_nav_helper.rb b/lib/govuk_publishing_components/presenters/step_by_step_nav_helper.rb
@@ -84,7 +84,12 @@ def create_list_item_content(link)
         if link[:href]
           @link_index += 1
           href = link_href(link[:active], link[:href])
-          text = "#{link_text(link[:active], link[:text])} #{create_context(link[:context])}".html_safe
+
+          text = capture do
+            concat link_text(link[:active], link[:text])
+            concat " "
+            concat create_context(link[:context])
+          end
 
           link_to(
             href,

diff --git a/spec/components/all_components_spec.rb b/spec/components/all_components_spec.rb
@@ -0,0 +1,9 @@
+require 'rails_helper'
+
+describe "All components" do
+  it "doesn't use `html_safe`" do
+    files_with_html_safe = `grep -rni "html_safe" app/views/govuk_publishing_components/components`.lines
+
+    expect(files_with_html_safe).to be_empty
+  end
+end