html escape simple format

1 year ago · bd853c6265
parent 5a1efd0e27
commit bd853c6265
2 changed files with 2 additions and 2 deletions
--- a/app/views/submissions/show.html.erb
+++ b/app/views/submissions/show.html.erb
@ -154,7 +154,7 @@
              <div class="flex items-center space-x-1 mt-1">
                <span>
                  Reason:
-                  <%= simple_format(submitter.submission_events.find_by(event_type: :decline_form).data['reason']) %>
+                  <%= simple_format(h(submitter.submission_events.find_by(event_type: :decline_form).data['reason'])) %>
                </span>
              </div>
            <% end %>
--- a/app/views/submitter_mailer/declined_email.html.erb
+++ b/app/views/submitter_mailer/declined_email.html.erb
@ -1,4 +1,4 @@
 <p><%= t('hi_there') %>,</p>
 <p><%= t('name_declined_by_submitter_with_the_following_reason', name: @submitter.submission.template.name, submitter: @submitter.name || @submitter.email || @submitter.phone) %></p>
-<%= simple_format(@submitter.submission_events.find_by(event_type: :decline_form).data['reason']) %>
+<%= simple_format(h(@submitter.submission_events.find_by(event_type: :decline_form).data['reason'])) %>
 <p><%= link_to t('view'), submission_url(@submitter.submission) %></p>