Merge pull request #976 from koic/fix_a_false_positive_for_rails_output_safety

koic · web-flow · commit a95542251a39 · 2023-04-07T00:23:05.000+09:00
[Fix #501] Fix a false positive for `Rails/OutputSafety`
diff --git a/changelog/fix_a_false_positive_for_rails_output_safety.md b/changelog/fix_a_false_positive_for_rails_output_safety.md
@@ -0,0 +1 @@
+* [#501](https://github.com/rubocop/rubocop-rails/issues/501): Fix a false positive for `Rails/OutputSafety` when using `html_safe` for `I18n` methods. ([@koic][])
diff --git a/lib/rubocop/cop/rails/output_safety.rb b/lib/rubocop/cop/rails/output_safety.rb
@@ -66,8 +66,12 @@ class OutputSafety < Base
         MSG = 'Tagging a string as html safe may be a security risk.'
         RESTRICT_ON_SEND = %i[html_safe raw safe_concat].freeze
 
+        def_node_search :i18n_method?, <<~PATTERN
+          (send {nil? (const {nil? cbase} :I18n)} {:t :translate :l :localize} ...)
+        PATTERN
+
         def on_send(node)
-          return if non_interpolated_string?(node)
+          return if non_interpolated_string?(node) || i18n_method?(node)
 
           return unless looks_like_rails_html_safe?(node) ||
                         looks_like_rails_raw?(node) ||
diff --git a/spec/rubocop/cop/rails/output_safety_spec.rb b/spec/rubocop/cop/rails/output_safety_spec.rb
@@ -130,5 +130,57 @@
                        ^^^ Tagging a string as html safe may be a security risk.
       RUBY
     end
+
+    it 'does not register an offense when using `html_safe` for `I18n.t` method' do
+      expect_no_offenses(<<~RUBY)
+        I18n.t('foo.bar.baz', scope: [:x, :y, :z]).html_safe
+        ::I18n.t('foo.bar.baz', scope: [:x, :y, :z]).html_safe
+      RUBY
+    end
+
+    it 'does not register an offense when using `html_safe` for `I18n.translate` method' do
+      expect_no_offenses(<<~RUBY)
+        I18n.translate('foo.bar.baz', scope: [:x, :y, :z]).html_safe
+        ::I18n.translate('foo.bar.baz', scope: [:x, :y, :z]).html_safe
+      RUBY
+    end
+
+    it 'does not register an offense when using `html_safe` for `t` method' do
+      expect_no_offenses(<<~RUBY)
+        t('foo.bar.baz').html_safe
+      RUBY
+    end
+
+    it 'does not register an offense when using `html_safe` for `translate` method' do
+      expect_no_offenses(<<~RUBY)
+        translate('foo.bar.baz').html_safe
+      RUBY
+    end
+
+    it 'does not register an offense when using `html_safe` for `I18n.l` method' do
+      expect_no_offenses(<<~RUBY)
+        I18n.l(Time.now, locale: :de).html_safe
+        ::I18n.l(Time.now, locale: :de).html_safe
+      RUBY
+    end
+
+    it 'does not register an offense when using `html_safe` for `I18n.localize` method' do
+      expect_no_offenses(<<~RUBY)
+        I18n.localize(Time.now, locale: :de).html_safe
+        ::I18n.localize(Time.now, locale: :de).html_safe
+      RUBY
+    end
+
+    it 'does not register an offense when using `html_safe` for `l` method' do
+      expect_no_offenses(<<~RUBY)
+        l(Time.now).html_safe
+      RUBY
+    end
+
+    it 'does not register an offense when using `html_safe` for `localize` method' do
+      expect_no_offenses(<<~RUBY)
+        localize(Time.now).html_safe
+      RUBY
+    end
   end
 end

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+* [#501](https://github.com/rubocop/rubocop-rails/issues/501): Fix a false positive for `Rails/OutputSafety` when using `html_safe` for `I18n` methods. ([@koic][])