From bd853c6265b572f19676921de689fe96a00b2c51 Mon Sep 17 00:00:00 2001
From: Pete Matsyburka <pete.matsy@gmail.com>
Date: Sat, 7 Sep 2024 12:00:12 +0300
Subject: [PATCH] html escape simple format

---
 app/views/submissions/show.html.erb                | 2 +-
 app/views/submitter_mailer/declined_email.html.erb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/views/submissions/show.html.erb b/app/views/submissions/show.html.erb
index bc7eca555..5011e02b9 100644
--- a/app/views/submissions/show.html.erb
+++ b/app/views/submissions/show.html.erb
@@ -154,7 +154,7 @@
               <div class="flex items-center space-x-1 mt-1">
                 <span>
                   Reason:
-                  <%= simple_format(submitter.submission_events.find_by(event_type: :decline_form).data['reason']) %>
+                  <%= simple_format(h(submitter.submission_events.find_by(event_type: :decline_form).data['reason'])) %>
                 </span>
               </div>
             <% end %>
diff --git a/app/views/submitter_mailer/declined_email.html.erb b/app/views/submitter_mailer/declined_email.html.erb
index 382390923..24d6f9196 100644
--- a/app/views/submitter_mailer/declined_email.html.erb
+++ b/app/views/submitter_mailer/declined_email.html.erb
@@ -1,4 +1,4 @@
 <p><%= t('hi_there') %>,</p>
 <p><%= t('name_declined_by_submitter_with_the_following_reason', name: @submitter.submission.template.name, submitter: @submitter.name || @submitter.email || @submitter.phone) %></p>
-<%= simple_format(@submitter.submission_events.find_by(event_type: :decline_form).data['reason']) %>
+<%= simple_format(h(@submitter.submission_events.find_by(event_type: :decline_form).data['reason'])) %>
 <p><%= link_to t('view'), submission_url(@submitter.submission) %></p>