HTML tags in error messages

Hi there,

I have noticed that new-line tags (<br>) are shown in error messages and
would like to fix this.
Actually, I see that someone has already submitted a bug in the Issue
Tracker: Bug #6903: "<br/>" in text when receiving error while deleting multiple hosts - Foreman.

From what I have seen, the error message is sent (for instance, from
app/controllers/hosts_controller.rb:404
<https://github.com/theforeman/foreman/blob/develop/app/controllers/hosts_controller.rb#L404>)
by using the error method that its definition is in
app/controllers/application_controller.rb:172
<https://github.com/theforeman/foreman/blob/develop/app/controllers/application_controller.rb#L172>.
There, the error message is being HTML escaped to avoid XSS attacks, but on
the same time, making the HTML being a part of the error message.

One way to fix this is by using the new line character (\n) instead of the
new line tag in the error message. However, this doesn't work too because
the backslash is also being HTML escaped.
That brings me to suggest to use sanitize
<http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html>
after doing the HTML escape and by that replacing the new-line tag with the
new-line character in the error message.

Unless you have a better idea, I can do this change and submit a PR.

Best Regards.
<http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html>

I think you can mark all the strings containing the '<br>' tags as .html_safe which will cause them to be marked as SafeBuffers.
If I'm not mistaken this will provide better performance then sanitizing the entire strings.
see here for more info: http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/

We've fixed a few similar instances, and I'd suggest simply changing it
to use .to_sentence or .join(',') on the array rather than worrying
about new lines.

OK - I have submitted a pull request
<https://github.com/theforeman/foreman/pull/1698>.

Best Regards,