Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a constructor config flag that automatically escapes html in parameters #1002

Closed
gardarh opened this issue Sep 11, 2020 · 3 comments
Closed

Add a constructor config flag that automatically escapes html in parameters #1002

gardarh opened this issue Sep 11, 2020 · 3 comments
Labels
Status: Proposal Request for comments Type: Feature Includes new features

Comments

@gardarh
Copy link
Contributor

gardarh commented Sep 11, 2020
edited

In some cases using component interpolation is inconvenient (example case when a string needs to be crafted in code and sent into a child component).

I commonly use "minor" html tags in translation strings, e.g. the <b> tag. However this causes a very subtle XSS attack vector where I need to be very careful not to pass user input directly as interpolation parameters.

I would like to be able to send a flag (e.g. escapeParameterHtml) into the VueI18n constructor:

export const i18n = new VueI18n({
  escapeParameterHtml: true,
  messages: translations,
})

This would add the following step to the BaseFormatter.interpolate, roughly so:

export const escapeHtml = function(rawText: string): string {
  return rawText
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
}

class BaseFormatter {
interpolate (message: string, values: any): Array<any> {
...
if(options.escapeParameterHtml) {
    values = Object.entries(values).map([key, value] => [key, escapeHtml(value)])
}
}

If I could create a custom formatter that extended the BaseFormatter this would be simple to do without modifying the library but unfortunately the BaseFormatter class is not exported.
@kazupon kazupon added Status: Proposal Request for comments Type: Feature Includes new features labels Sep 13, 2020
@gardarh
Copy link
Contributor Author

gardarh commented Oct 1, 2020

If this feature aligns with the project philosophy I could implement it and submit a PR. @kazupon Please let me know and I'll get to it.

@kazupon
Copy link
Owner

kazupon commented Oct 1, 2020

Sorry, lately my reply.

That sounds good.
You can send a PR. :)

gardarh pushed a commit to gardarh/vue-i18n that referenced this issue Oct 6, 2020
Add escapeParameterHtml parameter. kazupon#1002
768828f
gardarh pushed a commit to gardarh/vue-i18n that referenced this issue Oct 6, 2020
Add escapeParameterHtml parameter. kazupon#1002
614fc8e
gardarh pushed a commit to gardarh/vue-i18n that referenced this issue Oct 6, 2020
Add escapeParameterHtml parameter. kazupon#1002
1bdab54
@gardarh gardarh mentioned this issue Oct 6, 2020
Merged
gardarh pushed a commit to gardarh/vue-i18n that referenced this issue Oct 6, 2020
Add escapeParameterHtml parameter. kazupon#1002
b584bf2
kazupon pushed a commit that referenced this issue Oct 6, 2020
@gardarh
Add escapeParameterHtml parameter. #1002 (#1009)
db6edc3 
Co-authored-by: Gardar Hauksson <gardarh@payanalytics.com>
@kazupon
Copy link
Owner

kazupon commented Oct 6, 2020

Merged.

@kazupon kazupon closed this as completed Oct 6, 2020
@kazupon kazupon mentioned this issue Oct 6, 2020
Merged
gardarh pushed a commit to gardarh/vue-i18n that referenced this issue Oct 6, 2020
Fix typo, espaceParameterHtml -> escapeParameterHtml in README. kazup…
6a3385d 
…on#1002
exoego added a commit that referenced this issue Oct 6, 2020
@exoego
Merge pull request #1012 from gardarh/1002-fix-escapeParameterHtml-ty…
e2319f2 
…po-in-readme

Fix typo, espaceParameterHtml -> escapeParameterHtml in README. #1002
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Status: Proposal Request for comments Type: Feature Includes new features
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kazupon @gardarh