Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Escape error messages #7308

Merged
merged 4 commits into from
Jun 28, 2017
Merged

Escape error messages #7308

merged 4 commits into from
Jun 28, 2017

Conversation

rodrigok
Copy link
Member

@RocketChat/core

@rodrigok rodrigok added this to the 0.58.0 milestone Jun 22, 2017
@engelgabriel engelgabriel temporarily deployed to rocket-chat-pr-7308 June 22, 2017 19:08 Inactive
Copy link
Member

@sampaiodiego sampaiodiego left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should the return of TAPi18n.__ be escaped instead of translation key?

@rodrigok
Copy link
Member Author

@sampaiodiego Why, the result is the combination of the user input with the translation string, the only part that can be used to execute JS without our knowledge is the user input. That way we allow some HTML formatting inside our translation strings prevent undesired HTML execution from user input.

@engelgabriel engelgabriel temporarily deployed to rocket-chat-pr-7308 June 22, 2017 21:03 Inactive
@rodrigok rodrigok modified the milestones: 0.57.0, 0.58.0 Jun 27, 2017
@rodrigok rodrigok merged commit 5207aac into develop Jun 28, 2017
@rodrigok rodrigok deleted the improvements/escape-error-messages branch June 28, 2017 14:05
rodrigok added a commit that referenced this pull request Jun 28, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants