[security] Translations can inject JavaScript code into the extension #2084

Closed
palant opened this issue Oct 18, 2016 · 1 comment

palant commented Oct 18, 2016

I noticed that uBlock Origin applies translations by effectively assigning the translated string to `element.innerHTML`. This means that a translation like `Fake translation<img src="dummy" onerror="alert(/xss/)">` will run JavaScript code in the context of your extension. I played with the thought of submitting an Easter egg via Crowdin translation in order to see when this would be caught but opted for responsible disclosure in the end.

For reference, Adblock Plus uses HTML tags in translations merely as placeholders; translations are always being applied via DOM methods that cannot have unexpected side-effects. It's probably best if you use something similar rather than verifying translations manually.


gorhill commented Oct 18, 2016

This was first reported through email, so here is the exchange which followed:

@gorhill:

Thanks for the heads-up.

I do check manually all translation changes, but I agree that not using innerHTML and supporting some sort of markdown mechanism to manually parse and only support the smallest necessary set of HTML tags is best (though I will still need to always review manually all changes).

Do you mind if I open an issue on uBO's issue tracker with the content of your message above and identifying you as the person who reported the issue?

@palant:

I don't. I originally meant to do so myself but it's still a security issue and I didn't want to post it publicly.

regards

@gorhill:

Ok, I will let you open the issue then. I don't see the public disclosure as being a problem since I do check manually with Meld all translations when I import them, even more carefully now with being aware of the issue.

gorhill added a commit to gorhill/uMatrix that referenced this issue Dec 4, 2016
Noxgrim pushed a commit to Noxgrim/uMatrix that referenced this issue Dec 29, 2021
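
The approach discussed in this thread (tags in translations treated as placeholders from a small allowlist and applied through DOM methods instead of `innerHTML`), as an added example that is not uBlock Origin's or Adblock Plus's code. The allowlist and the names `parseTranslation` and `renderTranslation` are assumptions made for this illustration.

```javascript
// Added example, not project code. The allowlist below is an assumption.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'code']);

// Turn a translated string into a tree of text strings and allowlisted tags.
// Only bare tags such as <b> or </b> are recognised. A tag with attributes
// (for example the <img ... onerror=...> string from the report) never
// matches the pattern, so it stays ordinary text.
function parseTranslation(str) {
  const root = { tag: null, children: [] };
  const stack = [root];
  const re = /<(\/?)([a-z]+)>/gi;
  const pushText = (s) => { if (s) stack[stack.length - 1].children.push(s); };
  let last = 0;
  let m;
  while ((m = re.exec(str)) !== null) {
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;      // unknown tag: keep as text
    pushText(str.slice(last, m.index));
    last = re.lastIndex;
    if (m[1] === '') {                         // opening tag
      const node = { tag, children: [] };
      stack[stack.length - 1].children.push(node);
      stack.push(node);
    } else if (stack.length > 1 && stack[stack.length - 1].tag === tag) {
      stack.pop();                             // matching closing tag
    }                                          // stray closing tag: dropped
  }
  pushText(str.slice(last));
  return root.children;
}

// Apply the tree with createElement/createTextNode only, so no part of the
// translation is ever handed to the HTML parser.
function renderTranslation(doc, parent, str) {
  const build = (target, nodes) => {
    for (const n of nodes) {
      if (typeof n === 'string') {
        target.appendChild(doc.createTextNode(n));
      } else {
        const el = doc.createElement(n.tag);
        build(el, n.children);
        target.appendChild(el);
      }
    }
  };
  parent.textContent = '';                     // clear previous content
  build(parent, parseTranslation(str));
  return parent;
}
```

In an extension page this would be called as `renderTranslation(document, element, translatedString)`; the string from the report then appears as visible text rather than as an `img` element.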