-
Notifications
You must be signed in to change notification settings - Fork 11.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[5.6] Revert "escape lang directive echos" #25408
Conversation
This reverts commit d3c0a36.
Isn't it perhaps a security fix? Just wondering though, otherwise it's a big breaking change indeed. |
If it's a security fix, it should have also gone into 5.5, but I don't see anything. Perhaps this needs reverting in 5.6 and re-adding in 5.7? |
It's a security fix and won't be reverted. There was an XSS vulnerability in that situation when passing parameters as the second method to @lang. |
@GrahamCampbell it is in 5.5 as well. I pushed fixes to both branches and will be discussing more tomorrow. |
Shouldn't the parameters be escaped then? Not the full output... language strings can be considered safe!? This was used a lot in my (and from other comments, many) applications to make some text bold or add some other inline styling without breaking up in multiple translation strings. |
It also breaks the "verify email address" link
The link appear as (notice |
Thanks for breaking all my apps in this micro @taylorotwell without any heads-ups, reverting to 5.6.35 for now. |
Same here. Everything is broken in all my apps because I was always using @lang directive for displaying translations. |
I don't recommend it for the long term (especially since this was done out of security reasons, check good what you pass to a language variable!). But in my case I did not have the time to go through all 250 or so language strings with <?php
namespace App\Providers;
use Illuminate\View\Engines\CompilerEngine;
use Illuminate\View\Compilers\BladeCompiler;
use Illuminate\View\ViewServiceProvider as IlluminateViewServiceProvider;
class ViewServiceProvider extends IlluminateViewServiceProvider
{
/**
* Register the Blade engine implementation.
*
* @param \Illuminate\View\Engines\EngineResolver $resolver
*
* @return void
*/
public function registerBladeEngine($resolver)
{
// The Compiler engine requires an instance of the CompilerInterface, which in
// this case will be the Blade compiler, so we'll first create the compiler
// instance to pass into the engine so it can compile the views properly.
$this->app->singleton('blade.compiler', function () {
return new class($this->app['files'], $this->app['config']['view.compiled']) extends BladeCompiler
{
/**
* Compile the lang statements into valid PHP.
*
* @param string $expression
*
* @return string
*/
protected function compileLang($expression)
{
if (is_null($expression)) {
return '<?php $__env->startTranslation(); ?>';
} elseif ($expression[1] === '[') {
return "<?php \$__env->startTranslation{$expression}; ?>";
}
return "<?php echo app('translator')->getFromJson{$expression}; ?>";
}
/**
* Compile the end-lang statements into valid PHP.
*
* @return string
*/
protected function compileEndlang()
{
return '<?php echo $__env->renderTranslation(); ?>';
}
/**
* Compile the choice statements into valid PHP.
*
* @param string $expression
*
* @return string
*/
protected function compileChoice($expression)
{
return "<?php echo app('translator')->choice{$expression}; ?>";
}
};
});
$resolver->register('blade', function () {
return new CompilerEngine($this->app['blade.compiler']);
});
}
} It reverts back to the old way it worked while I go through the process of reworking all things but still can move forward with 5.7 and it's goodness. |
@taylorotwell No chance of escaping just the parameters? Content coming out of the translation files themselves should be considered safe should they not? |
While it is obvious that there is an XSS vulnerability here I don't think this is a proper fix for the problem:
The way this was fixed means that in order to have HTML in translation strings we have to use The proper fix should escape each replacement value individually (in In any case this change should be documented on the Localization page, or better yet a paragraph added to the release notes of affected versions (like it has been done for the cookie encryption fix). |
@at-dro I was about to suggest the same (adding the fix to |
@at-dro Have you looked into an implementation? I'm not sure the |
d3c0a36 is a breaking change because you can no longer use HTML tags inside translations:
5.6.35:
5.6.36:
Now instead of:
I need to use something like:
This affected more than one application.