Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix!: Only sanitize the result string when replacing variables #648

Merged
merged 1 commit into from
Sep 24, 2023

Conversation

susnux
Copy link
Contributor

@susnux susnux commented Jun 27, 2023

Not sure if this is a bug fix or a new feature but:

There is no need to sanitize the replacement values as it is sufficient to sanitize the result.

  1. This will improve the performance if multiple placeholders are used.
  2. This allows this: See {linkstart}documentation{linkend} with { linkstart: '<a ...>', linkend: '</a>' } while the string is still sanitized.

@codecov
Copy link

codecov bot commented Jun 27, 2023

Codecov Report

Patch coverage: 100.00% and project coverage change: +1.59 🎉

Comparison is base (7360cce) 84.57% compared to head (f112d14) 86.17%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #648      +/-   ##
==========================================
+ Coverage   84.57%   86.17%   +1.59%     
==========================================
  Files           6        6              
  Lines         188      188              
  Branches       67       67              
==========================================
+ Hits          159      162       +3     
+ Misses         28       23       -5     
- Partials        1        3       +2     
Impacted Files Coverage Δ
lib/translation.ts 73.73% <100.00%> (+3.03%) ⬆️

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@susnux susnux changed the title fix: Only sanitize the built string fix: Only sanitize the result string when replacing variables Jun 27, 2023
@ChristophWurst ChristophWurst requested review from nickvergessen and removed request for ChristophWurst June 27, 2023 16:48
@ChristophWurst
Copy link
Contributor

this is a review job for our sanitization connoisseur @nickvergessen

* but the variables are used defined so not allowed types could still be given,
* in this case ignore the replacement and use the placeholder
*/
return optEscape(match)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with the escape on all the returns, that should be fine (and could have some tests if it makes a difference).

return optSanitize(optEscape(r))
const replacement = vars[key]
if (typeof replacement === 'string' || typeof replacement === 'number') {
return optEscape(`${replacement}`)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can see how the removal of the sanitize fixes the test that you added. We've been working around this for a long time with the following trick:
https://github.com/nextcloud/server/blob/8633f13e0af8c803cd419af2a611c41708e9c7c1/apps/theming/src/UserThemes.vue#L134-L139

I can see how it can be useful. But there could be a problem if the parameters are user input etc, but in most such cases we would use escape anyway and that should prevent most issues.
However, I would see this as a breaking change (just to raise awareness with in the changelog).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but in most such cases we would use escape anyway and that should prevent most issues.

Yes and the result is still sanitized, just not every variable but only the result.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nickvergessen So even if escaping is deactivated user input would still be sanitized, which we already test here:
https://github.com/nextcloud/nextcloud-l10n/blob/f112d1401214675bf26f2a52efa8e91e78bf6d76/tests/translation.test.ts#L63

@nickvergessen nickvergessen changed the title fix: Only sanitize the result string when replacing variables fix!: Only sanitize the result string when replacing variables Jun 28, 2023
Copy link

@kesselb kesselb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you

Copy link

@Antreesy Antreesy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems fine by the code to use template literals = value here, instead of sanitizing the variable

@skjnldsv
Copy link
Contributor

skjnldsv commented Aug 1, 2023

Merge or not to merge @susnux ? :)

There is no need to sanitize the replacement values as it is sufficient to sanitize the result.
1. This will improve the performance if multiple placeholders are used.
2. This allows this: `See {linkstart}documentation{linkend}` with `{ linkstart: '<a ...>', linkend: '</a>' }` while the string is still sanitized.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@skjnldsv skjnldsv force-pushed the fix/only-sanitize-full-string branch from f112d14 to 586c3b2 Compare August 1, 2023 08:03
@susnux
Copy link
Contributor Author

susnux commented Aug 1, 2023

Merge or not to merge ? :)

@skjnldsv merge, but that would mean the next release is a major version bump.

@susnux susnux merged commit d97aee1 into master Sep 24, 2023
@susnux susnux deleted the fix/only-sanitize-full-string branch September 24, 2023 14:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3. to review enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants