Remove insecure HTML tags in translations

2018-09-14 11:50:46 +02:00 · 2018-09-14 11:50:46 +02:00 · 0ef86bba2d
parent 3898d69c46
commit 0ef86bba2d
5 changed files with 23 additions and 7 deletions
--- a/app/coffee/modules/common/confirm.coffee
+++ b/app/coffee/modules/common/confirm.coffee
@ -42,9 +42,9 @@ NOTIFICATION_MSG = {


 class ConfirmService extends taiga.Service
-    @.$inject = ["$q", "lightboxService", "$tgLoading", "$translate"]
+    @.$inject = ["$q", "lightboxService", "$tgLoading", "$translate", "$filter"]

-    constructor: (@q, @lightboxService, @loading, @translate) ->
+    constructor: (@q, @lightboxService, @loading, @translate, @filter) ->
        bindMethods(@)

    hide: (el)->
@ -61,7 +61,9 @@ class ConfirmService extends taiga.Service
        # Render content
        el.find(".title").text(title) if title
        el.find(".subtitle").text(subtitle) if subtitle
-        el.find(".message").text(message) if message
+        if message
+            message = @filter('textToHTML')(message)
+            el.find(".message").html(message)

        # Assign event handlers
        el.on "click.confirm-dialog", ".button-green", debounce 2000, (event) =>
--- a/app/coffee/modules/common/filters.coffee
+++ b/app/coffee/modules/common/filters.coffee
@ -152,3 +152,12 @@ emojify = ($emojis) ->
        return ""

 module.filter("emojify", ["$tgEmojis", emojify])
+
+textToHTML = ($filter) ->
+    return (input) ->
+        if input
+            return input.replace(/\<(?!(\/?)(strong|br)(\/?)).*?\>/g, "")
+
+        return ""
+
+module.filter("textToHTML", ["$filter", textToHTML])
--- a/app/coffee/modules/issues/detail.coffee
+++ b/app/coffee/modules/issues/detail.coffee
@ -738,8 +738,10 @@ lightboxService, $modelTransform, $confirm) ->
                currentSprint = _.find(data.milestones, { "id": issue.milestone })

                title = $translate.instant("ISSUES.CONFIRM_DETACH_FROM_SPRINT.TITLE")
-                message = $translate.instant("ISSUES.CONFIRM_DETACH_FROM_SPRINT.MESSAGE")
-                message += " <strong>#{currentSprint.name}</strong>"
+                message = $translate.instant(
+                    "ISSUES.CONFIRM_DETACH_FROM_SPRINT.MESSAGE",
+                    {sprintName: currentSprint.name}
+                )

                $confirm.ask(title, null, message).then (askResponse) ->
                    onSuccess = ->
--- a/app/coffee/modules/taskboard/main.coffee
+++ b/app/coffee/modules/taskboard/main.coffee
@ -566,7 +566,10 @@ class TaskboardController extends mixOf(taiga.Controller, taiga.PageMixin, taiga
            issue = issue.set('loading-delete', false)
            title = @translate.instant("ISSUES.CONFIRM_DETACH_FROM_SPRINT.TITLE")
            message = @translate.instant("ISSUES.CONFIRM_DETACH_FROM_SPRINT.MESSAGE")
-            message += " <strong>#{@scope.sprint.name}</strong>"
+            message = @translate.instant(
+                "ISSUES.CONFIRM_DETACH_FROM_SPRINT.MESSAGE",
+                {sprintName: @scope.sprint.name}
+            )

            @confirm.ask(title, null, message).then (askResponse) =>
                removingIssue.milestone = null
--- a/app/locales/taiga/locale-en.json
+++ b/app/locales/taiga/locale-en.json
@ -1458,7 +1458,7 @@
        "FILTER_ISSUES": "Filter Issues",
        "CONFIRM_DETACH_FROM_SPRINT": {
            "TITLE": "Detach issue from Sprint",
-            "MESSAGE": "You are about to detach the issue from the sprint"
+            "MESSAGE": "You are about to detach the issue from the sprint <strong>{{ sprintName }}<strong>"
        },
        "CONFIRM_CHANGE_FROM_SPRINT": {
            "TITLE": "Attach issue to Sprint",