Skip to content
This repository has been archived by the owner on Jan 29, 2024. It is now read-only.

Issue with "escapeParameters" sanitization strategy and jQuery. #1529

Closed
yjaaidi opened this issue Jul 4, 2016 · 2 comments
Closed

Issue with "escapeParameters" sanitization strategy and jQuery. #1529

yjaaidi opened this issue Jul 4, 2016 · 2 comments
Milestone
2.11.1

Comments

@yjaaidi
Copy link
Contributor

yjaaidi commented Jul 4, 2016

Hi,

I'm having an issue when using "escapeParameters" sanitizing strategy and "jQuery".
Actually, after some debug, I found that when passing a object as an interpolation parameter it gets processed by mapInterpolationParameters and calls htmlEscapeValue on every property including functions.
The problem is that the current escaping function calls angular.element('<div>').text(value) but when using jQuery if value is a function, it will be called by element.text.

An additional condition should be added to check that if a value is a function then it should not be escaped.

By the way, it could be better to contribute to "MessageFormat" and allow it to only escape the properties when used in the message format otherwise with the current approach, each translation escapes all the properties even if they are never used.

Here's the associated plunker.
https://plnkr.co/edit/NvpKzg?p=preview

Thank you in advance!
@yjaaidi yjaaidi mentioned this issue Jul 4, 2016
Closed
4 tasks
@knalli
Copy link
Member

knalli commented Jul 4, 2016

Thank for the pull request.

What do you mean with

By the way, it could be better to contribute to "MessageFormat" and allow it to only escape the properties when used in the message format otherwise with the current approach, each translation escapes all the properties even if they are never used.

?

@yjaaidi
Copy link
Contributor Author

yjaaidi commented Jul 4, 2016

Hi Jan,

Sorry, my description was not very clear.

Actually, there's an issue with mapInterpolationParameters ; any parameters that you pass will be recursively processed by this function that "escapes/sanitizes" all the properties, sub properties etc... but at the end we will only use few properties in the interpolation applied by "MessageFormat" library.
In addition to this, without one-time binding, every translated item will reprocess all properties recursively at every digest cycle.
This can have an impact on performance.
It would be better if "MessageFormat" could call our "escape/sanitize" function on every item we interpolate.

For example, suppose, we have the following params:

{
  user: {
    firstName: 'Foo',
    friends: [
      {
        firstName: 'John'
      }
      ...
    ]
  }
}

and suppose our message format looks like this:

'Hello {user.firstName}.'

It is currently a waste of time to escape all the firstName properties of every friend.

Of course, a workaround would be to only pass the properties we are using in the message format and in most cases we are in this situation but it comes handy to pass a user object to interpolate it's firstName property and the side-effect is that all the properties and sub proberties will be "escaped/sanitized" even though we are not using them in the message format.

Actually, instead of looping recursively through properties, maybe we could use MessageFormat's formatters and apply a custom formatter to "escape/sanitize" strings...
https://messageformat.github.io/messageformat.js/doc/MessageFormat.formatters.html
But I don't think that it is actually possible to add a default formatter for all strings.

Thanks for your help!

knalli pushed a commit that referenced this issue Jul 17, 2016
@yjaaidi @knalli
fix(service): avoid sanitizing of functions
492d8e5 
Fixes #1529
@knalli knalli added this to the 2.11.1 milestone Jul 17, 2016
@knalli knalli closed this as completed Jul 17, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.11.1
Development

No branches or pull requests
2 participants
@knalli @yjaaidi