⭐ new: HTML locale message warning option #567
Conversation
|
|
||
| * **Read/Write** | ||
|
|
||
| Whether to allow the use locale messages of HTML formatting. |
There was a problem hiding this comment.
🤔 Hmm, I am afirad that I can not understand the feature from this description.
Is this feature intended to detect invalid HTML tags in locale message and raise warn/error?
If so, I suggest to name it like htmlMessageValidationLevel.
There was a problem hiding this comment.
Thank you for your reviewing!
This feature is to detect HTML tags from locale messages to provides increased security.
Another alternative, it name like allowHtmlMessageing
There was a problem hiding this comment.
OK, the feature itself sound very nice.
It looks like off on allow~ means allowing HTML without warning.
It is a bit weired for me, since off is supposed to disable feature and I thought it means "Do Not Allow".
I suggest
allowinstead of `off,- or, name the configuration
warnHtmlInMessage
There was a problem hiding this comment.
Thanks!
allow instead of `off,
or, name the configuration warnHtmlInMessage
It sounds good. 👍
| @@ -105,6 +114,9 @@ export default class VueI18n { | |||
| }) | |||
| } | |||
|
|
|||
| _checkLocaleMessage (locale: Locale, level: AllowHtmlFormattingLevel, message: LocaleMessageObject): void { | |||
| } | |||
There was a problem hiding this comment.
I think it would be helpful if error message suggest users to read Formatting and use component interpolation
Codecov Report
@@ Coverage Diff @@
## dev #567 +/- ##
==========================================
+ Coverage 96.25% 96.38% +0.13%
==========================================
Files 10 10
Lines 720 775 +55
==========================================
+ Hits 693 747 +54
- Misses 27 28 +1
Continue to review full report at Codecov.
|
decls/i18n.js
Outdated
| @@ -59,6 +59,8 @@ declare type FormattedNumberPart = { | |||
| // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/NumberFormat/formatToParts#Return_value | |||
| declare type NumberFormatToPartsResult = Array<FormattedNumberPart>; | |||
|
|
|||
| declare type WarnHtmlInMessageLevel = 'allow' | 'warn' | 'error'; | |||
There was a problem hiding this comment.
From this comment, I suggest to change enums like this
WarnHtmlInMessageLevel = 'off' | 'warn' | 'error';
Because allow for Warn~ to disable warnings is very confusing.
off for Warn~ is reasonable enum to disable warning.
There was a problem hiding this comment.
sorry for my miss-understanding...
src/index.js
Outdated
| } else if (typeof message === 'string') { | ||
| const ret = htmlTagMatcher.test(message) | ||
| if (ret) { | ||
| const msg = `Detect unsafe locale message '${message}' of keypath '${stack.join('')}' at '${locale}', suggest use component interpolation with '<i18n>'` |
There was a problem hiding this comment.
I suggest to add followings to give more advidses to users.
- What is a unsafe part of message:
HTML - Why it is unsafe: it may cause vulnerability known as
XSS(technical term) - How to resolve: URL to How to user component interpolation
| const msg = `Detect unsafe locale message '${message}' of keypath '${stack.join('')}' at '${locale}', suggest use component interpolation with '<i18n>'` | |
| const msg = `Detected HTML in message '${message}' of keypath '${stack.join('')}' at '${locale}'. Consider component interpolation with '<i18n>' to avoid XSS. See https://kazupon.github.io/vue-i18n/guide/interpolation.html` |
URL could be shortend by https://bitly.com/
kazupon
changed the title
No description provided.