XSS issue with message translation

[roblillack]

Mars contains a cross-site scripting vulnerability, that allows attackers to inject JavaScript code into the HTML output of your templates, if all of these conditions are met:

1. You are using the string interpolation features as part of your translations strings and
2. User input was is added to these translations strings without escaping and
3. You are using the msg template function to translate messages.

Example translation strings, messages.en:

unable-to-send-msg-error=Unable send message "%s"!

Translation approach that is not vulnerable:

• Controller:

  c.RenderArgs["errMsg"] = c.Message("unable-to-send-msg-error", c.Params.Get("message"))
  

• View:

  <p class="error">{{.errMsg}}</p>
  

Translation approach that is vulnerable:

• Controller:

  c.RenderArgs["usersMessage"] = c.Params.Get("message")
  

• View:

  <p class="error">{{msg $ `unable-to-send-msg-error` .usersMessage}}</p>
  

The fix for this issue will disable HTML message translation strings, a better approach to allow those kind of strings will be implemented using a separate ticket.

Thanks to @ptman for reporting this.