fix(i18n): escape interpolated values inside of <Translate> #5804
+156
−18
Description

If using the <Translate> component (which utilizes the "simple parser"), and passing it values for interpolation that contained angle brackets (<) or full-on XML tags (<svg>), the parser would treat this as "nested tags" and error out. Since these interpolated values can contain user input (e.g. document titles), this can happen without us having control of it (The document "<3 is in the air" was published).

Wasn't quite sure about the right approach here, but the implementation I've gone for is one where the parser also tokenizes interpolations, and has the <Translate> function replace the values as it goes. One drawback with this approach is that you cannot use formatters from i18next when using the <Translate> function, but I felt this was an acceptable shortcoming for now that we can address later.

What to review

<> characters inside of values passed to it, both outside of HTML tags and within them

Testing

Added tests for interpolation to parser, and for rendering the interpolated values (with and without angle brackets) in Translate

Notes for release

<, >) in document titles could lead to an error being shown on publish and other operations
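The failure mode and the fix described above, as an added example that is not part of this PR or of its project: a toy "simple parser" whose template syntax, token shapes and function names are assumed for illustration. `renderInterpolateFirst` substitutes values into the template string before parsing, so a title containing `<` is read as markup; `renderTokenized` parses `{{placeholders}}` as tokens and fills them in while rendering, so the value stays plain text.

```javascript
// Added example (not the PR's own code): a minimal "simple parser" for templates like `The document <strong>{{title}}</strong> was published`.
const escapeHtml = (s) => String(s).replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));

// Tokenize into open/close tags, {{interpolation}} placeholders and text.
// Every "<" is taken to start a tag; one that is not a well-formed tag is an error.
function tokenize(template) {
  const tokens = [];
  for (let i = 0; i < template.length; ) {
    if (template[i] === '<') {
      const end = template.indexOf('>', i);
      const m = end < 0 ? null : /^<(\/?)([A-Za-z][\w-]*)>$/.exec(template.slice(i, end + 1));
      if (!m) throw new Error(`Unexpected "<" at offset ${i}`);
      tokens.push({ type: m[1] ? 'close' : 'open', name: m[2] });
      i = end + 1;
    } else if (template.startsWith('{{', i)) {
      const end = template.indexOf('}}', i);
      if (end < 0) throw new Error(`Unterminated {{ at offset ${i}`);
      tokens.push({ type: 'interpolation', key: template.slice(i + 2, end).trim() });
      i = end + 2;
    } else {
      let j = i + 1;
      while (j < template.length && template[j] !== '<' && !template.startsWith('{{', j)) j++;
      tokens.push({ type: 'text', text: template.slice(i, j) });
      i = j;
    }
  }
  return tokens;
}

// Render to an HTML string: tags must nest, and text as well as interpolated values are escaped, so a value can never become markup.
function render(tokens, values) {
  const stack = [];
  let out = '';
  for (const t of tokens) {
    if (t.type === 'open') { stack.push(t.name); out += `<${t.name}>`; }
    else if (t.type === 'close') {
      if (stack.pop() !== t.name) throw new Error(`Unbalanced </${t.name}>`);
      out += `</${t.name}>`;
    } else out += escapeHtml(t.type === 'interpolation' ? values[t.key] : t.text);
  }
  if (stack.length) throw new Error(`Unclosed <${stack[stack.length - 1]}>`);
  return out;
}

// Buggy order (the bug this PR fixes): substitute values into the template, then parse the result.
const renderInterpolateFirst = (tpl, values) =>
  render(tokenize(tpl.replace(/\{\{(\w+)\}\}/g, (_, k) => String(values[k]))), {});

// Fixed order: parse the template first; interpolation tokens are filled in while rendering.
const renderTokenized = (tpl, values) => render(tokenize(tpl), values);
```

With the template above, `renderInterpolateFirst` throws for the titles `<3 is in the air` (stray `<`) and `<svg>` (unbalanced nesting), while `renderTokenized` renders both as escaped text inside `<strong>`.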