From 1ab52652f7440f868d2d650dfc0d1327574bf6ce Mon Sep 17 00:00:00 2001
From: Kegan Dougal
Date: Wed, 31 May 2017 09:29:43 +0100
Subject: [PATCH] Strip out sanitizeHtml stuff as it's not required As per https://github.com/matrix-org/matrix-react-sdk/pull/968#issuecomment-304946341
---
 src/languageHandler.js | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/src/languageHandler.js b/src/languageHandler.js
index 961838b770..e447a5678b 100644
--- a/src/languageHandler.js
+++ b/src/languageHandler.js
@@ -83,14 +83,8 @@ export function _tJsx(jsxText, patterns, subs) {
 }
 }
- // tJsxText may be unsafe if malicious translators try to inject HTML.
- // Run this through sanitize-html and bail if the output isn't identical
+ // The translation returns text so there's no XSS vector here (no unsafe HTML, no code execution)
 const tJsxText = _t(jsxText);
- const sanitized = sanitizeHtml(tJsxText, { allowedTags: sanitizeHtml.defaults.allowedTags.concat([ 'span' ]) });
- if (tJsxText !== sanitized) {
- throw new Error(`_tJsx: translator error. untrusted HTML supplied. '${tJsxText}' != '${sanitized}'`);
- }
-
 let output = [tJsxText];
 for (let i = 0; i < patterns.length; i++) {
 // convert the last element in 'output' into 3 elements (pre-text, sub function, post-text).
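Review bot: The added comment above `const tJsxText = _t(jsxText);` claims there is no XSS vector, but that holds only while every piece of `output` is rendered as an escaped React child and never reaches `dangerouslySetInnerHTML` or a URL attribute; the comment should state that condition. Suggested wording: `// _t() returns a plain string; it is safe only because the pieces are rendered as React text children. Sub functions must not feed matched text into dangerouslySetInnerHTML or href/src.` The loop splits the translator-supplied string into pre-text, sub function and post-text, and the `subs` callbacks are written by callers outside this hunk, so presumably that is where the guarantee could be broken. This hunk is the only change to the file, so if `sanitizeHtml` was imported solely for the removed check, that import is now unused and should be dropped. The body of `_tJsx` starts before and continues past the hunk.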