Merge remote-tracking branch 'origin/develop' into develop
commit
b5194cfc80
1 changed files with 1 additions and 7 deletions
|
@ -83,14 +83,8 @@ export function _tJsx(jsxText, patterns, subs) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// tJsxText may be unsafe if malicious translators try to inject HTML.
|
// The translation returns text so there's no XSS vector here (no unsafe HTML, no code execution)
|
||||||
// Run this through sanitize-html and bail if the output isn't identical
|
|
||||||
const tJsxText = _t(jsxText);
|
const tJsxText = _t(jsxText);
|
||||||
const sanitized = sanitizeHtml(tJsxText, { allowedTags: sanitizeHtml.defaults.allowedTags.concat([ 'span' ]) });
|
|
||||||
if (tJsxText !== sanitized) {
|
|
||||||
throw new Error(`_tJsx: translator error. untrusted HTML supplied. '${tJsxText}' != '${sanitized}'`);
|
|
||||||
}
|
|
||||||
|
|
||||||
let output = [tJsxText];
|
let output = [tJsxText];
|
||||||
for (let i = 0; i < patterns.length; i++) {
|
for (let i = 0; i < patterns.length; i++) {
|
||||||
// convert the last element in 'output' into 3 elements (pre-text, sub function, post-text).
|
// convert the last element in 'output' into 3 elements (pre-text, sub function, post-text).
|
||||||
|
|
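Review bot: The replacement comment at the top of the hunk asserts that the translated string carries no XSS risk, but with the sanitize-html comparison removed nothing in the visible lines enforces it. The claim holds only if every element of `output`, and whatever the `subs` functions build from matched text, is rendered as an escaped text child (presumably by React, given the JSX naming) and never reaches `dangerouslySetInnerHTML` or an HTML-string API. The rest of `_tJsx` lies outside the hunk, so this cannot be confirmed from here. I would state the invariant where it can be checked, e.g. `// Safe only while output is rendered as escaped children; never pass it to dangerouslySetInnerHTML.`, and add a test that a translation containing markup comes back as literal text. Because the removal arrives in a merge commit, it is also worth confirming it was a deliberate upstream change and not a side effect of conflict resolution.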