From 0923dd37ab3f3456ad018dce7399c557dd37ca52 Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Sat, 31 Jul 2021 11:43:05 -0600
Subject: [PATCH] Sanitize untrusted variables from message previews before translation

Fixes https://github.com/vector-im/element-web/issues/18314
---
 src/languageHandler.tsx | 11 +++++++++++
 src/stores/room-list/previews/MessageEventPreview.ts | 4 +++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/languageHandler.tsx b/src/languageHandler.tsx
index e7329e4f2e..3c57c252ee 100644
--- a/src/languageHandler.tsx
+++ b/src/languageHandler.tsx
@@ -160,6 +160,17 @@ export function _t(text: string, variables?: IVariables, tags?: Tags): Translate
     }
 }
 
+/**
+ * Sanitizes unsafe text for the sanitizer, ensuring references to variables will not be considered
+ * replaceable by the translation functions.
+ * @param {string} text The text to sanitize.
+ * @returns {string} The sanitized text.
+ */
+export function sanitizeForTranslation(text: string): string {
+    // Add a non-breaking space so the regex doesn't trigger when translating.
+    return text.replace(/\$\(([^)]*)\)/g, '$\xa0($1)');
+}
+
 /*
  * Similar to _t(), except only does substitutions, and no translation
  * @param {string} text The text, e.g "click here now to %(foo)s".
diff --git a/src/stores/room-list/previews/MessageEventPreview.ts b/src/stores/room-list/previews/MessageEventPreview.ts
index 04fb92f0c1..961f27fda1 100644
--- a/src/stores/room-list/previews/MessageEventPreview.ts
+++ b/src/stores/room-list/previews/MessageEventPreview.ts
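Review bot: The new `sanitizeForTranslation` neutralises only the `$(...)` form, while the doc comment that closes this hunk describes the substitution placeholder as `%(foo)s`; unless `$(` is the pattern consumed by code outside this hunk, a `%(name)s` sequence in untrusted text would still reach the substitution step, so please confirm which syntax the translator actually matches and pin both cases in a unit test. The JSDoc line `Sanitizes unsafe text for the sanitizer` reads as a slip for `for the translation functions`, and the name over-promises, since this is an escape for one interpolation pattern rather than an HTML or general-purpose sanitizer; I would add `Not an HTML sanitizer: callers still need getHtmlText()/escaping before rendering.` to the comment. The `{string}` type tags are redundant in a `.tsx` file and can be dropped.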
@@ -17,7 +17,7 @@ limitations under the License.
 import { IPreview } from "./IPreview";
 import { TagID } from "../models";
 import { MatrixEvent } from "matrix-js-sdk/src/models/event";
-import { _t } from "../../../languageHandler";
+import { _t, sanitizeForTranslation } from "../../../languageHandler";
 import { getSenderName, isSelf, shouldPrefixMessagesIn } from "./utils";
 import ReplyThread from "../../../components/views/elements/ReplyThread";
 import { getHtmlText } from "../../../HtmlUtils";
@@ -58,6 +58,8 @@ export class MessageEventPreview implements IPreview {
             body = getHtmlText(body);
         }
 
+        body = sanitizeForTranslation(body);
+
         if (msgtype === 'm.emote') {
             return _t("* %(senderName)s %(emote)s", { senderName: getSenderName(event), emote: body });
         }
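Review bot: `senderName: getSenderName(event)` on the `m.emote` return line is still passed to `_t` unescaped while `body` now is; a display name is user-controlled as well, so it needs the same treatment, `senderName: sanitizeForTranslation(getSenderName(event))`, or better the escape should be applied to every string variable inside `_t`/`substitute` so individual call sites cannot forget it. The same likely applies to other `_t` calls in this method that interpolate `senderName`; the enclosing method starts before and ends after this hunk, so I cannot see them here. The new line also assumes `body` is a string at this point — if an earlier branch can leave it `undefined`, `.replace` inside `sanitizeForTranslation` will throw, so confirm the guard that precedes the hunk.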