mirror of
https://github.com/element-hq/element-web
synced 2024-11-25 10:45:51 +03:00
Merge pull request from GHSA-f69q-vrfp-27g2
Sanitize untrusted variables from message previews before translation
This commit is contained in:
commit
cb00796a25
2 changed files with 14 additions and 1 deletions
|
@ -160,6 +160,17 @@ export function _t(text: string, variables?: IVariables, tags?: Tags): Translate
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Sanitizes unsafe text for the sanitizer, ensuring references to variables will not be considered
|
||||
* replaceable by the translation functions.
|
||||
* @param {string} text The text to sanitize.
|
||||
* @returns {string} The sanitized text.
|
||||
*/
|
||||
export function sanitizeForTranslation(text: string): string {
|
||||
// Add a non-breaking space so the regex doesn't trigger when translating.
|
||||
return text.replace(/%\(([^)]*)\)/g, '%\xa0($1)');
|
||||
}
|
||||
|
||||
/*
|
||||
* Similar to _t(), except only does substitutions, and no translation
|
||||
* @param {string} text The text, e.g "click <a>here</a> now to %(foo)s".
|
||||
|
|
|
@ -17,7 +17,7 @@ limitations under the License.
|
|||
import { IPreview } from "./IPreview";
|
||||
import { TagID } from "../models";
|
||||
import { MatrixEvent } from "matrix-js-sdk/src/models/event";
|
||||
import { _t } from "../../../languageHandler";
|
||||
import { _t, sanitizeForTranslation } from "../../../languageHandler";
|
||||
import { getSenderName, isSelf, shouldPrefixMessagesIn } from "./utils";
|
||||
import ReplyThread from "../../../components/views/elements/ReplyThread";
|
||||
import { getHtmlText } from "../../../HtmlUtils";
|
||||
|
@ -58,6 +58,8 @@ export class MessageEventPreview implements IPreview {
|
|||
body = getHtmlText(body);
|
||||
}
|
||||
|
||||
body = sanitizeForTranslation(body);
|
||||
|
||||
if (msgtype === 'm.emote') {
|
||||
return _t("* %(senderName)s %(emote)s", { senderName: getSenderName(event), emote: body });
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue