Merge pull request #6525 from overleaf/jpa-harden-translations-sanitize

[web] scripts/translations: sanitize: double down on angular xss GitOrigin-RevId: d08deab392942e593e920e648118f0e196af1740
2024-11-07 20:31:06 -05:00 · 2022-02-02 11:24:45 +01:00 · 2022-02-02 11:24:45 +01:00 · 22ee7d6da2
commit 22ee7d6da2
parent 58cf92620a
1 changed files with 3 additions and 0 deletions
--- a/services/web/scripts/translations/sanitize.js
+++ b/services/web/scripts/translations/sanitize.js
@ -25,6 +25,9 @@ function sanitize(input) {
      a: ['href', 'class'],
    },
    textFilter(text) {
+      // Block Angular XSS
+      if (text === '{') return '&#123;'
+      if (text === '}') return '&#125;'
      return text
        .replace(/\{\{/, '&#123;&#123;')
        .replace(/\}\}/, '&#125;&#125;')