Merge pull request #3158 from overleaf/as-fix-react-replacement-tag-sanitisation

Fix stripping of "replacement" tags in translation strings for react-i18next GitOrigin-RevId: a83ed2810689b00c85c34a47afc92462907fd5de
2024-11-07 20:31:06 -05:00 · 2020-09-03 08:45:29 -05:00 · 2020-09-03 08:45:29 -05:00 · bfb4da572b
commit bfb4da572b
parent a3243a881c
1 changed files with 23 additions and 1 deletions
--- a/services/web/scripts/translations/download.js
+++ b/services/web/scripts/translations/download.js
@ -44,9 +44,21 @@ async function run() {
 }
 run()

+/**
+ * Sanitize a translation string to prevent injection attacks
+ *
+ * @param {string} input
+ * @returns {string}
+ */
 function sanitize(input) {
  return sanitizeHtml(input, {
-    allowedTags: ['b', 'strong', 'a', 'code'],
+    // Allow "replacement" tags (in the format <0>, <1>, <2>, etc) used by
+    // react-i18next to allow for HTML insertion via the Trans component.
+    // See: https://github.com/overleaf/developer-manual/blob/master/code/translations.md
+    // Unfortunately the sanitizeHtml library does not accept regexes or a
+    // function for the allowedTags option, so we are limited to a hard-coded
+    // number of "replacement" tags.
+    allowedTags: ['b', 'strong', 'a', 'code', ...range(10)],
    allowedAttributes: {
      a: ['href', 'class']
    },
@ -57,3 +69,13 @@ function sanitize(input) {
    }
  })
 }
+
+/**
+ * Generate a range of numbers as strings up to the given size
+ *
+ * @param {number} size Size of range
+ * @returns {string[]}
+ */
+function range(size) {
+  return Array.from(Array(size).keys()).map(n => n.toString())
+}