mirror of
https://github.com/overleaf/overleaf.git
synced 2024-11-07 20:31:06 -05:00
Merge pull request #3158 from overleaf/as-fix-react-replacement-tag-sanitisation
Fix stripping of "replacement" tags in translation strings for react-i18next GitOrigin-RevId: a83ed2810689b00c85c34a47afc92462907fd5de
This commit is contained in:
parent
a3243a881c
commit
bfb4da572b
1 changed files with 23 additions and 1 deletions
|
@ -44,9 +44,21 @@ async function run() {
|
|||
}
|
||||
run()
|
||||
|
||||
/**
|
||||
* Sanitize a translation string to prevent injection attacks
|
||||
*
|
||||
* @param {string} input
|
||||
* @returns {string}
|
||||
*/
|
||||
function sanitize(input) {
|
||||
return sanitizeHtml(input, {
|
||||
allowedTags: ['b', 'strong', 'a', 'code'],
|
||||
// Allow "replacement" tags (in the format <0>, <1>, <2>, etc) used by
|
||||
// react-i18next to allow for HTML insertion via the Trans component.
|
||||
// See: https://github.com/overleaf/developer-manual/blob/master/code/translations.md
|
||||
// Unfortunately the sanitizeHtml library does not accept regexes or a
|
||||
// function for the allowedTags option, so we are limited to a hard-coded
|
||||
// number of "replacement" tags.
|
||||
allowedTags: ['b', 'strong', 'a', 'code', ...range(10)],
|
||||
allowedAttributes: {
|
||||
a: ['href', 'class']
|
||||
},
|
||||
|
@ -57,3 +69,13 @@ function sanitize(input) {
|
|||
}
|
||||
})
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a range of numbers as strings up to the given size
|
||||
*
|
||||
* @param {number} size Size of range
|
||||
* @returns {string[]}
|
||||
*/
|
||||
function range(size) {
|
||||
return Array.from(Array(size).keys()).map(n => n.toString())
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue