Explicitely escape user data in translations to avoid XSS

This commit is contained in:
Bat 2018-06-26 17:58:11 +02:00
parent a7b246b726
commit a8b47de28b
5 changed files with 8 additions and 8 deletions


@ -60,13 +60,13 @@ msgstr ""
msgid "Let's go!"
msgstr ""
msgid "Welcome on {{ instance_name }}"
msgid "Welcome on {{ instance_name | escape }}"
msgstr ""
msgid "Notifications"
msgstr ""
msgid "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name }}{{ link_3 }}"
msgid "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name | escape }}{{ link_3 }}"
msgstr ""
msgid "This article is under the {{ license }} license."
@ -180,7 +180,7 @@ msgstr ""
msgid "Update account"
msgstr ""
msgid "{{ name }}'s followers"
msgid "{{ name | escape }}'s followers"
msgstr ""
msgid "Followers"
@ -249,7 +249,7 @@ msgstr ""
msgid "You need to be logged in order to edit your profile"
msgstr ""
msgid "By {{ link_1 }}{{ link_2 }}{{ link_3 }}{{ name }}{{ link_4 }}"
msgid "By {{ link_1 }}{{ link_2 }}{{ link_3 }}{{ name | escape }}{{ link_4 }}"
msgstr ""
msgid "{{ data }} reshared your article"


@ -6,7 +6,7 @@
{% endblock title %}
{% block content %}
<h1>{{ "Welcome on {{ instance_name }}" | _(instance_name=instance.name) }}</h1>
<h1>{{ "Welcome on {{ instance_name | escape }}" | _(instance_name=instance.name) }}</h1>
<h2>{{ "Latest articles" | _ }}</h2>
<div class="cards">
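Review bot: The escaping on line 44 lives inside the translatable message text, so it only survives for a locale whose msgstr also spells the placeholder as `{{ instance_name | escape }}`; a translation that writes `{{ instance_name }}` silently drops it for that language, and nothing at the call site enforces it. The same applies to the `name | escape` placeholders in the three template hunks that follow and to their msgid counterparts in the message catalogue. If the `_` filter accepts a filtered expression as an argument, escaping once at the call site, `| _(instance_name=instance.name | escape)`, keeps the protection independent of translators; otherwise consider escaping the value before it reaches the template. Presumably `_` renders the message as a nested template and marks its output safe (which is what lets `link_1` carry raw HTML in the later hunks) — that is what makes the explicit escape necessary, and a one-line comment at the call site saying so would help the next maintainer.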


@ -10,7 +10,7 @@
<p>{{ article.post.content | safe | striptags | truncate(length=200) }}</p>
</main>
<p class="author">
{{ "By {{ link_1 }}{{ link_2 }}{{ link_3 }}{{ name }}{{ link_4 }}" | _(
{{ "By {{ link_1 }}{{ link_2 }}{{ link_3 }}{{ name | escape }}{{ link_4 }}" | _(
link_1='<a href="/@/',
link_2=article.author.fqn,
link_3='/">',
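Review bot: Only `name` gets the new `| escape` on line 55; `link_2`, which line 57 binds to `article.author.fqn`, is still interpolated raw between the `href="/@/` opening in `link_1` and the `/">` in `link_3`, so a fqn containing a quote or angle bracket would presumably land inside the attribute unescaped. The same shape appears in the next file, where `url=author.fqn` fills the `{{ url }}` slot of the message on line 66. If author fqns can originate from remote instances, that placeholder deserves the same treatment, e.g. `{{ link_1 }}{{ link_2 | escape }}{{ link_3 }}` together with the matching msgid in the catalogue; if the value is validated on ingestion, a short comment at this call site saying so would document why it is left raw. The `_(` call continues past the end of the hunk.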


@ -18,7 +18,7 @@
{% set name = author.username %}
{% endif %}
<span class="author">{{ "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name }}{{ link_3 }}" | _(
<span class="author">{{ "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name | escape }}{{ link_3 }}" | _(
link_1='<a href="/@/',
url=author.fqn,
link_2='/">',


@ -7,7 +7,7 @@
{% set name = user.username %}
{% endif %}
{{ "{{ name }}'s followers" | _(name=name) }}
{{ "{{ name | escape }}'s followers" | _(name=name) }}
{% endblock title %}
{% block content %}