Reimplement XSS-vulnerable sequential replacement code #443

Merged
merged 1 commit into from Oct 19, 2015


KJTsanaktsidis
Contributor

The interpolation resolution code inside translate.js is looping over
each key in the interpolation dictionary and applying the replacements
one at a time. This means that if untrusted user input contains the name
of another key in the dictionary, for example '__lastName__', an
unexpected interpolation can happen:

````
i18n.t('__firstName__ __lastName__', {
    firstName: '__lastName__',
    lastName: 'foo',
});
// equals "foo foo"
````

This combines with the unescaping suffix feature to cause XSS injection,
even with escapeInterpolation set to true. For example,

````
i18n.t('__firstName__ __lastName__', {
    escapeInterpolation: true,
    firstName: '__lastNameHTML__',
    lastName: '<script>',
});
// equals "<script> &lt;script&gt;"
````

This PR fixes that by performing the replacements *all at the same
time*. This means that untrusted input cannot cause these unexpected
extra interpolations.
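
Added example, not part of the pull request and not i18next's own code: a simplified JavaScript model of the sequential replacement described above next to a single-pass version. The function names, the `escapeHtml` helper and the reading of `__keyHTML__` as "insert the raw value" are assumptions made for illustration.

```javascript
// Simplified model of the interpolation described above (assumed, not i18next's code).
// Assumed syntax: __key__ inserts the value (escaped when `escape` is true),
// __keyHTML__ inserts the raw value (the "unescaping suffix").
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// "Before": one replacement pass per key. Text inserted by an earlier pass is
// rescanned by later passes, so a value can introduce another placeholder.
function interpolateSequential(template, vars, escape) {
  let out = template;
  for (const key of Object.keys(vars)) {
    const raw = String(vars[key]);
    out = out.split(`__${key}HTML__`).join(raw);
    out = out.split(`__${key}__`).join(escape ? escapeHtml(raw) : raw);
  }
  return out;
}

// "After": a single pass over the template. Placeholders are found in the
// template text only; substituted values are never scanned again.
function interpolateSinglePass(template, vars, escape) {
  const has = (k) => Object.prototype.hasOwnProperty.call(vars, k);
  return template.replace(/__(.+?)__/g, (match, name) => {
    if (has(name)) return escape ? escapeHtml(vars[name]) : String(vars[name]);
    const base = name.endsWith('HTML') ? name.slice(0, -4) : null;
    if (base !== null && has(base)) return String(vars[base]); // raw by design
    return match; // unknown placeholder: leave it untouched
  });
}

// Inputs taken from the two cases in the description above.
const template = '__firstName__ __lastName__';
const chained = { firstName: '__lastName__', lastName: 'foo' };
const unescaped = { firstName: '__lastNameHTML__', lastName: '<script>' };

console.log(interpolateSequential(template, chained, false));
console.log(interpolateSequential(template, unescaped, true));
console.log(interpolateSinglePass(template, chained, false));
console.log(interpolateSinglePass(template, unescaped, true));
```

In the single-pass version the user-supplied `__lastNameHTML__` stays inert text in the output, while a `__keyHTML__` placeholder written in the template itself still resolves to the raw value.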
@jamuhl
Member

jamuhl commented Oct 18, 2015

will be merged asap...hopefully on monday. will release updated versions. thanks again for finding and solving that one.

@jamuhl jamuhl merged commit 34e8e13 into i18next:master Oct 19, 2015
@jamuhl
Member

jamuhl commented Oct 19, 2015

update is out v1.10.3

@jamuhl
Member

jamuhl commented Oct 19, 2015

thanks again for finding and fast fix
