Fix Interpolator.escapeValue defaulting to undefined in some cases #826

Merged
merged 2 commits into from Oct 17, 2016

Projects

None yet

3 participants

@alexmchardy

I found that if I pass any interpolation options without including escapeValue, this.escapeValue will get set to undefined in Interpolator. The documentation indicates escapeValue defaults to true, so this could cause variables to not be escaped as expected in some cases.

This config, for example, will result in i18next not escaping variables as expected:

i18next.init({
  interpolation: {
    prefix: "__",
    suffix: "__"
  },
  ...
});

It's worth noting that it could potentially be a XSS security issue for users of i18next if they believe variables are getting escaped when they actually aren't.

Alex McHardy added some commits Oct 13, 2016
Alex McHardy Add tests around Interpolator options dd43a83
Alex McHardy Make interpolation.escapeValue always default to true
d367309
@alexmchardy

BTW, for bonus points, I added a bunch of tests around the Interpolator options.

@coveralls

Coverage Status

Coverage remained the same at 64.852% when pulling d367309 on alexmchardy:fix-interpolation-escapevalue-default into dbf3693 on i18next:master.

@jamuhl jamuhl merged commit 11f0595 into i18next:master Oct 17, 2016

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
coverage/coveralls Coverage remained the same at 64.852%
Details
@jamuhl
Member
jamuhl commented Oct 17, 2016

thanks a lot: merged and published in i18next@3.4.4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment