Fix Interpolator.escapeValue defaulting to undefined in some cases #826

Merged

alexmchardy

I found that if I pass any interpolation options without including escapeValue, this.escapeValue will get set to undefined in Interpolator. The documentation indicates escapeValue defaults to true, so this could cause variables to not be escaped as expected in some cases.

This config, for example, will result in i18next not escaping variables as expected:

```js
i18next.init({
  interpolation: {
    prefix: "__",
    suffix: "__"
  },
  // ...
});
```

It's worth noting that it could potentially be an XSS security issue for users of i18next if they believe variables are getting escaped when they actually aren't.
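The defaulting problem described in the comment above, as an added example that is not part of the original pull request and is not i18next's source code. It is a simplified model of option resolution; the function names `resolveEscapeBuggy`, `resolveEscapeFixed` and `interpolate` and the sample data are constructed for illustration.

```javascript
// Simplified model of the option handling described above; NOT i18next's code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Defect (hypothetical model): the default is applied only when no
// interpolation object is passed at all, so a partial object loses it.
function resolveEscapeBuggy(options = {}) {
  const iOpts = options.interpolation || { escapeValue: true };
  return iOpts.escapeValue; // undefined when only prefix/suffix were given
}

// Corrected (hypothetical model): default the option on its own, so only an
// explicit escapeValue setting can turn escaping off.
function resolveEscapeFixed(options = {}) {
  const iOpts = options.interpolation || {};
  return iOpts.escapeValue !== undefined ? iOpts.escapeValue : true;
}

// Minimal interpolator: replaces prefix+key+suffix with the (escaped) value.
function interpolate(template, data, options, resolveEscape) {
  const { prefix = '{{', suffix = '}}' } = options.interpolation || {};
  const shouldEscape = resolveEscape(options);
  const pattern = new RegExp(`${escapeRegExp(prefix)}(.+?)${escapeRegExp(suffix)}`, 'g');
  return template.replace(pattern, (match, key) => {
    const value = data[key.trim()];
    if (value === undefined) return match; // leave unknown keys untouched
    return shouldEscape ? escapeHtml(value) : String(value);
  });
}

// Constructed sample input: the config from the comment plus markup in a variable.
const sampleOptions = { interpolation: { prefix: '__', suffix: '__' } };
const sampleData = { name: '<i>Eve</i>' };
const sampleTemplate = 'Hello __name__';

const buggyOutput = interpolate(sampleTemplate, sampleData, sampleOptions, resolveEscapeBuggy);
const fixedOutput = interpolate(sampleTemplate, sampleData, sampleOptions, resolveEscapeFixed);
console.log('buggy:', buggyOutput); // markup passes through unescaped
console.log('fixed:', fixedOutput); // markup is HTML-escaped
```

A regression test of this shape, run against the real library with only `prefix` and `suffix` set, is a quick way to confirm that an installed version escapes by default.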

@alexmchardy
Author

BTW, for bonus points, I added a bunch of tests around the Interpolator options.

@coveralls

Coverage Status

Coverage remained the same at 64.852% when pulling d367309 on alexmchardy:fix-interpolation-escapevalue-default into dbf3693 on i18next:master.

@jamuhl jamuhl merged commit 11f0595 into i18next:master Oct 17, 2016
@jamuhl
Member

jamuhl commented Oct 17, 2016

thanks a lot: merged and published in i18next@3.4.4
