Changes interpolation strategy to sanitize

Adds ngSanitize so we can use HTML in translation strings, changes angular-translate's sanitization strategy to `sanitize` instead of `escape`. My motivation here is to make the translation strings be non-ridiculous. Without being able to inject un-escaped HTML into the translation, we end up chopping up the translation keys to the point where they're not comprehensible within lokalise, and doing weird gymnastics in the angular template like `<span translate>key</span>: <strong translate>value</strong>` because both are contained within the same parent. The cost here is that there's an [open bug on angular-translate][1] for the `sanitize` strategy where unicode gets double-encoded. I tried `sce` as a strategy, but it seemed open to XSS (ie. include `<script>alert('xss')</script>` in a translation and you'll see the alert. The `sanitize` strategy successfully killed this vector). The cost here is that as much as possible we need to use the `<tag translate>` form instead of the `{$ 'string' | translate $}` form. For the most part, we're not translating arbitrary user input, but no sense in leaving that door open for us to forget about down the road. [1]: angular-translate/angular-translate#1101
opengb · Nov 3, 2017 · dc3c38c · dc3c38c
1 parent c4604d7
commit dc3c38c
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/bower.json b/bower.json
@@ -36,7 +36,8 @@
     "angular-dragula": "^1.2.8",
     "ng-focus-if": "^1.0.7",
     "angular-translate": "^2.15.2",
-    "angular-translate-loader-static-files": "^2.15.2"
+    "angular-translate-loader-static-files": "^2.15.2",
+    "angular-sanitize": "^1.6.6"
   },
   "resolutions": {
     "angular": "~1.6.1",

diff --git a/seed/static/seed/js/seed.js b/seed/static/seed/js/seed.js
@@ -29,7 +29,8 @@ angular.module('BE.seed.vendor_dependencies', [
   'focus-if',
   'xeditable',
   angularDragula(angular),
-  'pascalprecht.translate'
+  'pascalprecht.translate',
+  'ngSanitize'
 ]);
 angular.module('BE.seed.controllers', [
   'BE.seed.controller.about',
@@ -1109,7 +1110,7 @@ SEED_app.config(['$translateProvider', function ($translateProvider) {
       'fr_*': 'fr_CA'
     })
     // see https://angular-translate.github.io/docs/#/guide/19_security
-    .useSanitizeValueStrategy('escape');
+    .useSanitizeValueStrategy('sanitize');
 
   $translateProvider.determinePreferredLanguage();
   moment.locale($translateProvider.preferredLanguage());

diff --git a/seed/templates/seed/base.html b/seed/templates/seed/base.html
@@ -121,6 +121,7 @@
         <script src="/static/vendors/bower_components/spin.js/spin.min.js"></script>
         <script src="/static/vendors/bower_components/angular-translate/angular-translate.min.js"></script>
         <script src="/static/vendors/bower_components/angular-translate-loader-static-files/angular-translate-loader-static-files.min.js"></script>
+        <script src="/static/vendors/bower_components/angular-sanitize/angular-sanitize.min.js"></script>
 
 
             {% ifequal FILE_UPLOAD_DESTINATION 'S3' %}