Merge pull request #3032 from owncloud/tech-debt/escaping-translations

Escaping translations
owncloud · Feb 13, 2020 · 6d85da1 · 6d85da1
2 parents 92e9031 + 3fc541c
commit 6d85da1
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 6 deletions.
diff --git a/apps/files/src/components/Collaborators/Collaborator.vue b/apps/files/src/components/Collaborators/Collaborator.vue
@@ -125,7 +125,7 @@ export default {
         return null
       }
       const translated = this.$gettext('Via %{folderName}')
-      return this.$gettextInterpolate(translated, { folderName: basename(this.collaborator.info.path) }, false)
+      return this.$gettextInterpolate(translated, { folderName: basename(this.collaborator.info.path) }, true)
     },
 
     $_viaRouterParams () {

diff --git a/apps/files/src/components/FileOpenActions.vue b/apps/files/src/components/FileOpenActions.vue
@@ -39,7 +39,7 @@ export default {
   computed: {
     $_label () {
       const translated = this.$gettext('Open %{fileName} in')
-      return this.$gettextInterpolate(translated, { fileName: this.filename })
+      return this.$gettextInterpolate(translated, { fileName: this.filename }, true)
     },
 
     $_closeActionsButtonLabel () {

diff --git a/apps/files/src/components/FileSharingSidebar.vue b/apps/files/src/components/FileSharingSidebar.vue
@@ -258,7 +258,7 @@ export default {
     },
     noResharePermsMessage () {
       const translated = this.$gettext('You don\'t have permission to share this %{type}.')
-      return this.$gettextInterpolate(translated, { type: this.highlightedFile.type })
+      return this.$gettextInterpolate(translated, { type: this.highlightedFile.type }, false)
     }
   },
   watch: {

diff --git a/apps/files/src/components/PublicLinks/FilesDrop.vue b/apps/files/src/components/PublicLinks/FilesDrop.vue
@@ -79,7 +79,7 @@ export default {
       // share might not be loaded
       if (this.share) {
         const translated = this.$gettext('%{owner} shared this folder with you for uploading')
-        return this.$gettextInterpolate(translated, { owner: this.share.getProperty(this.$client.publicFiles.PUBLIC_LINK_SHARE_OWNER) })
+        return this.$gettextInterpolate(translated, { owner: this.share.getProperty(this.$client.publicFiles.PUBLIC_LINK_SHARE_OWNER) }, true)
       }
       return ''
     },
@@ -167,7 +167,7 @@ export default {
 
     $_ocUploadingFileMessage (fileName) {
       const translated = this.$gettext('Uploading file "%{fileName}"')
-      return this.$gettextInterpolate(translated, { fileName })
+      return this.$gettextInterpolate(translated, { fileName }, true)
     }
   }
 }

diff --git a/apps/files/src/components/PublicLinksSidebar/PublicLinkListItem.vue b/apps/files/src/components/PublicLinksSidebar/PublicLinkListItem.vue
@@ -94,7 +94,7 @@ export default {
         return null
       }
       const translated = this.$gettext('Via %{folderName}')
-      return this.$gettextInterpolate(translated, { folderName: basename(this.link.info.path) }, false)
+      return this.$gettextInterpolate(translated, { folderName: basename(this.link.info.path) }, true)
     },
     $_viaRouterParams () {
       const viaPath = this.link.info.path

diff --git a/changelog/unreleased/3032 b/changelog/unreleased/3032
@@ -0,0 +1,7 @@
+Bugfix: Properly manage escaping of all translations
+
+We've stopped escaping translations which contained resource names or user names because they can contain special characters which were then not properly displayed.
+We've done this only with translations which are using mustache syntax which does escaping on its own so we don't introduce poteintial XSS vulnerability.
+For all other translations, we've explicitly set the escaping.
+
+https://github.com/owncloud/phoenix/pull/3032