Disabled html_escape with translations.

zena · Sep 5, 2012 · 3b97bcf · 3b97bcf
1 parent 78ec11e
commit 3b97bcf
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 9 deletions.
diff --git a/lib/zafu/process/ruby_less_processing.rb b/lib/zafu/process/ruby_less_processing.rb
@@ -241,11 +241,6 @@ def rubyless_expand(res)
           if res.klass == String && !@blocks.detect {|b| !b.kind_of?(String)}
             if lit = res.literal
               out param(:h) == 'false' ? erb_escape(lit) : ::ERB::Util.html_escape(lit)
-            # TODO: Enable this when we have time to ensure tests/functionality work correctly.
-            #elsif res.opts[:h]
-            #  show_string(res)
-            elsif res.opts[:html_safe]
-              out "<%= #{res} %>"
             else
               show_string(res)
             end

diff --git a/lib/zena/use/display.rb b/lib/zena/use/display.rb
@@ -699,7 +699,7 @@ def r_prop_grid
 
         # Also used by rubyless_expand
         def show_string(method)
-          if param(:h) == 'false'
+          if param(:h) == 'false' || (method.kind_of?(RubyLess::TypedString) && method.opts[:html_safe])
             "<%= #{method} %>"
           else
             "<%=h #{method} %>"

diff --git a/lib/zena/use/i18n.rb b/lib/zena/use/i18n.rb
@@ -14,7 +14,7 @@ class TranslationDict
         include RubyLess
 
         # never returns nil
-        safe_method [:get, String] => {:class => String, :accept_nil => true}
+        safe_method [:get, String] => {:class => String, :accept_nil => true, :html_safe => true}
 
         def initialize(node_id, static = nil)
           @node_id = node_id
@@ -27,6 +27,7 @@ def get(key, use_global = true)
         end
 
         def get_without_loading(key, use_global = true)
+          # SECURITY: We consider all strings in dictionaries as SAFE.
           @dict[key] || (use_global && ApplicationController.send(:_, key))
         end
 
@@ -349,12 +350,14 @@ def translate(signature, receiver = nil)
             { :class  => String,
               :method => "#{dict}.get",
               :accept_nil => true,
+              :html_safe  => true,
               :pre_processor => Proc.new {|this, str| trans(str)}
             }
           else
             { :class  => String,
               :method => 'trans',
               :accept_nil => true,
+              :html_safe  => true,
               :pre_processor => Proc.new {|this, str| trans(str)}
             }
           end
@@ -367,7 +370,7 @@ def trans(text, use_global = true)
             # will call ApplicationController(:_) if key is not found
             dict.get(text, use_global)
           elsif use_global
-            helper.send(:_, text)
+            ::ERB::Util.html_escape(helper.send(:_, text))
           else
             nil
           end

diff --git a/test/integration/zafu_compiler/i18n.yml b/test/integration/zafu_compiler/i18n.yml
@@ -67,7 +67,7 @@ trans_rubyless_attr:
   context:
     lang: 'fr'
   src: "<p do=\"trans(v.lang)\"/>"
-  tem: "<p><%=h trans(@node.version.lang) %></p>"
+  tem: "<p><%= trans(@node.version.lang) %></p>"
   res: "<p>français</p>"
 
 trans_attr:
@@ -97,6 +97,11 @@ trans_literal_string:
 trans_block:
   src: "<r:t>en</r:t>"
   tem: "english"
+
+link_trans:
+  # SECURITY: translation **REMOVES** html_escape (because the dictionary can contain JS or images).
+  src: "<r:link do='t' text='#{title}'/>"
+  tem: "<a href='<%= zen_path(@node) %>'><%= trans(\"#{@node.prop['title']}\") %></a>"
 
 lang_links:
   src: "<div id='lang' do='lang_links'><a>en</a> | <b>fr</b></div>"