I recently pushed a PR that implemented the escapeParameterHtml flag. In using this flag I have noticed one undesired side effect: In some cases it's hard to avoid a "double-escape" scenario, i.e.:
<div text="$t('some_resource_with_foo_variable', {foo: 'a & b'})" />
Yields the following:
a & b
A mitigation would be to use v-html in the div tag but it feels like suggesting that would cause more harm than benefit. By not escaping the & symbol we avoid this situation. This proposed change also converts this functionality into an idempotent one, i.e. the escape operation can be performed multiple times without producing multi-escaped output.
The negative security impact is minimal since a) we are already escaping the < and > symbols and b) this flag was introduced very recently and likely still has little usage.
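To make the trade-off concrete, here is an added example (not vue-i18n's own code): a naive escaper that double-escapes `&`, the escaper the proposal describes (skipping `&` entirely), and, going beyond the issue, an escape-once variant that still escapes a bare `&` but leaves an existing entity alone. The function names, the idempotence check and the sample strings are constructed for this example.

```javascript
// Added example, not vue-i18n's own code. Three escapers for interpolation
// parameters, plus an idempotence check, to show the double-escape problem.

// Naive escaper: also rewrites &, so applying it twice to 'a & b' turns
// '&amp;' into '&amp;amp;' (the double-escape described in the issue).
function escapeAll(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Proposed change: leave & alone. Idempotent because none of the replacement
// strings contain a character this function rewrites. Caveat: a bare & in a
// parameter reaches the DOM unescaped, relying on the browser's lenient parsing.
function escapeNoAmp(s) {
  return String(s)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Alternative (beyond the issue): escape a bare &, but skip one that already
// starts a named or numeric entity such as &amp; or &#39;. Also idempotent.
const BARE_AMP = /&(?!(?:[a-zA-Z][a-zA-Z0-9]*|#\d+|#[xX][0-9a-fA-F]+);)/g;
function escapeOnce(s) {
  return String(s)
    .replace(BARE_AMP, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Idempotence check: fn(fn(x)) must equal fn(x) for every sample.
function isIdempotent(fn, samples) {
  return samples.every((x) => fn(fn(x)) === fn(x));
}

// Constructed sample parameters, including one that is already escaped.
const SAMPLES = ['a & b', '<b>bold</b>', 'already &amp; escaped', 'it\'s "quoted"'];
```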
gardarh pushed a commit to gardarh/vue-i18n that referenced this issue on Oct 19, 2020