Skip to content

fix(core): Do not use v-html for translation output #49346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
skjnldsv merged 2 commits into from
Nov 19, 2024
Merged

fix(core): Do not use v-html for translation output #49346

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
52769a4
fix(core): Do not use `v-html` for translation output
susnux Nov 18, 2024
2887c16
chore(assets): Recompile assets
nextcloud-command Nov 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
fix(core): Do not use v-html for translation output 
The content that can be renderered does *not* include HTML (see
`recommended` object).
But `v-html` was used, this is potentially dangerous, even though we
sanitize the translation values, so no urgent harm but better safe than
sorry.

Signed-off-by: Ferdinand Thiessen <[email protected]>
  • Loading branch information
@susnux @nextcloud-command
susnux authored and nextcloud-command committed Nov 19, 2024
commit 52769a47ed378d914ce2d6a555536a7d6adc26b1
2 changes: 1 addition & 1 deletion core/src/components/setup/RecommendedApps.vue
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
<img :src="customIcon(app.id)" alt="">
<div class="info">
<h3>{{ customName(app) }}</h3>
<p v-html="customDescription(app.id)" />
<p v-text="customDescription(app.id)" />
<p v-if="app.installationError">
<strong>{{ t('core', 'App download or installation failed') }}</strong>
</p>
Expand Down