@ixtab, please, don't include Pillow and WAF resources in your [automatically built] snapshots yet!!
(However, localization bundles built for testing purposes with manual checking of translated Pillow/WAF resources before building are OK.)
Pillow and WAF strings are used in HTML. They are a possible source of XSS, and I've overlooked this fact. I must implement some solution to filter these strings and leave only allowed HTML tags (so far, I've found two such tags in the original JS files: <br> and <p>).
Also, I've missed WAF's browser/readability/messages.js in the extraction process. There is an <a> tag in this file with embedded JavaScript as an onClick handler. This embedded JavaScript probably should go into metadata...
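The filter described in the post (keep only <br> and <p>, treat everything else in a translated string as plain text) can be done as an allow-list sanitizer: escape the whole string, then let through only tags that exactly match the allowed set. The following is an added example written for this discussion, not code from the post author or from the Pillow/WAF/Kindle code base; the function names (sanitizeTranslation, findDisallowedTags) and the sample translated strings are constructed for illustration. The second function is meant for the "manual checking before building" step mentioned above: it lists every tag in a string that the sanitizer would refuse, so a localization bundle can be linted before it is built.

```javascript
// Allow-list sanitizer for translated UI strings that end up in HTML.
// Only <br> and <p> (the two tags found in the original JS files) survive;
// every other tag, attribute, or stray '<' is escaped to plain text.
// Example code for this thread, not part of the Pillow/WAF sources.

// Normalised tag forms that are allowed, mapped to the canonical output.
// Normalisation strips all whitespace and lower-cases, so "<BR />" -> "<br/>".
const ALLOWED_TAGS = new Map([
  ["<br>", "<br>"],
  ["<br/>", "<br>"],
  ["<p>", "<p>"],
  ["</p>", "</p>"],
]);

// Escape the characters that can start markup or break out of an attribute.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

function normaliseTag(tag) {
  return tag.replace(/\s+/g, "").toLowerCase();
}

// Return the sanitized string: text outside tags is HTML-escaped, tags in the
// allow-list are emitted in canonical form, all other tags are escaped too.
function sanitizeTranslation(s) {
  const tagRe = /<[^<>]*>/g; // anything that looks like a tag; no nesting of '<'
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(s)) !== null) {
    out += escapeHtml(s.slice(last, m.index)); // plain text before the tag
    const canonical = ALLOWED_TAGS.get(normaliseTag(m[0]));
    // Allowed tags carry no attributes, so a tag with any attribute
    // (e.g. an onclick handler) never normalises to an allowed key.
    out += canonical !== undefined ? canonical : escapeHtml(m[0]);
    last = tagRe.lastIndex;
  }
  out += escapeHtml(s.slice(last)); // trailing text, including unclosed '<'
  return out;
}

// Lint helper: list the tags in a translated string that would be escaped,
// so a bundle can be checked by hand before it is built.
function findDisallowedTags(s) {
  const found = [];
  for (const m of s.matchAll(/<[^<>]*>/g)) {
    if (!ALLOWED_TAGS.has(normaliseTag(m[0]))) found.push(m[0]);
  }
  return found;
}

// Constructed sample strings, standing in for translated Pillow/WAF resources.
const samples = [
  "Line one<br>Line two",
  "<p>Hello<BR/>world</p>",
  '<p onclick="handler()">Hello</p>',
  "<script>x</script>",
  "a < b & c",
];
for (const sample of samples) {
  console.log(JSON.stringify(sample), "->", JSON.stringify(sanitizeTranslation(sample)));
  const bad = findDisallowedTags(sample);
  if (bad.length) console.log("  disallowed tags:", bad.join(", "));
}

module.exports = { sanitizeTranslation, findDisallowedTags, escapeHtml };
```

Because the default path is "escape everything" and only exact, attribute-free <br>/<p> tokens are re-allowed, a translator cannot smuggle in an event handler or a new element even by mistake; the lint output makes it obvious which strings need attention before a snapshot is built.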