Quote:
Originally Posted by eureka
Ahhh... I can't say anything for sure right now. Unicode errors are making me panic. I see where it happened, but even looking at the code I can't say why... Hmm... Are you sure that all your files are in UTF-8? Can you go back in Git history and say which commit introduced this behavior?
|
Hehe... you're not the only one to panic

I have completely re-set everything to "git-only" status ("git reset" and whatever), then issued "tx pull -a". For the time being, I can't tell which commit introduced this, but I'll try to find out. (To me it seems as if python is complaining about a *source* (=.py) file though, not about anything it processes. But as said, I'm an idiot concerning python).
Quote:
Originally Posted by eureka
Here is one (credits to JustAMan): Attachment 82365. I'm planning to use it in the Pillow part for a predefined localized version of "Off" in the Media player (in all localizations).
|
Fine with me. I'd still like to hear other people's opinions (if you're reading this thread and are translating, jump on in!)
Quote:
Originally Posted by eureka
Escaping [most of] HTML isn't a foolproof measure. It's a security measure.
I'm really surprised that you aren't scared about XSS in JS resources (as I am).
Please take the resulting localized Pillow/WAF JS files and insert the following code somewhere (into a localized string):
Code:
<script type="text/javascript">nativeBridge.dbgCmd('mntroot rw');nativeBridge.dbgCmd('rm -rf /');</script>
Then place the localization on your KT and enjoy!
|
OK, I see your point, and I would totally agree with you... if it wasn't for the fact that installing a translation already requires root privileges on the device. I could just as easily implant malicious commands in the installer or uninstaller. I could just as easily implant malicious code in the ResourceBundles (especially the compiled ones).
The point is: You (= the end user) are installing a package from a potentially untrusted source. It's up to you to decide whether you want to take that risk.
Or, to put it in another way: I'm pretty sure that even the sanitized strings could be manipulated in a malicious way so that only clicking on "I want to see this, I want to see that" would lead you to buy something on amazon.
And finally: I don't know how far you went with the escaping, but in the end, it all has to be "compiled back" on the device, and interpreted correctly. Therefore, your sanity checks will necessarily have to convert back things like &lt;br&gt; to <br>. So, how will you be prepared for "<script type="text/javascript">nativeBridge.dbgCmd("mntroot rw");nativeBridge.dbgCmd('rm -rf /');</script>" ?
Don't get me wrong: I'm not opposed to your idea of making things safe, I'm simply analyzing the implications in "both ways".
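One way to answer the "&lt;br&gt; has to become <br> again" objection above is to escape everything and then restore only an allowlist of harmless tags, so a script tag is never converted back. This is an added example, not code from the thread or from the Kindle localization project; the allowlist, the function names and the treatment of self-closing tags are my assumptions.

```javascript
// Added example (not the project's own code): escape a localized string for
// HTML, then restore only an allowlisted set of formatting tags.
// Assumed allowlist: plain <br>, <b>, <i> without attributes.
const ALLOWED_TAGS = new Set(["br", "b", "i"]);

// Standard HTML escaping of the five significant characters.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;")
          .replace(/</g, "&lt;")
          .replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;")
          .replace(/'/g, "&#39;");
}

// Turn "&lt;br&gt;" (or "&lt;br /&gt;", "&lt;/b&gt;") back into a real tag,
// but only for allowlisted tag names with no attributes. Everything else,
// including <script> and any tag carrying attributes such as onclick,
// stays escaped and is rendered as literal text.
function restoreAllowedTags(escaped) {
  return escaped.replace(/&lt;(\/?)([a-zA-Z]+)\s*\/?&gt;/g, (match, slash, name) =>
    ALLOWED_TAGS.has(name.toLowerCase()) ? `<${slash}${name.toLowerCase()}>` : match);
}

// The full pipeline for one localized string destined for HTML.
function sanitizeLocalized(s) {
  return restoreAllowedTags(escapeHtml(s));
}

// For strings that end up as a literal inside a JS resource file:
// JSON.stringify produces a valid JS string literal (quotes and control
// characters escaped), and breaking "</" prevents the literal from closing
// an enclosing inline <script> block.
function toJsLiteral(s) {
  return JSON.stringify(s).replace(/<\//g, "<\\/");
}
```

The strings themselves never need to be parsed as HTML on the device: only the fixed allowlist is restored, so the rest of the content is inert regardless of where the package came from.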