Quote:
Originally Posted by eureka
I've reproduced the error and think that it's fixed now (with a new commit).
|
Yep, checked out the new version and it's working again.
Quote:
Originally Posted by eureka
I agree about the overall insecurity of applying a localization bundle. So, in a broad sense, it means that my concern about possible malicious exploitation of the JS part is insignificant. But in the scope of the js_resources tool, it's a bit different. I feel some form of responsibility for my code and for the results of its work. I can't control the input of the js_resources tool (as it's taken directly from crowdsourced translations), but I can control its output. So I'm trying to do my best at stripping possibly harmful parts from its output.
I'm certainly not a security expert and I can't eliminate all "attack" vectors. But I don't want to ignore some trivial ones that I am able to notice.
The <br> tag will pass through without escaping (in extracting and in compiling). So will named HTML entities (like &lt;, &quot;, &gt;).
|
I didn't take a deep look into the code, so if it does "reasonable" escaping, I'm perfectly fine with it (as said, many of our previous "blacklist" attempts were similar in spirit). As long as "normal" (= non-malicious) translations work, this is absolutely fine. I would still like the default bookmarks to be customizable, though (I don't know what the status is there).
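As an added example (not the js_resources tool's own code, whose internals the thread does not show), here is one way to do the output-side filtering eureka describes above: everything that could open a tag, attribute or entity is escaped, while a literal <br> and a short whitelist of named entities pass through, and each string is then emitted as a JS string literal so that a translation containing "</script>" or a U+2028 line terminator cannot break the compiled bundle. The function names, the entity whitelist, the L10N global name and the sample translations are all assumptions made for the example.

```javascript
// Added example: a whitelist-style output filter for crowdsourced
// translation strings, plus a safe way to emit them into a JS bundle.
// Not the js_resources tool's code; names and the whitelist are assumptions.

// Named entities allowed to pass through unchanged (assumed whitelist).
const ALLOWED_ENTITIES = new Set(["lt", "gt", "quot", "amp", "apos", "nbsp"]);
// The only tag allowed to pass through: a bare <br>, <br/> or <br />.
const ALLOWED_TAG = /^<br\s*\/?>$/i;

// Escape a translation string for an HTML text context, keeping <br> and
// whitelisted named entities. Everything else that could open a tag,
// attribute or character reference is escaped, so a translator can write
// "a < b" or "&lt;" but not <script>, <img onerror=...> or &#x3c;.
function sanitizeTranslation(input) {
  let out = "";
  let i = 0;
  while (i < input.length) {
    const ch = input[i];
    if (ch === "<") {
      const close = input.indexOf(">", i);
      if (close !== -1 && ALLOWED_TAG.test(input.slice(i, close + 1))) {
        out += "<br>";            // normalise every accepted form to <br>
        i = close + 1;
        continue;
      }
      out += "&lt;";
      i += 1;
    } else if (ch === "&") {
      const m = /^&([A-Za-z]+);/.exec(input.slice(i));
      if (m && ALLOWED_ENTITIES.has(m[1])) {
        out += m[0];              // whitelisted named entity passes through
        i += m[0].length;
        continue;
      }
      out += "&amp;";             // unknown names and numeric refs are neutralised
      i += 1;
    } else if (ch === ">") {
      out += "&gt;";
      i += 1;
    } else if (ch === '"') {
      out += "&quot;";
      i += 1;
    } else if (ch === "'") {
      out += "&#39;";
      i += 1;
    } else {
      out += ch;
      i += 1;
    }
  }
  return out;
}

// Emit a string as a JS literal that cannot break out of an inline <script>
// block: JSON.stringify handles quotes, backslashes and control characters;
// on top of that "</" is escaped (so "</script>" cannot end the script
// element) and the line terminators U+2028/U+2029, which older engines
// reject inside string literals, are written as escapes.
function toJsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Compile a {key: translation} object into bundle source that assigns the
// sanitised strings to a global (the name is an assumption, e.g. L10N).
function compileBundle(translations, globalName) {
  const lines = [`var ${globalName} = {};`];
  for (const key of Object.keys(translations).sort()) {
    const value = sanitizeTranslation(String(translations[key]));
    lines.push(`${globalName}[${toJsStringLiteral(key)}] = ${toJsStringLiteral(value)};`);
  }
  return lines.join("\n");
}

// Constructed sample input standing in for a crowdsourced translation file.
const SAMPLE_TRANSLATIONS = {
  greeting: "Hello<br/>world &amp; friends",
  hostile: "</script><script>alert(1)</script>",
  sneaky: "<img src=x onerror=alert(1)> &#x3c;b&#x3e;",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(compileBundle(SAMPLE_TRANSLATIONS, "L10N"));
}
```

Running the file prints the compiled bundle for the three constructed strings; the hostile and sneaky entries come out as inert escaped text, while the greeting keeps its <br> and its &amp;. Note that this only holds while the application inserts the strings as HTML text (or innerHTML) and never into an attribute, URL or event handler context; a filter that escapes for one context is not a substitute for escaping at the point of use.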