fix(core): Do not use `v-html` for translation output

The content that can be renderered does *not* include HTML (see
`recommended` object).
But `v-html` was used, this is potentially dangerous, even though we
sanitize the translation values, so no urgent harm but better safe than
sorry.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

diff --git a/core/src/components/setup/RecommendedApps.vue b/core/src/components/setup/RecommendedApps.vue
index 9bab568a924e0494ed8a8ad30360959ad223bac7..d6600ee35d5ef8f11eb408e0ee7c13a29aaaef1d 100644 (file)
--- a/core/src/components/setup/RecommendedApps.vue
+++ b/core/src/components/setup/RecommendedApps.vue
@@ -18,7 +18,7 @@
                                <img :src="customIcon(app.id)" alt="">
                                <div class="info">
                                        <h3>{{ customName(app) }}</h3>
-                                       <p v-html="customDescription(app.id)" />
+                                       <p v-text="customDescription(app.id)" />
                                        <p v-if="app.installationError">
                                                <strong>{{ t('core', 'App download or installation failed') }}</strong>
                                        </p>