fix(core): Do not use `v-html` for translation output

The content that can be renderered does *not* include HTML (see
`recommended` object).
But `v-html` was used, this is potentially dangerous, even though we
sanitize the translation values, so no urgent harm but better safe than
sorry.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

diff --git a/core/src/components/setup/RecommendedApps.vue b/core/src/components/setup/RecommendedApps.vue
index 29ad04bcfe07e50697f684299a5c18e2559c6b32..066c0c64a799ee470b076d36916e158552e4f4bb 100644 (file)
--- a/core/src/components/setup/RecommendedApps.vue
+++ b/core/src/components/setup/RecommendedApps.vue
@@ -18,7 +18,7 @@
                                <img :src="customIcon(app.id)" alt="">
                                <div class="info">
                                        <h3>{{ customName(app) }}</h3>
-                                       <p v-html="customDescription(app.id)" />
+                                       <p v-text="customDescription(app.id)" />
                                        <p v-if="app.installationError">
                                                <strong>{{ t('core', 'App download or installation failed') }}</strong>
                                        </p>