From adfd54eaea607186529440982e2721df0be8daf0 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gr=C3=A9goire=20Aubert?=
Date: Fri, 12 Feb 2021 10:17:54 +0100
Subject: [PATCH] Fix SSF-139

---
 server/sonar-web/src/main/js/helpers/__tests__/l10n-test.ts | 5 +++++
 server/sonar-web/src/main/js/helpers/l10n.ts                | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/server/sonar-web/src/main/js/helpers/__tests__/l10n-test.ts b/server/sonar-web/src/main/js/helpers/__tests__/l10n-test.ts
index cf5d1769e2b..875921a4f99 100644
--- a/server/sonar-web/src/main/js/helpers/__tests__/l10n-test.ts
+++ b/server/sonar-web/src/main/js/helpers/__tests__/l10n-test.ts
@@ -67,6 +67,11 @@ describe('#translateWithParameters', () => {
     );
   });
 
+  it('should not be affected by replacement pattern XSS vulnerability of String.replace', () => {
+    resetBundle({ y_apples: 'I have {0} apples' });
+    expect(translateWithParameters('y_apples', '$`')).toBe('I have $` apples');
+  });
+
   it('should not translate message but return its key', () => {
     expect(translateWithParameters('random', 5)).toBe('random.5');
     expect(translateWithParameters('random', 1, 2, 3)).toBe('random.1.2.3');
diff --git a/server/sonar-web/src/main/js/helpers/l10n.ts b/server/sonar-web/src/main/js/helpers/l10n.ts
index 6e13e95de91..bbffbaa76a1 100644
--- a/server/sonar-web/src/main/js/helpers/l10n.ts
+++ b/server/sonar-web/src/main/js/helpers/l10n.ts
@@ -62,7 +62,7 @@ export function translateWithParameters(
   if (message) {
     return parameters
       .map(parameter => String(parameter))
-      .reduce((acc, parameter, index) => acc.replace(`{${index}}`, parameter), message);
+      .reduce((acc, parameter, index) => acc.replace(`{${index}}`, () => parameter), message);
   } else {
     if (process.env.NODE_ENV === 'development') {
       // eslint-disable-next-line
-- 
2.39.5
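Review bot: The new test pins only the backtick special sequence, while a string replacement passed to `String.prototype.replace` also expands `$&` (the match), `$'` (text after the match), `$$` and `$n`, so a future regression that handled one sequence but not the others would still pass; add expectations such as `expect(translateWithParameters('y_apples', "$'")).toBe("I have $' apples");` and `expect(translateWithParameters('y_apples', '$&')).toBe('I have $& apples');`. The test name's "XSS vulnerability" overstates what the test demonstrates: what the pattern allowed was a parameter value splicing in other parts of the message text, which is message tampering/disclosure rather than script injection, so a name such as `'should not expand String.replace replacement patterns found in parameters'` describes it more precisely. I assume `resetBundle` replaces the message bundle that `translateWithParameters` reads; it is defined outside this hunk.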
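Review bot: The replacer function on the new `.reduce` line stops `$`-pattern expansion, but because placeholders are substituted one index at a time over the accumulated string, a parameter's own text is re-scanned by the next iteration: with message `'{0} and {1}'` and parameters `'{1}'`, `'x'` the first step yields `'{1} and {1}'` and the second replaces the injected placeholder, giving `'x and {1}'`, so a caller-controlled value can still consume another parameter's substitution and leave a raw placeholder in the output. A single pass that resolves every placeholder against the original message avoids re-scanning parameter text: `return message.replace(/\{(\d+)\}/g, (m, i) => (Number(i) < parameters.length ? String(parameters[Number(i)]) : m));`. That form also substitutes repeated occurrences of the same placeholder, which the current per-index `replace` (first match only) does not, so whether it is wanted depends on the bundles; either way the non-obvious replacer deserves a comment such as `// function replacer: a string replacement would expand $-patterns in parameter values`. The enclosing `translateWithParameters` starts before this hunk and its body continues past it.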