authorLukas Reschke <lukas@statuscode.ch>2017-03-16 13:47:27 +0100
committerLukas Reschke <lukas@statuscode.ch>2017-03-16 14:17:42 +0100
commit6c8d48b0f6faac5d5b832a70d0245941a912f78b (patch)
tree205372ba1259b2b70ac6cf470bfd599127e8d6cb /core/js/l10n.js
parent793d7d1bd75ef1e35cc29aef5ac03dc95aa248bb (diff)
Harden t() with DOMPurify
This mitigates cases where developers pass untrusted user input through t(), which can lead to XSS. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'core/js/l10n.js')
-rw-r--r--core/js/l10n.js10
1 files changed, 5 insertions, 5 deletions
diff --git a/core/js/l10n.js b/core/js/l10n.js
index 43cfc7e820f..77f771a20b3 100644
--- a/core/js/l10n.js
+++ b/core/js/l10n.js
@@ -155,12 +155,12 @@ OC.L10N = {
var r = vars[b];
if(typeof r === 'string' || typeof r === 'number') {
if(allOptions.escape) {
- return escapeHTML(r);
+ return DOMPurify.sanitize(escapeHTML(r));
} else {
- return r;
+ return DOMPurify.sanitize(r);
}
} else {
- return a;
+ return DOMPurify.sanitize(a);
}
}
);
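Review bot: The per-variable `DOMPurify.sanitize` calls on the three replaced lines turn substituted values into HTML-serialized text rather than plain strings, because DOMPurify parses its input as markup and returns the reserialized fragment: a value such as `Tom & Jerry` or `a < b` comes back as `Tom &amp; Jerry` / `a &lt; b` even when `allOptions.escape` is false, so callers that put the result into `textContent`, `alert()` or `document.title` will now display entities. The numeric branch also hands a number to `DOMPurify.sanitize(r)`; whether that is stringified or rejected depends on the DOMPurify version loaded, so `return DOMPurify.sanitize(String(r));` would be the safer form. Since the whole built string is sanitized again in the following hunk, the per-variable calls appear redundant; if they stay, a comment such as `// Defense in depth: t() now returns an HTML fragment, not plain text — do not rely on escape:false for text contexts` would make the new contract visible to callers. The replace callback shown here belongs to `_build`, whose start lies before the hunk.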
@@ -173,9 +173,9 @@ OC.L10N = {
}
if(typeof vars === 'object' || count !== undefined ) {
- return _build(translation, vars, count);
+ return DOMPurify.sanitize(_build(translation, vars, count));
} else {
- return translation;
+ return DOMPurify.sanitize(translation);
}
},