authorLukas Reschke <lukas@statuscode.ch>2017-03-16 13:47:27 +0100
committerLukas Reschke <lukas@statuscode.ch>2017-03-16 14:17:42 +0100
commit6c8d48b0f6faac5d5b832a70d0245941a912f78b (patch)
tree205372ba1259b2b70ac6cf470bfd599127e8d6cb /core/js/tests/specs/l10nSpec.js
parent793d7d1bd75ef1e35cc29aef5ac03dc95aa248bb (diff)
Harden t() with DOMPurify
This mitigates cases where developers pass untrusted user input through t(), which may otherwise lead to XSS. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'core/js/tests/specs/l10nSpec.js')
-rw-r--r--core/js/tests/specs/l10nSpec.js5
1 files changed, 5 insertions, 0 deletions
diff --git a/core/js/tests/specs/l10nSpec.js b/core/js/tests/specs/l10nSpec.js
index 064b27aa34a..3dd1fa268ef 100644
--- a/core/js/tests/specs/l10nSpec.js
+++ b/core/js/tests/specs/l10nSpec.js
@@ -53,6 +53,11 @@ describe('OC.L10N tests', function() {
t(TEST_APP, 'Hello {name}', {name: '<strong>Steve</strong>'}, null, {escape: false})
).toEqual('Hello <strong>Steve</strong>');
});
+ it('uses DOMPurify to escape the text', function() {
+ expect(
+ t(TEST_APP, '<strong>These are your search results<script>alert(1)</script></strong>', null, {escape: false})
+ ).toEqual('<strong>These are your search results</strong>');
+ });
it('keeps old texts when registering existing bundle', function() {
OC.L10N.register(TEST_APP, {
'sunny': 'sonnig',
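Review bot: The new test passes `{escape: false}` as the fourth argument, which is the `count` slot if `t()` keeps the parameter order the preceding test relies on (`vars, count, options`); the options object would then never reach `t()`, the assertion would exercise the default path, and a pass would not prove what the test name claims. Change the call to `t(TEST_APP, '<strong>These are your search results<script>alert(1)</script></strong>', null, null, {escape: false})`, and consider a sibling case without `escape: false` so the default path is pinned as well. Only a `<script>` payload is covered; an attribute-based vector such as `<img src=x onerror=alert(1)>` would confirm that event-handler attributes are stripped, which plain tag removal would miss. The expected output shows sanitization (the tag is removed, not entity-encoded), so `'uses DOMPurify to sanitize the text'` describes the test more accurately than "escape".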