Skip to content

Escape interpolated i18n params on innerHTML sinks#104

Open
boinger wants to merge 1 commit into
CNCKitchen:mainfrom
boinger:fix/i18n-escape-innerhtml-params
Open

Escape interpolated i18n params on innerHTML sinks#104
boinger wants to merge 1 commit into
CNCKitchen:mainfrom
boinger:fix/i18n-escape-innerhtml-params

Conversation

@boinger

@boinger boinger commented Jul 16, 2026

Copy link
Copy Markdown

Hardening, not a live vuln: t() does raw {placeholder} interpolation and four call sites assign the result to innerHTML (diag.recommendFix ×2, ui.smartResInfo, and the data-i18n-html branch of applyTranslations). All current params on those paths are toFixed() numbers, so nothing is exploitable today — but the first filename- or error-shaped param there becomes markup injection, and project files are shared between users.

tHtml() escapes param values only; templates stay raw since data-i18n-html templates legitimately contain markup. t() is untouched, so text sinks (alert, textContent) keep displaying raw error messages. Convention going forward: innerHTML sinks use tHtml.

t() interpolates {placeholder}s unescaped and four call sites assign the
result to innerHTML. All current params are toFixed() numbers, so this is
hardening, not a live vuln. tHtml() escapes params only (templates keep
their markup); t() unchanged so alert/textContent keep raw err.message.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant