From 4bef27db8218670fcd3ab72e6d190e0044d4cd33 Mon Sep 17 00:00:00 2001 From: Martin Raifer Date: Tue, 30 Nov 2021 10:33:55 +0100 Subject: [PATCH] add to changelog, mark t.html as deprecated --- CHANGELOG.md | 6 ++++++ modules/core/localizer.js | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dbe049cbc..e224b6e19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ _Breaking developer changes, which may affect downstream projects or sites that ##### YYYY-MMM-DD #### :newspaper: News +#### :shield: Security #### :mega: Release Highlights #### :boom: Breaking Changes #### :tada: New Features @@ -41,6 +42,8 @@ _Breaking developer changes, which may affect downstream projects or sites that #### :newspaper: News * We maintain a running changelog now! Upcoming changes will be added to the _[Unreleased](#Unreleased)_ section of this changelog as soon as they are ready in the [development version](https://ideditor.netlify.app/) of the iD editor. ([#8805]) +#### :shield: Security +* Fix missing escaping of external texts and content such as OSM user names, OSM tags, etc. which had opened a way to inject arbitrary HTML into the iD editor, potentially making XSS attacks possible. ([#8813]) #### :boom: Breaking Changes #### :tada: New Features #### :sparkles: Usability & Accessibility @@ -55,6 +58,7 @@ _Breaking developer changes, which may affect downstream projects or sites that * Fix glitching out turn restriction minimap on narrow sidebars ([#8792]) * Fix a bug which made it impossible to switch to a custom TMS imagery layer after using a custom WMS source and vice versa ([#8057]) #### :earth_asia: Localization +* deprecate ~`t.html`~ for providing localized texts, which is replaced by the new method `t.append` which directly and safely appends the localized strings to the DOM. ([#8817]) #### :hourglass: Performance #### :mortar_board: Walkthrough / Help #### :rocket: Presets 
@@ -71,6 +75,8 @@ _Breaking developer changes, which may affect downstream projects or sites that [#8800]: https://github.com/openstreetmap/iD/pull/8800 [#8805]: https://github.com/openstreetmap/iD/issues/8805 [#8807]: https://github.com/openstreetmap/iD/issues/8807 +[#8813]: https://github.com/openstreetmap/iD/issues/8813 +[#8817]: https://github.com/openstreetmap/iD/pull/8817 # 2.20.2 ##### 2021-Oct-28 diff --git a/modules/core/localizer.js b/modules/core/localizer.js index b3a1489c0..15f185844 100644 --- a/modules/core/localizer.js +++ b/modules/core/localizer.js @@ -349,6 +349,10 @@ export function coreLocalizer() { }; // Returns the localized text wrapped in an HTML element encoding the locale info + /** + * @deprecated This method is considered deprecated. Instead, use the direct DOM manipulating + * method `t.append`. + */ localizer.t.html = function(stringId, replacements, locale) { // replacement string might be html unsafe, so we need to escape it except if it is explicitly marked as html code replacements = Object.assign({}, replacements);
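Review bot: the Security entry in the `@@ -41,6 +42,8 @@` hunk of CHANGELOG.md describes the fix but gives downstream embedders nothing to judge their exposure by; since the file's preamble explicitly flags changes that may affect downstream projects or sites, state which releases are affected and that sites embedding iD should upgrade, and cross-reference the `t.html` deprecation the same patch adds under Localization, since `t.append` is presented there as the safe replacement. It would also help to say in one clause what the unescaped inputs were (the bullet lists OSM user names and OSM tags, which is good) so operators can search their own templates for the same pattern.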
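Review bot: the Localization bullet in the `@@ -55,6 +58,7 @@` hunk starts in lowercase ("deprecate ...") while every other bullet in the file begins with a capital ("Fix ...", "We maintain ..."); capitalize it. The entry is a developer-facing API deprecation rather than a localization change visible to users, so it belongs under, or at least should carry the marker for, the developer-change category the file's preamble describes, and it should say when `t.html` is planned for removal (or that no removal is scheduled yet) so embedders can plan the migration. The `~`t.html`~` strikethrough markup is also an odd way to mark a deprecation; plain `t.html` next to the word "deprecated" renders the same in any Markdown viewer.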
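Review bot: in the `modules/core/localizer.js` hunk the new JSDoc block is inserted below the existing `// Returns the localized text wrapped in an HTML element encoding the locale info` line, leaving two separate comments on one function; fold that description into the JSDoc (`/** Returns the localized text ... @deprecated ... */`) so editors and documentation tooling see a single block. The `@deprecated` text should also say why the method is being retired (it returns an HTML string for the caller to insert, whereas `t.append` appends to the DOM directly, and the escaping caveat is right there in the comment on the next line; link #8813 and #8817) and should name the replacement the same way the function itself is named on the line below, i.e. `localizer.t.append` rather than the shorthand `t.append`. A comment alone will not reach callers; a one-time `console.warn` inside the function body would surface any downstream code still using `t.html` during testing.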