localizer: escape placeholder replacement values in html output mode

2026-02-13 01:02:58 +00:00 · 2021-11-18 09:27:29 +01:00
parent e1dda082e0
commit 8bbae82caa
7 changed files with 40 additions and 17 deletions
--- a/data/core.yaml
+++ b/data/core.yaml
@@ -1000,7 +1000,7 @@ en:
      location: 'This feature was moved by both you and {user}.'
      nodelist: 'Nodes were changed by both you and {user}.'
      memberlist: 'Relation members were changed by both you and {user}.'
-      tags: 'You changed the <b>{tag}</b> tag to "{local}" and {user} changed it to "{remote}".'
+      tags: 'You changed the {tag} tag to "{local}" and {user} changed it to "{remote}".'
  success:
    just_edited: "You just edited OpenStreetMap!"
    thank_you: "Thank you for improving the map."
--- a/dist/locales/en.min.json
+++ b/dist/locales/en.min.json
--- a/modules/core/localizer.js
+++ b/modules/core/localizer.js
@@ -1,3 +1,5 @@
+import { escape } from 'lodash-es';
+
 import { fileFetcher } from './file_fetcher';
 import { utilDetect } from '../util/detect';
 import { utilStringQs } from '../util';
@@ -348,13 +350,24 @@ export function coreLocalizer() {

    // Returns the localized text wrapped in an HTML element encoding the locale info
    localizer.t.html = function(stringId, replacements, locale) {
-        const info = localizer.tInfo(stringId, replacements, locale);
-        // text may be empty or undefined if `replacements.default` is
-        return info.text ? localizer.htmlForLocalizedText(info.text, info.locale) : '';
-    };
+      // replacement string might be html unsafe, so we need to escape it except if it is explicitly marked as html code
+      replacements = Object.assign({}, replacements);
+      for (var k in replacements) {
+        if (typeof replacements[k] === 'string') {
+          replacements[k] = escape(replacements[k]);
+        }
+        if (typeof replacements[k] === 'object' && typeof replacements[k].html === 'string') {
+          replacements[k] = replacements[k].html;
+        }
+      }

-    localizer.htmlForLocalizedText = function(text, localeCode) {
-        return `<span class="localized-text" lang="${localeCode || 'und'}">${text}</span>`;
+      const info = localizer.tInfo(stringId, replacements, locale);
+      // text may be empty or undefined if `replacements.default` is
+      if (info.text) {
+        return `<span class="localized-text" lang="${info.locale || 'und'}">${info.text}</span>`;
+      } else {
+        return '';
+      }
    };

    localizer.languageName = (code, options) => {
--- a/modules/ui/commit.js
+++ b/modules/ui/commit.js
@@ -302,12 +302,12 @@ export function uiCommit(context) {
            userLink
                .append('a')
                .attr('class', 'user-info')
-                .html(user.display_name)
+                .text(user.display_name)
                .attr('href', osm.userURL(user.display_name))
                .attr('target', '_blank');

            prose
-                .html(t.html('commit.upload_explanation_with_user', { user: userLink.html() }));
+                .html(t.html('commit.upload_explanation_with_user', { user: { html: userLink.html() } }));
        });


--- a/modules/ui/contributors.js
+++ b/modules/ui/contributors.js
@@ -39,7 +39,7 @@ export function uiContributors(context) {
            .attr('class', 'user-link')
            .attr('href', function(d) { return osm.userURL(d); })
            .attr('target', '_blank')
-            .html(String);
+            .text(String);

        if (u.length > limit) {
            var count = d3_select(document.createElement('span'));
@@ -54,11 +54,11 @@ export function uiContributors(context) {
                .html(othersNum);

            wrap.append('span')
-                .html(t.html('contributors.truncated_list', { n: othersNum, users: userList.html(), count: count.html() }));
+                .html(t.html('contributors.truncated_list', { n: othersNum, users: { html: userList.html() }, count: { html: count.html() } }));

        } else {
            wrap.append('span')
-                .html(t.html('contributors.list', { users: userList.html() }));
+                .html(t.html('contributors.list', { users: { html: userList.html() } }));
        }

        if (!u.length) {
--- a/modules/ui/note_editor.js
+++ b/modules/ui/note_editor.js
@@ -302,12 +302,12 @@ export function uiNoteEditor(context) {
            userLink
                .append('a')
                .attr('class', 'user-info')
-                .html(user.display_name)
+                .text(user.display_name)
                .attr('href', osm.userURL(user.display_name))
                .attr('target', '_blank');

            prose
-                .html(t.html('note.upload_explanation_with_user', { user: userLink.html() }));
+                .html(t.html('note.upload_explanation_with_user', { user: { html: userLink.html() } }));
        });
    }

--- a/modules/ui/tag_reference.js
+++ b/modules/ui/tag_reference.js
@@ -60,10 +60,20 @@ export function uiTagReference(what) {
            done();
        }

-        _body
+        var tagReferenceDescription = _body
            .append('p')
            .attr('class', 'tag-reference-description')
-            .html(docs.description ? localizer.htmlForLocalizedText(docs.description, docs.descriptionLocaleCode) : t.html('inspector.no_documentation_key'))
+            .append('span');
+        if (docs.description) {
+            tagReferenceDescription = tagReferenceDescription
+                .attr('class', 'localized-text')
+                .attr('lang', docs.descriptionLocaleCode || 'und')
+                .text(docs.description);
+        } else {
+            tagReferenceDescription = tagReferenceDescription
+                .html(t.html('inspector.no_documentation_key'));
+        }
+        tagReferenceDescription
            .append('a')
            .attr('class', 'tag-reference-edit')
            .attr('target', '_blank')