Fix XSS vulnerability

flarum · Jun 6, 2021 · 440bed8 · 440bed8 · davwheat · Jun 7, 2021
1 parent eeb8fe1
commit 440bed8
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/js/src/common/Translator.ts → js/src/common/Translator.tsx b/js/src/common/Translator.ts → js/src/common/Translator.tsx
@@ -48,12 +48,23 @@ export default class Translator {
     // future there should be a hook here to inspect the user and change the
     // translation key. This will allow a gender property to determine which
     // translation key is used.
+
     if ('user' in parameters) {
       const user = extract(parameters, 'user');
 
       if (!parameters.username) parameters.username = username(user);
     }
-    return parameters;
+
+    const escapedParameters: TranslatorParameters = {};
+
+    for (const param in parameters) {
+      const paramValue = parameters[param];
+
+      if (typeof paramValue === 'string') escapedParameters[param] = <>{parameters[param]}</>;
+      else escapedParameters[param] = parameters[param];
+    }
+
+    return escapedParameters;
   }
 
   trans(id: string, parameters: TranslatorParameters = {}) {