I would like you to consider escaping parameters passed to the `$t` method.
Why?
When we want to use HTML in translations, we have to use `v-html`, right? But what if we pass a parameter that comes from the user? Then that's an open door to XSS.
Example :
```js
// my translations would contain something like
var fr = {
  "hello": "Hello <strong>{name}</strong>, how are you today ?"
}
```

```html
<!-- let's assume here that "username" contains "thomas petrov" -->
<div v-html="$t('hello', {name: username})"></div>
<!-- here, no problem -->

<!-- let's assume here that "username" contains "thomas <br> petrov" -->
<div v-html="$t('hello', {name: username})"></div>
<!-- now we have a problem -->
```
I think all parameters must be filtered against XSS, or at least there should be an option to enable global escaping of parameters, with a way to escape them locally when needed too.
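The behaviour requested above, as an added example that is not part of the original issue and not vue-i18n's own code: a minimal interpolator that HTML-escapes every parameter before substituting it into the translation string, so the result is safe to pass to `v-html`, with an explicit per-call opt-out for the rare case where a parameter really must carry markup. The names `translate`, `escapeHtml` and the `{ escape }` option are hypothetical and chosen for the illustration; only the message string and the two `username` values come from the issue.

```javascript
// Added example: escape-by-default parameter interpolation for translations
// rendered through v-html. `translate`, `escapeHtml` and the `escape` option
// are hypothetical names, not vue-i18n's API.
const messages = {
  fr: { hello: "Hello <strong>{name}</strong>, how are you today ?" },
};

// Escape the five characters that can change HTML structure or break out of
// an attribute value: & < > " '
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Substitute {param} placeholders in the message for `key`.
// Parameters are escaped by default ("global escape"); a caller that needs raw
// markup in a parameter must opt out explicitly with { escape: false }
// ("local override"). Unknown placeholders are left untouched.
function translate(locale, key, params = {}, options = { escape: true }) {
  const template = messages[locale][key];
  return template.replace(/\{(\w+)\}/g, (match, name) => {
    if (!(name in params)) return match;
    const value = params[name];
    return options.escape ? escapeHtml(value) : String(value);
  });
}

// The two inputs from the issue. `hostile` keeps the <br> inert as text;
// `unescaped` shows what the markup looks like when escaping is switched off.
const safe = translate("fr", "hello", { name: "thomas petrov" });
const hostile = translate("fr", "hello", { name: "thomas <br> petrov" });
const unescaped = translate("fr", "hello", { name: "thomas <br> petrov" }, { escape: false });
console.log(safe);
console.log(hostile);
console.log(unescaped);
```

Escaping the parameter rather than the whole message keeps the translator's intended `<strong>` markup intact while neutralising anything that arrived through the user-controlled value; the opt-out exists so the default can stay strict without blocking legitimate uses.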
Something like this: https://angular-translate.github.io/docs/#/guide/19_security