escape Message translate params value to prevent XSS attack (#554)

* runs params value through htmlspecialchars() to escape html content * add note about escaped content in translated messages * use Html::clean() instead of e() * Revert "add note about escaped content in translated messages" * escape params when translating messages; introduce transRaw method for legacy usage * Fix for #376 (#559) Fix for #376 * Add support for transOrderBy (#516) Add support for transOrderBy * update version file for 1.6.8 release * Disable safe mode checks for ML Static Pages. Fixes rainlab/pages-plugin#434. Refs: rainlab/pages-plugin#174, rainlab/pages-plugin@6b6b061 * Clear RainLab.Pages caches when saving a static page Fixes rainlab/pages-plugin#404 * Register asset bundle (#560) * make sure multi-lingual input form controls have padding-right of 44px * register asset bundle to process less files into css files * reposition language selector above textarea box * fix language selector position when commentAbove is defined * Update version file for 1.6.9 release * Fix error with casts fields default locale value (#556) * only call setLocale() if locale has changed (#561) * remove unused module Co-authored-by: Siarhei Karavai <[email protected]> Co-authored-by: Aurélien Roy <[email protected]> Co-authored-by: Ben Thomson <[email protected]> Co-authored-by: Luke Towers <[email protected]> Co-authored-by: Trysystems <[email protected]>
rainlab · Mar 20, 2020 · 4a3d601 · 4a3d601
1 parent c1d4726
commit 4a3d601
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/Plugin.php b/Plugin.php
@@ -238,6 +238,8 @@ public function registerMarkupTags()
             'filters' => [
                 '_'  => [$this, 'translateString'],
                 '__' => [$this, 'translatePlural'],
+                'transRaw'  => [$this, 'translateRawString'],
+                'transRawPlural' => [$this, 'translateRawPlural'],
                 'localeUrl' => [$this, 'localeUrl'],
             ]
         ];
@@ -282,4 +284,14 @@ public function translatePlural($string, $count = 0, $params = [], $locale = nul
     {
         return Lang::choice(Message::trans($string, $params, $locale), $count, $params);
     }
+
+    public function translateRawString($string, $params = [], $locale = null)
+    {
+        return Message::transRaw($string, $params, $locale);
+    }
+
+    public function translateRawPlural($string, $count = 0, $params = [], $locale = null)
+    {
+        return Lang::choice(Message::transRaw($string, $params, $locale), $count, $params);
+    }
 }
diff --git a/models/Message.php b/models/Message.php
@@ -204,6 +204,26 @@ public static function trans($messageId, $params = [], $locale = null)
     {
         $msg = static::get($messageId, $locale);
 
+        $params = array_build($params, function($key, $value){
+            return [':'.$key, e($value)];
+        });
+
+        $msg = strtr($msg, $params);
+
+        return $msg;
+    }
+
+    /**
+     * Looks up and translates a message by its string WITHOUT escaping params.
+     * @param  string $messageId
+     * @param  array  $params
+     * @param  string $locale
+     * @return string
+     */
+    public static function transRaw($messageId, $params = [], $locale = null)
+    {
+        $msg = static::get($messageId, $locale);
+
         $params = array_build($params, function($key, $value){
             return [':'.$key, $value];
         });