Bump ICU MessageFormat
This uses `Intl.PluralRules` for plural rules, and fixes a security vulnerability allowing JS injection through translation arguments.
askvortsov1 committed Oct 26, 2021
1 parent 9724116 commit 7db2764
Showing 3 changed files with 21 additions and 29 deletions.
35 changes: 18 additions & 17 deletions js/package-lock.json


4 changes: 2 additions & 2 deletions js/package.json
Expand Up @@ -3,8 +3,8 @@
"name": "@flarum/core",
"prettier": "@flarum/prettier-config",
"dependencies": {
"@askvortsov/rich-icu-message-formatter": "^0.1.0",
"@ultraq/icu-message-formatter": "^0.10.1",
"@askvortsov/rich-icu-message-formatter": "^0.2.0",
"@ultraq/icu-message-formatter": "^0.12.0-beta.0",
"bootstrap": "^3.4.1",
"clsx": "^1.1.1",
"color-thief-browser": "^2.0.2",
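--- a/js/src/common/Translator.tsx
+++ b/js/src/common/Translator.tsx
@@ -55,16 +55,7 @@ export default class Translator {
 if (!parameters.username) parameters.username = username(user);
 }
 
-const escapedParameters: TranslatorParameters = {};
-
-for (const param in parameters) {
-const paramValue = parameters[param];
-
-if (typeof paramValue === 'string') escapedParameters[param] = <>{parameters[param]}</>;
-else escapedParameters[param] = parameters[param];
-}
-
-return escapedParameters;
+return parameters;
 }
 
 trans(id: string, parameters: TranslatorParameters = {}) {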
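Review bot: With the string-wrapping loop removed, the method ending at `return parameters;` hands caller-supplied strings to the formatter unchanged, so keeping translation arguments from being interpreted as markup now rests entirely on the formatter versions bumped in js/package.json, and nothing in this hunk records or tests that. I would add a comment above the return, `// No escaping here: the formatter must treat string arguments as plain text and never re-parse them as message syntax or tags.`, and a regression test asserting that a parameter containing tag-like text is rendered literally. Because the guarantee comes from a `^0.12.0-beta.0` range, a later resolution of that range could presumably change the behaviour, which is one more reason to pin it with a test. The method begins above the hunk, so any earlier handling of `parameters` is not visible here.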
