
Bump ICU MessageFormat #3122

Merged (2 commits), Oct 27, 2021

Conversation

@askvortsov1 (Sponsor, Member) commented Oct 26, 2021

Fixes #3072

Changes proposed in this pull request:
This uses Intl.PluralRules for plural rules, and fixes a security vulnerability allowing JS injection through translation arguments.

The vuln fix in the underlying repo works by escaping HTML symbols in all user-provided arguments that are strings or nested arrays of strings (since those could get flattened in).

Reviewers should focus on:
Tests for the vuln fix:

Anything I missed / that should be added?

Necessity

  • Has the problem that is being solved here been clearly explained?
  • If applicable, have various options for solving this problem been considered?
  • For core PRs, does this need to be in core, or could it be in an extension?
  • Are we willing to maintain this for years / potentially forever?

Confirmed

  • Frontend changes: tested on a local Flarum installation.
  • Backend changes: tests are green (run composer test).
  • Core developer confirmed locally this works as intended.
  • Tests have been added, or are not appropriate here.
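The escaping described in the PR above, as an added example (not code from Flarum or from the ICU MessageFormat package being bumped): a minimal formatter over a constructed, pre-parsed token form that picks plural branches with `Intl.PluralRules` and HTML-escapes string arguments, recursing into nested arrays, before they are flattened into the output. The token shape and the names `escapeArg`, `formatTokens` and `formatMessage` are assumptions made for this example.

```javascript
// Added example: illustrates escaping user-provided string arguments (and
// nested arrays of strings) before they are flattened into a formatted message.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(str) {
  return str.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape only the shapes that can end up flattened into the output: strings and
// (possibly nested) arrays of strings. Numbers and other values pass through.
function escapeArg(value) {
  if (typeof value === 'string') return escapeHtml(value);
  if (Array.isArray(value)) return value.map(escapeArg);
  return value;
}

// Constructed token shapes (the real package's parser is not reproduced here):
//   'literal text'                                  -> emitted as-is
//   { arg: 'name' }                                 -> argument substitution
//   { plural: 'count', options: { one: [...], other: [...] } } -> plural select
function formatTokens(tokens, args, locale) {
  const rules = new Intl.PluralRules(locale);
  return tokens.flatMap((tok) => {
    if (typeof tok === 'string') return [tok];
    if (tok.arg !== undefined) return [args[tok.arg]];
    if (tok.plural !== undefined) {
      const n = args[tok.plural];
      const branch = tok.options[rules.select(n)] || tok.options.other;
      // In ICU syntax '#' inside a plural branch stands for the number itself.
      return formatTokens(branch.map((t) => (t === '#' ? String(n) : t)), args, locale);
    }
    return [];
  });
}

// Escape every argument once, up front, then format and flatten nested arrays.
function formatMessage(tokens, rawArgs, locale = 'en') {
  const safeArgs = Object.fromEntries(
    Object.entries(rawArgs).map(([k, v]) => [k, escapeArg(v)])
  );
  return formatTokens(tokens, safeArgs, locale).flat(Infinity).join('');
}

// Constructed sample message: a user-controlled name plus a plural select.
const MESSAGE = [
  { arg: 'user' }, ' posted ',
  { plural: 'count', options: { one: ['#', ' reply'], other: ['#', ' replies'] } },
];

console.log(formatMessage(MESSAGE, { user: '<b>Mallory</b> & co', count: 1 }));
```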

@SychO9 (Member) left a comment

Looks like the package has a stable tag now.

This uses `Intl.PluralRules` for plural rules, and fixes a security vulnerability allowing JS injection through translation arguments.
@askvortsov1 askvortsov1 merged commit e550b15 into master Oct 27, 2021
@askvortsov1 askvortsov1 deleted the as/bump-rich-icu branch October 27, 2021 20:41
Successfully merging this pull request may close these issues.

Support for few in ICU Message syntax