Not sure if Joomla supports this on purpose or not, but will raise it anyway.
If you create the following language string:
COM_MYCOMPONENT_STRING="<script>alert('test')</script>"
And then call it using:
echo Joomla\CMS\Language\Text::_('COM_CONTENTHISTORY_PREVIEW_FIELD');
It will display a browser alert on the page.
Is this allowed on purpose?
Can you also reproduce it with a language override through the admin or only by manually editing the language file?
@acs-ferreira Haven't tried overriding the string in the admin backend. This test is for editing language file
@acs-ferreira : If used in overrides, the script tag is removed
HTML yes, but an HTML script tag specifically?
Why would it be excluded?
To prevent any potential XSS attacks
This really should have been reported privately to the jsst
If you're passing user input, you should filter or escape it before doing so. This doesn't belong in Text class.
It should not be considered a security vulnerability that language strings can have any valid HTML structures in them. Nor should the language API be trying to sanitize HTML before translating text. That is really a concern of the presentation layer, not the translation layer.
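To make the split between translation and presentation concrete, here is an added example (not the thread's or Joomla's own code): a small stand-in for the language loader that reads a Joomla-style KEY="value" .ini file, and the output escaping a template is expected to apply. The helper names loadLanguageIni, translate and escapeHtml are assumptions for this illustration; in Joomla itself the equivalents are Language::load, Text::_ / Text::sprintf and htmlspecialchars in the layout.

```php
<?php
// Added example, not Joomla code: translation layer returns HTML untouched,
// presentation layer decides whether to escape it.
declare(strict_types=1);

// Constructed sample language file in Joomla's KEY="value" .ini format.
$iniContents = <<<'INI'
; constructed sample; first string mirrors the one from the report
COM_MYCOMPONENT_STRING="<script>alert('test')</script>"
COM_MYCOMPONENT_HELLO="Hello, <strong>%s</strong>!"
INI;

/** Parse KEY="value" lines into an array (stand-in for Language::load). */
function loadLanguageIni(string $contents): array
{
    $strings = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';' || $line[0] === '#') {
            continue; // blank lines and comments
        }
        if (preg_match('/^([A-Z0-9_]+)\s*=\s*"(.*)"$/', $line, $m)) {
            // Joomla 3 files encode an embedded double quote as "_QQ_"
            $strings[$m[1]] = str_replace('"_QQ_"', '"', $m[2]);
        }
    }
    return $strings;
}

/** Translation layer: hands back the stored string, markup included (like Text::_). */
function translate(array $strings, string $key): string
{
    return $strings[$key] ?? $key;
}

/** Presentation layer: escape for an HTML text node before echoing. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$strings = loadLanguageIni($iniContents);

// Echoing translate() directly would render the <script> from the .ini file;
// escaping at output makes it inert text in the page.
echo escapeHtml(translate($strings, 'COM_MYCOMPONENT_STRING')), PHP_EOL;

// When the language string is trusted markup with a placeholder, escape the
// untrusted argument that is substituted into it, not the string itself.
$userName = '<b>Mallory</b>'; // constructed untrusted input
echo sprintf(translate($strings, 'COM_MYCOMPONENT_HELLO'), escapeHtml($userName)), PHP_EOL;
```

The first echo prints the script tag as escaped text; the second keeps the &lt;strong&gt; from the language file while neutralising the tags supplied by the user.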
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-04-02 07:01:28 |
Closed_By | ⇒ | C-Lodder |
Yes, HTML is allowed here.