[5.6] Fix translation escaping #25858
Conversation
X-Coder264
force-pushed
the
fix-translation-escaping
branch
from
0df2141 to
8ea41e0
Compare
|
This needs to go to 5.7. |
|
@taylorotwell What do you mean? You've already merged this to 5.6 and you merge stuff upstream so this will get to 5.7 too, or I misunderstood something? 😄 |
|
Compared to the first It's no longer possible to include HTML in replaced :keys strings (instead requiring I don't see why a translation service would be responsible for encoding HTML? Wouldn't that fall on the templating system and the end-user's choice? I personally have never touched the |
|
Another issue with this approach is that everytime you use For example This would probably happen with other notification drivers too like SMS and Slack. |
|
It affects translations in JSON response bodies as well. return response()->json([
'status' => 'success',
'data' => $company,
'message' => __(':name successfully created!', ['name' => $company->name]),
]);{"status":"success","data":{"id":1,"name":"..."},"message":"Ampersand & Sons successfully created!"} // What does JSON have to do with HTML?
// Vue templating, etc. are responsible for encoding if output is shown in a DOM tree.
'message' => __(':name successfully created!', ['name' => new HtmlString($company->name)]),
]);If devs don't give a stuff about config/app.php[
'providers' => [
// ...
// Illuminate\Translation\TranslationServiceProvider::class,
App\Providers\TranslationServiceProvider::class,app/Providers/TranslationServiceProvider.phpnamespace App\Providers;
use App\Support\Translator;
use Illuminate\Translation\TranslationServiceProvider as BaseTranslationServiceProvider;
class TranslationServiceProvider extends BaseTranslationServiceProvider
{
public function register()
{
$this->registerLoader();
$this->app->singleton('translator', function ($app) {
$loader = $app['translation.loader'];
$locale = $app['config']['app.locale'];
$trans = new Translator($loader, $locale);
$trans->setFallback($app['config']['app.fallback_locale']);
return $trans;
});
}
}app/Support/Translator.phpnamespace App\Support;
use Illuminate\Support\Str;
use Illuminate\Translation\Translator as BaseTranslator;
class Translator extends BaseTranslator
{
protected function makeReplacements($line, array $replace)
{
if (empty($replace)) {
return $line;
}
$replace = $this->sortReplacements($replace);
foreach ($replace as $key => $value) {
$line = str_replace(
[':'.$key, ':'.Str::upper($key), ':'.Str::ucfirst($key)],
[$value, Str::upper($value), Str::ucfirst($value)],
$line
);
}
return $line;
}
}You just have to keep a watchful eye on these with every Composer version bump: |
|
When can we expect a new release with this for 5.6? |
I`m not sure, but probably we also should reverting `email lang template` ([laravel#25734](laravel#25734)) changes in 5.6 version Since in prev 5.6 release we also had: - `Fixed translation escaping ([laravel#25858](laravel#25858), [4c46500](https://github.com/laravel/framework/commit/4c465007bbf51d7f269871cd76b6d99de7df90bb))` for fixed translation escaping The same revert was in 5.7 (laravel#25963)
* [5.6] Revert email lang template changes. I`m not sure, but probably we also should reverting `email lang template` ([#25734](#25734)) changes in 5.6 version Since in prev 5.6 release we also had: - `Fixed translation escaping ([#25858](#25858), [4c46500](https://github.com/laravel/framework/commit/4c465007bbf51d7f269871cd76b6d99de7df90bb))` for fixed translation escaping The same revert was in 5.7 (#25963) * [5.6] Revert email lang template changes. - add `comma` after last value in array.
* [5.6] Revert email lang template changes. I`m not sure, but probably we also should reverting `email lang template` ([#25734](laravel/framework#25734)) changes in 5.6 version Since in prev 5.6 release we also had: - `Fixed translation escaping ([#25858](laravel/framework#25858), [4c46500](https://github.com/laravel/framework/commit/4c465007bbf51d7f269871cd76b6d99de7df90bb))` for fixed translation escaping The same revert was in 5.7 (laravel/framework#25963) * [5.6] Revert email lang template changes. - add `comma` after last value in array.
Fixes #25515
d3c0a36 was a security fix because there was an XSS vulnerability when passing parameters as the second method to @lang. Unfortunately the fix escaped the whole output instead of only the parameters that were being replaced which resulted in a major breaking change (because people can no longer use HTML tags inside translations) -> #25408. This PR fixes that by escaping only the parameters that are being replaced so that there can't be any XSS, but doing it this way still allows people to have HTML in the translation files.