Sanitize some translate values but not others

berkes Published at Dev

berkes

I have a angular-translate directive that takes arguments, which are mixed. Some are user-generated, others are HTML that must be compiled (with translate-compile).

See this plunker for a working, greatly simplified example.

When the translate-sanitize-strategy is set to "null", nothing is sanitized:

 <p translate
 translate-value-amount="<currency data-amount='balance'></currency>"
 translate-value-beneficiary="{{ beneficiary }}"
 translate-sanitize-strategy="null"
 translate-compile="true">PAY_TO</p>

This renders You must pay € 13.37 to john-doe.

But when a user sets a nickname to john-<span onmouseover="this.textContent=\'h@ck3d\'">doe</span>, it will run that and it renders, after mouseover, You must pay € 13.37 to john-h@ck3d. Clearly an example of XSS.

When I set the strategy to sanitizeParameters, which is also our global setting, the beneficiary is properly sanitized. But so is the amount, which I trust (at this point) and which needs to be compiled!

<p translate
 translate-value-amount="<currency data-amount='balance'></currency>"
 translate-value-beneficiary="{{ beneficiary }}"
 translate-sanitize-strategy="'sanitizeParameters'"
 translate-compile="true">PAY_TO</p>

This renders You must pay to john-doe. So the beneficiary value is properly sanitized, but so is the value-amount, which I need to remain unsanitized in order for angular to compile it.

I've searched for a solution where I manually sanitize the beneficiary value, with a filter:

{{ beneficiary | sanitize }}

But this seems to require me to write a filter that uses the ngSanitize Service; not that hard, but still some work, tests, code for something that I expect to be natively available. Somewhere.

I've read through the angular-translate code to find if there is a (hidden) flag or naming convention or so, that allows per-value setting of sanitization, but could not find that. Something like translate-sanitize-attributes="['foo', 'bar']" or even atranslate-value-amount-astrusted=` or somesuch. But could find nothing that hints at being able to set sanitization-strategies or omission thereof, per-value.

How is this usually achieved in angularjs and angular-translate?

Matthijs

How about:

<p translate
 translate-value-amount="<currency data-amount='balance'></currency>"
 translate-value-beneficiary="<span ng-bind='beneficiary'></span>"
 translate-sanitize-strategy="null"
 translate-compile="true">PAY_TO</p>

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at2021-04-28

Comments

0 comments

TOP Ranking

Article

Sanitize some translate values but not others

Sanitize some translate values but not others

Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

pump.io port in URL

Failed to listen on localhost:8000 (reason: Cannot assign requested address)

grouping by column variables and appending a new variable based on condition

Python Read Directory And Output to CSV

BigQuery - concatenate ignoring NULL

Angular 8. Unknown amount of http.get requests in array to call, must be sequential, what to use

Remove adjacent duplicates in linked list in C

Can a 32-bit antivirus program protect you from 64-bit threats

How to keep curl session alive between two php processes?

Limit number of characters in uitextview

Unable to use switch toggle for dark mode in material-ui

In C#, is there a way to create a List directly from an Array without copying?

Laravel getting value from another table using eloquent

Spring Boot JPA PostgreSQL Web App - Internal Authentication Error

MTKView Displaying Wide Gamut P3 Colorspace

Vector input in shiny R and then use it

Modify c# Windows Forms control library

SQL Server : are transaction locking table for other users?

When I click any button in my view page the form is submitted

Can you sort columns (horizontally) in Google Sheets?