Opened 7 years ago

Closed 6 years ago

#9185 closed (fixed)

blocktrans auto escape peculiarity

Reported by: gruffudd
Owned by: garcia_marc
Component: Internationalization
Version: 1.0
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

This does not auto escape value:

{% blocktrans %}This string will have {{ value }} inside.{% endblocktrans %}

but this does:

{% blocktrans value as value %}This string will have {{ value }} inside.{% endblocktrans %}

I think the auto escaping should work in both cases.

Change History (5)

comment:1 Changed 7 years ago by gruffudd

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

On second thought, perhaps this is invalid.
It's to do with the order in which substitution is done. In the first example the substitution is done before translation, which doesn't make sense in most cases anyway.

comment:2 Changed 7 years ago by mtredinnick

  • Component changed from Template system to Internationalization
  • Resolution invalid deleted
  • Status changed from closed to reopened
  • Triage Stage changed from Unreviewed to Accepted

I believe your initial report more than your conclusion. :-)

It seems somewhat inconsistent and I can't really see why the behaviours should be different. Your comment seems to explain why they are different due to the implementation, but that's not necessarily good behaviour. I'm going to reopen this, because we need better behaviour here. At the very least, this would have to be something that was very clearly documented, but it's going to take a bit to convince me that the two versions should just behave exactly the same way.

comment:3 Changed 7 years ago by gruffudd

If I understand correctly, one of the downsides of adding auto escaping to the first example is that the po file would potentially need HTML-entitied strings in msgid="bla&bla" in order for a translation to match.
Not doing it, however, means a potential XSS hole if somebody forgets to specify the variable in the blocktrans tag.
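
The trade-off raised in comment:1 and comment:3, as an added example that is not part of the ticket and is not Django's code: a simplified model of the two orderings, showing that translating a placeholder msgid first and escaping values only at interpolation keeps the msgid free of HTML entities while still escaping the output. The catalogue, the `[xx]` translation, the sample value and all function names are constructed for illustration.

```python
import html
import re

# Constructed stand-in for a compiled .po catalogue (msgid -> msgstr).
CATALOG = {
    "This string will have %(value)s inside.":
        "[xx] %(value)s is inside this string.",
}

# Matches a simple template variable such as "{{ value }}".
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

BLOCK = "This string will have {{ value }} inside."


def to_msgid(block):
    """Replace '{{ name }}' with '%(name)s' so the msgid never contains data."""
    return PLACEHOLDER.sub(r"%(\1)s", block.replace("%", "%%"))


def translate(msgid):
    """Catalogue lookup; an unknown msgid falls back to itself, as gettext does."""
    return CATALOG.get(msgid, msgid)


def render_substitute_first(block, context):
    """Ordering described in comment:1: fill in raw values, then translate.

    The filled-in string is not a known msgid, so the lookup misses and the
    unescaped value reaches the output.
    """
    filled = PLACEHOLDER.sub(lambda m: str(context[m.group(1)]), block)
    return translate(filled)


def render_translate_first(block, context):
    """Translate the placeholder msgid, then interpolate HTML-escaped values."""
    msgstr = translate(to_msgid(block))
    escaped = {name: html.escape(str(val)) for name, val in context.items()}
    return msgstr % escaped


if __name__ == "__main__":
    ctx = {"value": "<b>R&D</b>"}  # constructed sample containing markup
    print(to_msgid(BLOCK))
    print(render_substitute_first(BLOCK, ctx))
    print(render_translate_first(BLOCK, ctx))
```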

comment:4 Changed 6 years ago by garcia_marc

  • Owner changed from nobody to garcia_marc
  • Status changed from reopened to new

comment:5 Changed 6 years ago by garcia_marc

  • Resolution set to fixed
  • Status changed from new to closed

It looks like this ticket was a duplicate of #10369, and it was fixed on [10519].
