closes #6212

7 years ago · 2f3b7279be
parent 2c8cef6e92
commit 2f3b7279be
5 changed files with 16 additions and 7 deletions
--- a/install/package.json
+++ b/install/package.json
@ -69,9 +69,9 @@
        "nodebb-plugin-spam-be-gone": "0.5.1",
        "nodebb-rewards-essentials": "0.0.9",
        "nodebb-theme-lavender": "5.0.0",
-        "nodebb-theme-persona": "7.2.10",
+        "nodebb-theme-persona": "7.2.11",
        "nodebb-theme-slick": "1.1.2",
-        "nodebb-theme-vanilla": "8.1.4",
+        "nodebb-theme-vanilla": "8.1.5",
        "nodebb-widget-essentials": "4.0.1",
        "nodemailer": "4.4.1",
        "passport": "^0.4.0",
--- a/public/language/en-GB/pages.json
+++ b/public/language/en-GB/pages.json
@ -22,7 +22,7 @@

 	"notifications": "Notifications",
 	"tags": "Tags",
-	"tag": "Topics tagged under \"%1\"",
+	"tag": "Topics tagged under &quot;%1&quot;",
 	"register": "Register an account",
 	"registration-complete": "Registration complete",
 	"login": "Login to your account",
--- a/public/src/modules/translator.js
+++ b/public/src/modules/translator.js
@ -41,13 +41,11 @@
 	var assign = Object.assign || jQuery.extend;

 	function escapeHTML(str) {
-		return utils.decodeHTMLEntities(
+		return utils.escapeHTML(utils.decodeHTMLEntities(
 			String(str)
 				.replace(/[\s\xa0]+/g, ' ')
 				.replace(/^\s+|\s+$/g, '')
-		).replace(/[<>]/g, function (c) {
-			return c === '<' ? '&lt;' : '&gt;';
-		});
+		));
 	}

 	var Translator = (function () {
--- a/src/topics/tags.js
+++ b/src/topics/tags.js
@ -2,6 +2,7 @@
 'use strict';

 var async = require('async');
+var validator = require('validator');

 var db = require('../database');
 var meta = require('../meta');
@ -191,6 +192,7 @@ module.exports = function (Topics) {
 			},
 			function (tagData, next) {
 				tags.forEach(function (tag, index) {
+					tag.valueEscaped = validator.escape(String(tag.value));
 					tag.color = tagData[index] ? tagData[index].color : '';
 					tag.bgColor = tagData[index] ? tagData[index].bgColor : '';
 				});
--- a/test/translator.js
+++ b/test/translator.js
@ -114,6 +114,15 @@ describe('new Translator(language)', function () {
 			});
 		});

+		it('should not unescape html in parameters', function () {
+			var translator = Translator.create('en-GB');
+
+			var key = '[[pages:tag, some&amp;tag]]';
+			return translator.translate(key).then(function (translated) {
+				assert.strictEqual(translated, 'Topics tagged under &quot;some&amp;tag&quot;');
+			});
+		});
+
 		it('should properly escape and ignore % and \\, in arguments', function () {
 			var translator = Translator.create('en-GB');