View Issue Details

ID: 0001011
Project: Main CAcert Website
Category: translations
View Status: public
Last Update: 2013-01-15 18:08
Reporter: NEOatNHNG
Assigned To: NEOatNHNG
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Fixed in Version: 2012 Q2
Summary: 0001011: HTML tags in translations are not escaped

Description: Translators could introduce HTML tags (e.g. <script>).

Probably always escape the '<' and '>' and maybe also the '&' (but then we would have to get rid of all those existing HTML entities). For a few strings the HTML has to be pulled out of the gettexted string.
Tags: No tags attached.
Reviewed by: dastrath, NEOatNHNG

Relationships

related to 0001097 (closed, NEOatNHNG): Special characters which have no HTML-entities are not properly escaped

Activities

NEOatNHNG

2012-01-30 21:06

administrator   ~0002809

One could replace the PHP line in the makefile by:

php -r 'while (!feof(STDIN)) { $$line = fgets(STDIN); $$line = strtr($$line, array("<" => "&lt;", ">" => "&gt;")); $$line = mb_convert_encoding($$line, "HTML-ENTITIES", "UTF-8"); echo $$line; }'

But that also breaks some meta information in the PO files, most notably the plural specification.

So maybe we have to replace all the gettext function calls with a custom one wrapping the standard gettext and stripping HTML special characters.

NEOatNHNG

2012-01-31 03:11

administrator   ~0002815

I have extended the escaping routine into a full-blown PHP script that should keep the meta data intact while escaping the rest.

Please review and test whether there are major places where this escaping breaks things.
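The approach the two notes above describe, as an added example that is not the CAcert script: a build-step filter (written in Python here rather than the PHP of the notes) that escapes `<`, `>` and bare `&` in every msgstr of a PO file but leaves the header entry, and with it the `Plural-Forms: ... plural=(n > 1)` specification, untouched. Going beyond the page, `&` is only escaped when it does not already start an entity, so existing entities survive; the PO content is constructed sample data.

```python
import re

# Constructed sample PO file: header entry (msgid "") with the plural spec, then two entries with HTML in msgstr.
SAMPLE_PO = r'''msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Plural-Forms: nplurals=2; plural=(n > 1);\n"

#: account.php:40
msgid "Report bugs"
msgstr "<script>alert(1)</script> Fehler melden &amp; Co"

msgid "%d file"
msgid_plural "%d files"
msgstr[0] "%d Datei"
msgstr[1] "%d Dateien <b>"
'''

# A bare '&' is one that does not already start an entity (&amp; &#8364; &#x20AC;).
_BARE_AMP = re.compile(r'&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#x[0-9A-Fa-f]+);)')
_MSGSTR = re.compile(r'^(msgstr(?:\[\d+\])?\s+)"(.*)"\s*$')  # msgstr "..." or msgstr[N] "..."
_CONT = re.compile(r'^"(.*)"\s*$')                           # continuation line "..."

def escape_html(text):
    """Escape <, > and bare &; existing entities are kept as they are."""
    text = _BARE_AMP.sub('&amp;', text)
    return text.replace('<', '&lt;').replace('>', '&gt;')

def escape_po(po_text):
    """Escape HTML in every msgstr of a PO file, leaving the header entry alone."""
    out, state, in_header = [], None, False
    for line in po_text.splitlines():
        stripped = line.strip()
        cont, m = _CONT.match(line), _MSGSTR.match(line)
        if stripped.startswith('msgid '):
            in_header = stripped == 'msgid ""'  # header candidate until a continuation line proves otherwise
            state = 'msgid'
        elif m:
            state = 'msgstr'
            if not in_header:
                line = '%s"%s"' % (m.group(1), escape_html(m.group(2)))
        elif cont and state == 'msgid':
            in_header = False  # continuation of a multi-line msgid: a real entry, not the header
        elif cont and state == 'msgstr' and not in_header:
            line = '"%s"' % escape_html(cont.group(1))
        elif not cont:
            state = None  # comment, blank line, msgid_plural, msgctxt, ...
        out.append(line)
    return '\n'.join(out) + '\n'
```

Because msgids are left alone, HTML that developers put into source strings still has to be moved out of the gettexted string, as the description notes.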

INOPIAE

2012-02-07 22:12

updater   ~0002825

Last edited: 2012-02-07 22:56

On account.php&id=40 the link to bugs at the end of the page shows in German
<a href='https://bugs.cacert.org/'>bugs.cacert.org</a> as HTML text and not as a link. => OK
While creating an error, e.g. a too short title on advertising.php, the line break is visible as
. => OK

INOPIAE

2012-04-24 22:49

updater   ~0002959

Reviewed by Dirk, ready to go

INOPIAE

2012-04-24 22:50

updater   ~0002960

ready to deploy

NEOatNHNG

2012-04-28 22:24

administrator   ~0002967

Mail sent to critical admins

wytze

2012-04-29 18:37

developer   ~0002971

The patch has been installed on the production system on April 29, 2012. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2012-04/msg00012.html

Issue History

Date Modified Username Field Change
2012-01-30 20:22 NEOatNHNG New Issue
2012-01-30 20:22 NEOatNHNG Assigned To => NEOatNHNG
2012-01-30 21:06 NEOatNHNG Note Added: 0002809
2012-01-31 02:35 NEOatNHNG Source_changeset_attached => cacert-devel testserver e7f53d62
2012-01-31 02:35 NEOatNHNG Source_changeset_attached => cacert-devel testserver d30dd44c
2012-01-31 03:05 NEOatNHNG Source_changeset_attached => cacert-devel testserver 29176a66
2012-01-31 03:05 NEOatNHNG Source_changeset_attached => cacert-devel testserver 56cff58b
2012-01-31 03:11 NEOatNHNG Note Added: 0002815
2012-01-31 03:11 NEOatNHNG Status new => needs review & testing
2012-01-31 03:11 NEOatNHNG Assigned To NEOatNHNG => Ted
2012-01-31 03:11 NEOatNHNG Reviewed by => NEOatNHNG
2012-02-07 22:12 INOPIAE Note Added: 0002825
2012-02-07 22:29 INOPIAE Note Edited: 0002825
2012-02-07 22:56 INOPIAE Note Edited: 0002825
2012-02-07 23:35 NEOatNHNG Source_changeset_attached => cacert-devel testserver 7ec2398e
2012-02-07 23:35 NEOatNHNG Source_changeset_attached => cacert-devel testserver 453ad50d
2012-04-24 22:49 INOPIAE Note Added: 0002959
2012-04-24 22:50 INOPIAE Note Added: 0002960
2012-04-24 22:50 INOPIAE Assigned To Ted => NEOatNHNG
2012-04-24 22:50 INOPIAE Status needs review & testing => ready to deploy
2012-04-28 22:06 NEOatNHNG Reviewed by NEOatNHNG => dastrath, NEOatNHNG
2012-04-28 22:24 NEOatNHNG Note Added: 0002967
2012-04-28 22:24 NEOatNHNG View Status private => public
2012-04-28 22:40 NEOatNHNG Source_changeset_attached => cacert-devel release 8184d0ab
2012-04-29 18:37 wytze Note Added: 0002971
2012-04-29 18:37 wytze Status ready to deploy => solved?
2012-04-29 18:37 wytze Resolution open => fixed
2012-05-30 21:09 NEOatNHNG Status solved? => closed
2012-09-11 23:55 NEOatNHNG Relationship added related to 0001097
2013-01-15 18:08 Werner Dworak Fixed in Version => 2012 Q2