FIX: Allow `target` attribute in translation overrides (#29503)

Some of our translations are HTML and have `target='_blank'`
included, we should allow the same when sanitizing input for
translation overrides.
This commit is contained in:
Martin Brennan 2024-11-01 09:48:07 +10:00 committed by GitHub
parent bb13e18855
commit 254cf22559
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 3 additions and 3 deletions

View File

@ -69,7 +69,7 @@ class TranslationOverride < ActiveRecord::Base
translation_override = find_or_initialize_by(params)
sanitized_value =
translation_override.sanitize_field(value, additional_attributes: ["data-auto-route"])
translation_override.sanitize_field(value, additional_attributes: %w[data-auto-route target])
original_translation =
I18n.overrides_disabled { I18n.t(transform_pluralized_key(key), locale: :en) }

View File

@ -186,14 +186,14 @@ RSpec.describe TranslationOverride do
end
it "sanitizes values before upsert" do
xss = "<a target='blank' href='%{path}'>Click here</a> <script>alert('TEST');</script>"
xss = "<a target='_blank' href='%{path}'>Click here</a> <script>alert('TEST');</script>"
TranslationOverride.upsert!("en", "js.themes.error_caused_by", xss)
ovr =
TranslationOverride.where(locale: "en", translation_key: "js.themes.error_caused_by").first
expect(ovr).to be_present
expect(ovr.value).to eq("<a href=\"%{path}\">Click here</a> alert('TEST');")
expect(ovr.value).to eq("<a target=\"_blank\" href=\"%{path}\">Click here</a> alert('TEST');")
end
describe "site cache" do