There were various translations including a & or >. While this in general is fine, we currently have the problem that various translations of those strings now include a & or > instead, as weblate automatically escapes them due to the active safe_html filter. This can currently cause that the escaped chars are displayed in other languages.
I have now converted all & to & in the English sources and updated all usages of those strings so they are used 'raw', to avoid double encoding.
@diosmosis I've also updated ContentBlock.vue so the title is included as v-html, can you quickly check if it's fine that way?
Wouldn't it be better to just not escape them in weblate so they are escaped in twig/vue?
@diosmosis I guess we would need to disable the safe_html filter on weblate for that, which I would prefer not to do.
Imho we actually should in general "trust" translations not to contain bad html and use them raw & unescaped.
My personal opinion is that with a framework like Vue where it is, explicitly in the documentation, discouraged to ever use v-html, increased uses should be avoided. And it is much easier to simply assume all template text is unsafe and use innerText/textContent (indirectly by vue) than it is to have different classes of input where some is actually unsafe and some is maybe safe, and have to consciously remember them.
That said I am not in charge of this so will defer approval of the PR to someone else.
The TypeScript/Vue related changes look fine.
@Findus23 As you are also involved in the translations stuff. What is your opinion on that one?
Happy for you to make the decision here @sgiehl
This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers
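The trade-off discussed in this thread, as an added example that is not part of the PR or of Matomo's code: a translation that arrives already entity-escaped is double-encoded when the template escapes it again, while rendering it raw also lets any markup in the translation through. The sample strings, the helper names and the third "normalize, then escape" mode are assumptions made for illustration.

```javascript
// Added example; strings and helper names are constructed, not Matomo code.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DEC = Object.fromEntries(Object.entries(ESC).map(([c, e]) => [e, c]));

// What text interpolation ({{ }} in Vue, autoescaping in Twig) does.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESC[c]);
}

// A single decoding pass, as a browser does when it shows a text node.
function decodeOnce(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => DEC[e]);
}

// True when the output still holds a tag the browser would parse as HTML.
function hasLiveMarkup(html) {
  return /<[a-z!\/]/i.test(html);
}

// mode: 'escaped' = {{ title }}, 'raw' = v-html or |raw,
//       'normalized' = decode the stored entities once, then escape.
function render(translation, mode) {
  let html = translation;
  if (mode === 'escaped') html = escapeHtml(translation);
  if (mode === 'normalized') html = escapeHtml(decodeOnce(translation));
  const live = hasLiveMarkup(html);
  // "shown" is the visible text; null when tags would be interpreted.
  return { html, live, shown: live ? null : decodeOnce(html) };
}

// Constructed samples: an entity-escaped translation, and one with markup.
const stored = 'Ziele &amp; Conversions';
const withTag = 'Ziele <b>&amp;</b> Conversions';

for (const mode of ['escaped', 'raw', 'normalized']) {
  for (const t of [stored, withTag]) {
    console.log(mode.padEnd(10), JSON.stringify(render(t, mode)));
  }
}
```
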