@sgiehl opened this Pull Request on May 6th 2022 Member


The were various translations including a & or >. While this in general is fine, we currently have the problem that various translations of those strings now include a & or > instead, as weblate automatically escapes them due to the active safe_html filter. This can currently cause that the escaped chars are displayed in other languages.

I have now converted all & to & in the english sources and updated all usages of those strings so they are used 'raw', to avoid double encoding.

@diosmosis I've also updated ContentBlock.vue so the title is included as v-html, can you quickly check if it's fine that way?


@diosmosis commented on May 6th 2022 Member

Wouldn't it be better to just not escape them in weblate so they are escaped in twig/vue?

@sgiehl commented on May 8th 2022 Member

@diosmosis I guess we would need to disable the safe_html filter on weblate for that, which I would prefer not to do.
Imho we actually should in general "trust" translations not to contain bad html and use them raw & unescaped.

@diosmosis commented on May 8th 2022 Member

My personal opinion is that with a framework like Vue where it is, explicitly in the documentation, discouraged to ever use v-html, increased uses should be avoided. And it is much easier to simply assume all template text is unsafe and use innerText/textContent (indirectly by vue) than it is to have different classes of input where some is actually unsafe and some is maybe safe, and have to consciously remember them.

That said I am not in charge of this so will defer approval of the PR to someone else.

The TypeScript/Vue related changes look fine.

@sgiehl commented on May 9th 2022 Member

@Findus23 As you are also involved in the translations stuff. What is your opinion on that one?

@justinvelluppillai commented on May 13th 2022 Member

Happy for you to make the decision here @sgiehl

@github-actions[bot] commented on May 20th 2022 Contributor

This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers

@github-actions[bot] commented on June 22nd 2022 Contributor

If you don't want this PR to be closed automatically in 28 days then you need to assign the label 'Do not close'.

@Findus23 commented on August 16th 2022 Member

I didn't see this PR yet, but have to say that I don't have a strong opinion either way. Not using v-html (or raw) feels cleaner to me and should leave a lot less mental overhead in the whole process. But of course one needs to keep in mind that it is always possible for a translation to contain "special characters" that the English source string doesn't contain, so accidentally encoding twice can cause things like #19626

@github-actions[bot] commented on September 1st 2022 Contributor

If you don't want this PR to be closed automatically in 28 days then you need to assign the label 'Do not close'.

This Pull Request was closed on September 14th 2022
Powered by GitHub Issue Mirror