@sgiehl
Description:
The were various translations including a & or >. While this in general is fine, we currently have the problem that various translations of those strings now include a & or > instead, as weblate automatically escapes them due to the active safe_html filter. This can currently cause that the escaped chars are displayed in other languages.
I have now converted all & to & in the english sources and updated all usages of those strings so they are used 'raw', to avoid double encoding.
@diosmosis I've also updated ContentBlock.vue so the title is included as v-html, can you quickly check if it's fine that way?
Review
- [ ] Functional review done
- [ ] Potential edge cases thought about (behavior of the code with strange input, with strange internal state or possible interactions with other Matomo subsystems)
- [ ] Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
- [ ] Security review done
- [ ] Wording review done
- [ ] Code review done
- [ ] Tests were added if useful/possible
- [ ] Reviewed for breaking changes
- [ ] Developer changelog updated if needed
- [ ] Documentation added if needed
- [ ] Existing documentation updated if needed
@diosmosis
Wouldn't it be better to just not escape them in weblate so they are escaped in twig/vue?
@diosmosis I guess we would need to disable the safe_html filter on weblate for that, which I would prefer not to do.
Imho we actually should in general "trust" translations not to contain bad html and use them raw & unescaped.
My personal opinion is that with a framework like Vue where it is, explicitly in the documentation, discouraged to ever use v-html, increased uses should be avoided. And it is much easier to simply assume all template text is unsafe and use innerText/textContent (indirectly by vue) than it is to have different classes of input where some is actually unsafe and some is maybe safe, and have to consciously remember them.
That said I am not in charge of this so will defer approval of the PR to someone else.
The TypeScript/Vue related changes look fine.
@Findus23 As you are also involved in the translations stuff. What is your opinion on that one?
@justinvelluppillai
Happy for you to make the decision here @sgiehl
@github-actions[bot]
This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers
If you don't want this PR to be closed automatically in 28 days then you need to assign the label 'Do not close'.