Some translations might be displayed with encoded entities #19190

Description:

The were various translations including a & or >. While this in general is fine, we currently have the problem that various translations of those strings now include a & or > instead, as weblate automatically escapes them due to the active safe_html filter. This can currently cause that the escaped chars are displayed in other languages.

I have now converted all & to & in the english sources and updated all usages of those strings so they are used 'raw', to avoid double encoding.

@diosmosis I've also updated ContentBlock.vue so the title is included as v-html, can you quickly check if it's fine that way?

Review

• [ ] Functional review done
• [ ] Potential edge cases thought about (behavior of the code with strange input, with strange internal state or possible interactions with other Matomo subsystems)
• [ ] Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
• [ ] Security review done
• [ ] Wording review done
• [ ] Code review done
• [ ] Tests were added if useful/possible
• [ ] Reviewed for breaking changes
• [ ] Developer changelog updated if needed
• [ ] Documentation added if needed
• [ ] Existing documentation updated if needed

Wouldn't it be better to just not escape them in weblate so they are escaped in twig/vue?

@diosmosis I guess we would need to disable the safe_html filter on weblate for that, which I would prefer not to do.
Imho we actually should in general "trust" translations not to contain bad html and use them raw & unescaped.

My personal opinion is that with a framework like Vue where it is, explicitly in the documentation, discouraged to ever use v-html, increased uses should be avoided. And it is much easier to simply assume all template text is unsafe and use innerText/textContent (indirectly by vue) than it is to have different classes of input where some is actually unsafe and some is maybe safe, and have to consciously remember them.

That said I am not in charge of this so will defer approval of the PR to someone else.

The TypeScript/Vue related changes look fine.

@Findus23 As you are also involved in the translations stuff. What is your opinion on that one?

Happy for you to make the decision here @sgiehl

This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers

If you don't want this PR to be closed automatically in 28 days then you need to assign the label 'Do not close'.

I didn't see this PR yet, but have to say that I don't have a strong opinion either way. Not using v-html (or raw) feels cleaner to me and should leave a lot less mental overhead in the whole process. But of course one needs to keep in mind that it is always possible for a translation to contain "special characters" that the English source string doesn't contain, so accidentally encoding twice can cause things like #19626

If you don't want this PR to be closed automatically in 28 days then you need to assign the label 'Do not close'.