
I got a strange or maybe intended behavior with angular translate.
Our value strategy is

$translateProvider.useSanitizeValueStrategy('sanitize');

We mostly use the translate filter in our application, but when it comes to special characters we get, for example, &#220;berschrift instead of Überschrift.
If I use the directive it works.
If I use the filter this only works when the sanitize strategy is set to "escaped".

Is there another solution than to rewrite ALL the translation filters to directives?

Here is my plnkr http://plnkr.co/edit/QIMVQcyH5APeYxNnS82v

For your information, I can't simply use the "escaped" strategy, because we use angular translate variables as well and these variables contain sometimes even html tags.

Thanks!

Anditthas

2 Answers


Use sanitizeParameters instead of sanitize. Here is the fixed plnkr: http://plnkr.co/edit/qicVqPXn3qo6hMNa1fY2?p=preview

EDIT (07/10/2016): There is a significant difference between the two sanitization strategies. sanitizeParameters sanitizes the interpolation parameters and not the translated output. That means that it doesn't allow for changes in those parameters, but the translated content is still vulnerable since it's not sanitized.

The problem with sanitize and UTF-8 characters is a known issue and I believe it's being worked on.

DGarvanski
  • Thanks, I tried it before and it somehow didn't work. But now it does! – Anditthas Oct 15 '15 at 09:59
  • What are the security impacts of this change? I can't figure out from the docs https://angular-translate.github.io/docs/#/guide/19_security – Bruno Peres Oct 06 '16 at 14:26
  • I should have done this earlier, but I edited the answer now to provide more information. – DGarvanski Oct 07 '16 at 13:28
  • @DGarvanski I don't think `$translateProvider.useSanitizeValueStrategy('escape','sanitizeParameters');` works, because `useSanitizeValueStrategy` only accepts one argument, not two. – Mike Moore Jun 15 '17 at 21:40

$translateProvider.useSanitizeValueStrategy(['escape', 'sanitizeParameters']);

This works for my project. I hope this is secure enough.

Source: https://stackoverflow.com/a/39118996/9798484

Oleg Fedorin
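The point made in the edited first answer and the combined strategy in the second answer, as an added toy model (not angular-translate's own code): which part of a translation each strategy protects, and why 'sanitize' turns Ü into &#220; in the filter but not in the directive. The tag-stripping and entity-encoding behaviours are simplified assumptions standing in for the real $sanitize.

```javascript
// Added example, not angular-translate's code: a toy model of how the
// sanitize-value strategies in this thread compose. The helpers below are
// simplified assumptions, not the library's real $sanitize/$interpolate.
const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);

// Model of 'sanitize': drop markup, then entity-encode every non-ASCII
// character, which is the Ü -> &#220; behaviour reported in the question.
const sanitizeHtml = (s) =>
  s.replace(/<[^>]*>/g, '').replace(/[^\x00-\x7F]/g, (c) => `&#${c.charCodeAt(0)};`);

const FN = { sanitize: sanitizeHtml, escape: escapeHtml };

// strategies: one name or an array, e.g. ['escape', 'sanitizeParameters'].
// '*Parameters' variants run on interpolation values before interpolation;
// the bare names run on the finished output, so they also cover the template.
function translate(template, params, strategies) {
  const list = [].concat(strategies);
  let values = { ...params };
  for (const s of list.filter((x) => x.endsWith('Parameters'))) {
    const f = FN[s.replace(/Parameters$/, '')];
    values = Object.fromEntries(Object.entries(values).map(([k, v]) => [k, f(String(v))]));
  }
  let out = template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, k) => (k in values ? values[k] : ''));
  for (const s of list.filter((x) => FN[x])) out = FN[s](out);
  return out;
}

// The filter emits the string as text, so entities show up literally; the
// directive assigns innerHTML, so the browser decodes them. Modelled here by
// decoding numeric entities.
const asDirective = (s) => s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));

function demo() {
  const tpl = 'Hello <i>{{name}}</i>';   // constructed translation string with markup
  const p = { name: '<u>Bob</u>' };      // constructed interpolation parameter with markup
  return {
    // 'sanitize' encodes the umlaut; the filter shows it raw, the directive decodes it
    filterSanitize: translate('Überschrift', {}, 'sanitize'),
    directiveSanitize: asDirective(translate('Überschrift', {}, 'sanitize')),
    // sanitizeParameters touches only the parameter; template markup passes through
    paramsOnly: translate(tpl, p, 'sanitizeParameters'),
    // the combined strategy from the second answer also escapes the template output
    combined: translate(tpl, p, ['escape', 'sanitizeParameters']),
  };
}
```

Compare paramsOnly with combined: only the latter neutralises markup that arrives in the translation string itself, which is the gap the edited answer describes.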