October: Question about `| trans` filter and XSS

Created on 13 Jul 2019 · 4 Comments · Source: octobercms/october

I just noticed that the following call using the | trans filter in Twig does not escape the query parameter (in fact the whole string is unescaped).

<!-- Key: You entered ":query" -->
{{ 'my.plugin::with.a.key' | trans({query: '<script>alert("XSS");</script>'}) }}
<!-- Output: You entered "<script>alert("XSS");</script>" -->

To me this is very unintuitive and dangerous behaviour since usually stuff inside Twig's {{ }} can be considered properly escaped.

So what's your thoughts on this? Is this expected behaviour? How would you go about escaping this value in Twig?

Question

All 4 comments

@tobias-kuendig so you're XSSing yourself? Or are you talking about a site where you're passing user input to the trans function? Because you should definitely not be doing that.

Because you should definitely not be doing that.

Well, of course I'm doing exactly that! :sweat_smile:

I guess what I'm actually trying to find out is the official way to provide pre-translated strings with a plugin that can be used in the frontend.

AFAIK RainLab.Translate only supports this via the theme.yaml file, right?

@tobias-kuendig it's fine to use the trans() filter for plugin provided translations, but if you're going to pass in user input then make sure that you also add the | escape filter after (i.e. 'my.key' | trans() | escape): https://twig.symfony.com/doc/2.x/filters/escape.html

That's exactly what I was looking for, thanks @LukeTowers!
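To make the behaviour discussed above concrete, here is an added example, written for this page and not taken from OctoberCMS or the thread's participants. It is a stand-alone PHP model of a Laravel-style ":placeholder" translation step (the `:query` form the issue's key uses) followed by HTML escaping; the message catalogue, function names and the attacker input are constructed for illustration. `transThenEscape()` corresponds to the fix suggested in the thread, `{{ 'key' | trans({query: q}) | escape }}`, and `transEscapedParams()` to the alternative of escaping the parameter before it is substituted, `{{ 'key' | trans({query: q | escape}) }}`, which relies on the trans output not being escaped a second time, as the issue reports.

```php
<?php
// Added example, not OctoberCMS code: a minimal model of ":placeholder"
// translation plus HTML escaping, to show why the unescaped trans output
// leaks user input and how the two escaping orders differ.

declare(strict_types=1);

// Constructed message catalogue standing in for a plugin's lang file.
const MESSAGES = [
    'my.plugin::with.a.key'  => 'You entered ":query"',
    'my.plugin::with.markup' => 'Results for <strong>:query</strong>',
];

function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Raw substitution, like the trans filter as described in the issue:
// parameters are spliced in verbatim and nothing is escaped.
function transRaw(string $key, array $params): string
{
    $replace = [];
    foreach ($params as $name => $value) {
        $replace[':' . $name] = (string) $value;
    }
    return strtr(MESSAGES[$key] ?? $key, $replace);
}

// Fix 1 ('key' | trans(...) | escape): escape the whole translated string.
// Safe against injected parameters, but any HTML the translator put into
// the message is escaped as well.
function transThenEscape(string $key, array $params): string
{
    return escapeHtml(transRaw($key, $params));
}

// Fix 2: escape each parameter before substitution. Markup written by the
// translator stays intact; only the untrusted values are neutralised.
function transEscapedParams(string $key, array $params): string
{
    $escaped = array_map(fn($v) => escapeHtml((string) $v), $params);
    return transRaw($key, $escaped);
}

$userInput = '<script>alert("XSS");</script>';  // constructed attacker input

// Reproduces the unescaped output quoted in the issue.
echo transRaw('my.plugin::with.a.key', ['query' => $userInput]), PHP_EOL;

// The thread's fix: the script tag and the quotes are entity-encoded.
echo transThenEscape('my.plugin::with.a.key', ['query' => $userInput]), PHP_EOL;

// Same fix on a message that contains markup: the <strong> is encoded too.
echo transThenEscape('my.plugin::with.markup', ['query' => $userInput]), PHP_EOL;

// Escaping the parameter instead keeps <strong> and still neutralises input.
echo transEscapedParams('my.plugin::with.markup', ['query' => $userInput]), PHP_EOL;
```

Run it with `php example.php`. The first line prints the raw script tag exactly as the issue shows; the second and third print it entity-encoded, with the third also encoding the translator's `<strong>`; the fourth keeps `<strong>` as markup while the parameter is encoded. Whichever order you pick, the check to make is that every value reaching the translation from the request passes through `htmlspecialchars` (or Twig's `escape`) somewhere on the way to the response.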
