Users of Fluent should escape the < character in data-l10n-args when applying it to the text content of a node
Categories
(Toolkit :: Performance Monitoring, defect)
Tracking
()
People
(Reporter: dennis.lissov, Unassigned)
References
()
Details
Given the following test data URL
data:text/html,<title>Generic<Some, Type, Parameters> description</title>
about:processes
displays only "Generic description" as a title, omitting the generic parameters in < .. >
Reporter | ||
Comment 1•3 years ago
|
||
Sorry, missed escaping for Bugzilla
data:text/html,<title>Generic<Some, Type, Parameters> description</title>
Comment 2•3 years ago
|
||
Thanks for reporting this bug, Denis. I can reproduce it in Firefox 93, 94, and 95. The "Generic description" process is listed under about:processes
page's "Shared Web Process" section.
@ Florian, does this look like a bug in the about:processes
page or in the L10n code that processes data-l10n-args
?
I inspected the about:processes
page's HTML and see that the "Generic description" node's data-l10n-args
attribute includes the expected <Some, Type, Parameters>
substring that is not shown on the page:
<td data-l10n-id="about-processes-tab-name" data-l10n-args="{"name":"Generic<Some, Type, Parameters> description"}">Tab: Generic description</td>
Should the code that dynamically sets data-l10n-args
first escape the angle brackets <
>
? Or is the L10n code stripping the <Some, Type, Parameters>
substring when it shouldn't?
Comment 3•3 years ago
|
||
This was already broken with the patch from bug 1652785 that introduced showing page titles in about:processes, which landed in Firefox 82.
Comment 4•3 years ago
|
||
(In reply to Chris Peterson [:cpeterson] from comment #2)
Should the code that dynamically sets
data-l10n-args
first escape the angle brackets<
>
? Or is the L10n code stripping the<Some, Type, Parameters>
substring when it shouldn't?
ni Zibi for this question.
Comment 5•3 years ago
|
||
(In reply to Florian Quèze [:florian] from comment #4)
(In reply to Chris Peterson [:cpeterson] from comment #2)
Should the code that dynamically sets
data-l10n-args
first escape the angle brackets<
>
? Or is the L10n code stripping the<Some, Type, Parameters>
substring when it shouldn't?
Thinking about this some more, I think it's a bug of the l10n code. The JS code calling document.l10n.setAttributes
doesn't know if the data will be displayed as text content or as an attribute (that depends on how the ftl file uses the parameters, and the same parameter could even be used in both a text content of a node and an attribute).
For example if an ftl file includes a string like this:
string-name = Prefix: { $param }
.attribute = Prefix: { $param }
The <
character needs to be escaped for setting the content of the DOM node, but not when setting the attribute.
Looking at the code a bit, the code at https://searchfox.org/mozilla-central/rev/f8576fec48d866c5f988baaf1fa8d2f8cce2a82f/dom/l10n/L10nOverlays.cpp#492 checks if the translated string contains the < character, and calls SetTextContent
if it doesn't, and will parse the markup otherwise.
I think this code needs to treat differently a <
character coming from the ftl file, and a <
character coming from the data-l10n-args
attribute.
Comment 6•3 years ago
|
||
The component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit auto_nag documentation.
Comment 7•3 years ago
|
||
I think this code needs to treat differently a < character coming from the ftl file, and a < character coming from the data-l10n-args attribute.
I don't think I agree with that. Args can provide HTML fragment as well:
let p = document.getElementById("mypar");
document.l10n.setAttributes(p, "my-key", {
label: "This is <b>a label</b>"
});
my-key = Your label is: { $label }.
should produce:
<p id="mypar" data-l10n-id="my-key" data-l10n-args="{'label': 'This is <'b>a label</b>'}">
Your label is: This is <b>a label</b>.
</p>
Escaping text level elements would make it impossible.
My read is that there are cases where you want those to be escaped, and in those cases the consumer should handle it when building the args list.
Comment 9•3 years ago
|
||
I'm with Zibi here. It's pretty much established that document.l10n
will allow a subset of top-level tags to be rendered as elements in its output and filters out others. Changing this would be a breaking change. To see this, here's a test URL:
data:text/html,<title>Generic<i><b>Some, Type, Parameters</b></i> description</title>
Note how document.title
ends up as the string "Generic<i><b>Some, Type, Parameters</b></i> description"
, while the listing in about:processes
renders it as "Generic Some, Type, Parameters description", i.e. rendering the outer <i>
but dropping the <b>
.
I think the right fix here is to escape the document.title
before setting it as the label value.
Effecting the same result by a localization API change by adding some sort of a toggle for treating input as explicitly raw text would probably end up being quite a bit clumsier.
Comment 10•2 years ago
•
|
||
Having established that this is in the responsibility of the user of Fluent (and not within fluent itself), it seems the solution is then to pass an escaped document.title into the fluent string.
AFAIU, Fluent assigns to .innerHTML
, so E.g., replacing all >
and <
in document.title
would suffice.
That also means this bug should move into about:processes bugs and out of the Fluent components.
Updated•2 years ago
|
Comment 11•4 months ago
|
||
(In reply to Frederik Braun [:freddy] from comment #10)
AFAIU, Fluent assigns to
.innerHTML
, so E.g., replacing all>
and<
indocument.title
would suffice.
It would not suffice, you also need to escape &
as &
, e.g. data:text/html,<title>Some currencies; like ruble&euro; will devaluate</title>
should not appear as
Tab: Some currencies; like ruble€ will devaluate
Description
•