Hi
On Wed, 2 Jul 2014 16:02:23 +0530, Chirayu Chiripal chirayu.chiripal@gmail.com wrote:
I have seen a few translations with HTML tags in them. I was shocked as to why HTML tags are allowed in translations. Isn't it possible that someone could insert tags like this <script src="http://www.some-phishing-site.com/simple.js"></script> with the translation, and that could be used to attack users of a particular language?
Technically it is possible, though markup changes are something I always check (Weblate has a flag for this, so it's quite easy to review), so that will not get in. Indeed it would be better to always use just bbcode and pass all strings through PMA_sanitize(), but that means somebody would have to go through the code and fix the messages :-).
PS: I hope you don't mind me bringing this back to the -devel list.
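As an added illustration of the escape-first approach described in the reply above (example code written for this thread, not phpMyAdmin's code and not what PMA_sanitize() itself does), here is a Python sketch: every HTML-significant character in a translated string is escaped first, and only a small bbcode whitelist is expanded back into markup, so a raw <script> tag in a translation survives only as inert text. The whitelist, the `[a@URL]` link syntax and the `has_raw_markup()` review check are assumptions for the example.

```python
import html
import re

# Assumed bbcode whitelist for this example: bbcode name -> (open HTML, close HTML).
# A self-closing tag has an empty close string.
BBCODE_TAGS = {
    "b": ("<b>", "</b>"),
    "i": ("<i>", "</i>"),
    "code": ("<code>", "</code>"),
    "br": ("<br>", ""),
}

# Link syntax assumed for the example: [a@URL]text[/a]
LINK_RE = re.compile(r"\[a@([^\]]+)\](.*?)\[/a\]")


def sanitize_translation(message: str) -> str:
    """Escape all HTML in a translated string, then expand whitelisted bbcode.

    Because escaping happens before expansion, nothing the translator typed
    can reach the page as markup; only the fixed HTML in BBCODE_TAGS and
    http(s) anchors produced by LINK_RE ever appear unescaped.
    """
    out = html.escape(message, quote=True)

    # Paired tags: [b]...[/b] -> <b>...</b>; fixed strings, no translator input.
    for name, (open_html, close_html) in BBCODE_TAGS.items():
        out = out.replace(f"[{name}]", open_html)
        if close_html:
            out = out.replace(f"[/{name}]", close_html)

    # Links: only http(s) targets become anchors. Other schemes (javascript:,
    # data:, ...) are left as the literal bbcode text. Quotes in the URL were
    # already turned into &quot; by html.escape, so the href cannot be broken out of.
    def expand_link(m: re.Match) -> str:
        url, text = m.group(1), m.group(2)
        if not re.match(r"https?://", url):
            return m.group(0)
        return f'<a href="{url}">{text}</a>'

    return LINK_RE.sub(expand_link, out)


def has_raw_markup(message: str) -> bool:
    """Review helper: flag a translation that contains a raw HTML tag at all,
    so a reviewer can look at it before it is merged (mirrors the manual
    markup check mentioned above; the heuristic is an assumption)."""
    return re.search(r"<\s*/?\s*[A-Za-z]", message) is not None
```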