mvc: fix translations by adding an escaping wrapper

PR: https://forum.opnsense.org/index.php?topic=3083.0
2026-03-15 00:54:41 +00:00 · 2016-05-24 21:49:25 +02:00 · 2016-05-24 21:49:25 +02:00 · 8a72c9704f
commit 8a72c9704f
parent bf2f9ab991
2 changed files with 48 additions and 3 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
@ -30,8 +30,8 @@
 namespace OPNsense\Base;

 use OPNsense\Core\Config;
+use OPNsense\Base\ViewTranslator;
 use Phalcon\Mvc\Controller;
-use Phalcon\Translate\Adapter\Gettext;

 /**
 * Class ControllerBase implements core controller for OPNsense framework
@ -42,7 +42,7 @@ class ControllerBase extends ControllerRoot
    /**
     * translate a text
     * @param OPNsense\Core\Config $cnf config handle
-     * @return Gettext
+     * @return ViewTranslator
     */
    public function getTranslator($cnf)
    {
@ -57,7 +57,7 @@ class ControllerBase extends ControllerRoot

        $lang_encoding = $lang . '.UTF-8';

-        $ret = new Gettext(array(
+        $ret = new ViewTranslator(array(
            'directory' => '/usr/local/share/locale',
            'defaultDomain' => 'OPNsense',
            'locale' => $lang_encoding,
--- a/src/opnsense/mvc/app/library/OPNsense/Base/ViewTranslator.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Base/ViewTranslator.php
@ -0,0 +1,45 @@
+<?
+
+/**
+ *    Copyright (C) 2016 Franco Fichtner <franco@opnsense.org>
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Base;
+
+use Phalcon\Translate\Adapter\Gettext;
+
+/**
+ * Class ViewTranslator XSS-safe Gettext wrapper
+ * @package OPNsense\Base
+ */
+class ViewTranslator extends Gettext
+{
+    public function _($translateKey, $placeholders = null)
+    {
+        $translateValue = parent::_($translateKey, $placeholders);
+        /* gettext() embedded in JavaScript can cause syntax errors */
+        return htmlspecialchars($translateValue, ENT_QUOTES | ENT_HTML401);
+    }
+}