[Bug 38217] New: TT tags breaking translation script when used to build a JS string
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 Bug ID: 38217 Summary: TT tags breaking translation script when used to build a JS string Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Templates Assignee: oleonard@myacpl.org Reporter: jonathan.druart@gmail.com QA Contact: testopia@bugs.koha-community.org Found on bug 38147. We all know the "don't use TT tag in HTML tags" because they break the translator script There is another side-effect. If you do: str = '<a foo="' + foo + '" bar="[% bar | uri %]"'>' + _("Click me") + '</a>' ; Then "Click me" won't be picked by the translator script So I have tried this: str = '<a foo="%s" bar="%s">%s</a>'.format(foo, "[% bar | uri %]", _("Click me")) But it does not seems to work either. So the solution I found is to use an intermediate JS variable: let bar = "[% bar | uri %]"; str = '<a foo="%s" bar="%s">%s</a>'.format(foo, bar, _("Click me")) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |38147 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38147 [Bug 38147] Edit button in bookings untranslatable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #1 from Jonathan Druart <jonathan.druart@gmail.com> --- Find possible suspects: git grep "_(" **/*.tt|grep '\[%' -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #2 from Jonathan Druart <jonathan.druart@gmail.com> --- This one is confirmed at least: koha-tmpl/intranet-tmpl/prog/en/modules/admin/identity_provider_domains.tt: var result = '<a class="btn btn-default btn-xs" role="button" href="/cgi-bin/koha/admin/identity_providers.pl? domain_ops=1&identity_provider_id=[%- identity_provider_id | html -%]&op=edit_form&identity_provider_domain_id='+ encodeURIComponent(row.identity_provider_domain_id) +'"><i class="fa-solid fa-pencil" aria-hidden="true"></i> '+_("Edit")+'</a>'+"\n"; -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Component|Templates |I18N/L10N CC| |f.demians@tamil.fr, | |jonathan.druart@gmail.com, | |julian.maurice@biblibre.com Assignee|oleonard@myacpl.org |koha-bugs@lists.koha-commun | |ity.org -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #3 from David Cook <dcook@prosentient.com.au> --- (In reply to Jonathan Druart from comment #0)
So the solution I found is to use an intermediate JS variable: let bar = "[% bar | uri %]"; str = '<a foo="%s" bar="%s">%s</a>'.format(foo, bar, _("Click me"))
Another option would be something like: let link = document.createElement('a'); link.textContent = _("Click me"); link.setAttribute('foo',foo); link.setAttribute('bar',bar); str = link.outerHTML; -- While it's more verbose, it's safe from XSS and should be translation friendly. In the quoted version, both "foo" and "bar" are potentially vulnerable to XSS if they contain unsanitized user input. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- In any case, is this translation issue a new behaviour or has this problem existed previously? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #5 from Jonathan Druart <jonathan.druart@gmail.com> --- (In reply to David Cook from comment #4)
In any case, is this translation issue a new behaviour or has this problem existed previously?
From Mattermost: """ Issue with the translation script that has been around for years. We reject the structure (TT tags inside HTML tags) from the QA script, but this is a new structure that must be rejected
OR we fix the translation script, but IIRC it is not trivial. """ -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #6 from Jonathan Druart <jonathan.druart@gmail.com> --- (In reply to David Cook from comment #3)
In the quoted version, both "foo" and "bar" are potentially vulnerable to XSS if they contain unsanitized user input.
We should call escape_str on all JS vars, yes. But it's not the point of the bug report. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- (In reply to Jonathan Druart from comment #5)
From Mattermost: """ Issue with the translation script that has been around for years. We reject the structure (TT tags inside HTML tags) from the QA script, but this is a new structure that must be rejected
Yeah I still don't understand what you're saying there. What's the "new structure"? -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #8 from David Cook <dcook@prosentient.com.au> --- (In reply to Jonathan Druart from comment #6)
(In reply to David Cook from comment #3)
In the quoted version, both "foo" and "bar" are potentially vulnerable to XSS if they contain unsanitized user input.
We should call escape_str on all JS vars, yes. But it's not the point of the bug report.
I didn't say it was. Just pointing out the robustness of the alternative I suggested. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #9 from Jonathan Druart <jonathan.druart@gmail.com> --- (In reply to David Cook from comment #7)
(In reply to Jonathan Druart from comment #5)
From Mattermost: """ Issue with the translation script that has been around for years. We reject the structure (TT tags inside HTML tags) from the QA script, but this is a new structure that must be rejected
Yeah I still don't understand what you're saying there. What's the "new structure"?
The one we knew that was problematic, when building HTML nodes: <a href="#" [% IF required %]required[% END %]>link</a> We catch it with the QA script, and there is a test: xt/tt_valid.t The new one, discovered here, when building nodes using JS. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #10 from David Cook <dcook@prosentient.com.au> --- (In reply to Jonathan Druart from comment #9)
The one we knew that was problematic, when building HTML nodes: <a href="#" [% IF required %]required[% END %]>link</a> We catch it with the QA script, and there is a test: xt/tt_valid.t
The new one, discovered here, when building nodes using JS.
Ok I think I understand better now. Thanks. (That is, it's an old problem in the translation process, but it's a new problem since we're only noticing it now.) -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #11 from David Cook <dcook@prosentient.com.au> --- It seems to me that we should decide on a new method (or methods) and add them as coding guidelines? If possible, catch in QA script, although I don't know how easy that would be. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #12 from Jonathan Druart <jonathan.druart@gmail.com> --- koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt 113 var content = "<h3>" + _("Authority number") + ": [% authid | html %]</h3><hr>"; this one is correctly picked. So I've tried this: var content = "<h3>" + _("Authority number") + ": [% authid | html %]</h3><hr>"; content += "<h3>[% authid | html %] " + _("Authority number") + "</h3><hr>"; The second one is not picked, certainly because the TT tag is before. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #13 from Jonathan Druart <jonathan.druart@gmail.com> --- In this occurrences, only "Send email" is not picked koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt 1623 $("#elasticPreview .modal-body").html("<h1>"+_("Une erreur s'est produite !")+"</h1><h2><em>"+_("Erreur 404")+"</em></h2><ul><li>"+_("Un lien interne dans l'interface professionnel le est cassé et la page n'existe pas")+"</li></ul><h3>"+_("Quoi d'autre ?")+"</h3><ul style='margin-bottom: 1em; padding-bottom: 1em; border-bottom: 1px solid #CCC;'><li>"+_("Utilisez la barre de menu princip ale pour vous déplacer vers une autre partie de Koha.")+"</li><li>"+_("Pour signaler un lien cassé ou tout autre problème, veuillez prendre contact avec l'administrateur Koha.")+" <a href='mailto:[% Koha.Pref erence("KohaAdminEmailAddress") | uri %]'>"+_("Send email")+"</a></li></ul>"); -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #14 from Jonathan Druart <jonathan.druart@gmail.com> --- Also "Cancel": koha-tmpl/intranet-tmpl/prog/en/modules/admin/background_jobs.tt: result += '<a class="btn btn-default btn-xs submit-form-link" role="button" href="#" data-action="/cgi-bin/koha/admin/background_jobs.pl" data-method="post" data-op="cud-cancel" data-confirmation-msg="[% t('Are you sure you want to cancel this job?') | html %]" data-id="'+ encodeURIComponent(row.job_id) +'"><i class="fa fa-trash-can" aria-hidden="true"></i> '+_("Cancel")+'</a>'; -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #15 from Jonathan Druart <jonathan.druart@gmail.com> --- I think we have all the occurrences with this command: `git grep -P '\[%.*_\(' **/*.tt **/*.inc`, but there are false positives. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #16 from Jonathan Druart <jonathan.druart@gmail.com> --- "Summary" is not picked koha-tmpl/intranet-tmpl/prog/en/modules/pos/register.tt: var result = '<a class="btn btn-default btn-xs" role="button" data-bs-toggle="modal" data-cashup="'+encodeURIComponent(row.cashup_id)+'" data-register="[% register.description | html %]" href="#cashupSummaryModal"><i class="fa-solid fa-pencil" aria-hidden="true"></i> '+_("Summary")+'</a>\n'; -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 --- Comment #17 from Jonathan Druart <jonathan.druart@gmail.com> --- However this one is not a problem: koha-tmpl/intranet-tmpl/prog/en/modules/tools/manage-marc-import.tt: + diff_url.format( [% import_batch_id | html %], aData['import_record_id'], item.candidate_match_id, item.record_type) + '">' + _("View") + '</a></li>'); -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217 Bug 38217 depends on bug 38147, which changed state. Bug 38147 Summary: Edit button in bookings untranslatable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38147 What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org