joedixon / laravel-translation

Translation management for your Laravel application.
MIT License
694 stars 230 forks

blank page with a js bug #253

Open meyer59 opened 1 year ago

meyer59 commented 1 year ago

Describe the bug
A clear and concise description of what the bug is.
Unable to show the translation; the page shows up for a few seconds and then everything disappears. A JS bug appears in the console.

To Reproduce
Steps to reproduce the behavior:
1. Update to the latest version.
2. F5 the page. The page shows up for 1-2 sec and then goes blank (screenshot below).

Expected behavior
A clear and concise description of what you expected to happen.


lk77 commented 1 year ago

After debugging app.js, it seems this translation from Cloudinary is causing the issue:

'title_uploading_with_counter' => 'Uploading {{num}} Assets',

https://cloudinary.com/documentation/upload_widget#localization

It's not escaped by the frontend and it's executed as JS, and it does not find a num variable.

It also means it's possible to inject JS code with translations when doing something like {{alert('test')}}.

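An added example, not code from laravel-translation or from the comments above: a check over a translation map for values a frontend would compile as template expressions, plus a rendering that keeps them literal. It assumes the frontend handles `{{ }}` interpolation the way Vue does and relies on Vue's `v-pre` directive; the function names and the `demo.*` keys are hypothetical, and the sample data is constructed from the two strings quoted in the comment.

```javascript
// Added example: names below are hypothetical, not part of laravel-translation.
// Constructed sample data built around the two strings quoted in the comment.
const translations = {
  'cloudinary.title_uploading_with_counter': 'Uploading {{num}} Assets',
  'demo.injected': "{{alert('test')}}",
  'demo.plain': 'Upload complete',
  'demo.markup': '</span>{{ 1 + 1 }}',
};

// Matches the default {{ }} text-interpolation delimiters, non-greedy, across lines.
const MUSTACHE = /\{\{([\s\S]*?)\}\}/g;

// Return every key whose value would be compiled as a template expression.
function findInterpolations(map) {
  const findings = [];
  for (const [key, value] of Object.entries(map)) {
    const expressions = [...String(value).matchAll(MUSTACHE)].map(m => m[1].trim());
    if (expressions.length > 0) findings.push({ key, expressions });
  }
  return findings;
}

// HTML-escape so the value cannot close the wrapper element or open new tags.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Emit the value inside an element marked v-pre, which tells Vue to skip
// compilation for that element and its children, so {{ }} stays literal text.
function renderLiteral(value) {
  return `<span v-pre>${escapeHtml(value)}</span>`;
}

for (const { key, expressions } of findInterpolations(translations)) {
  console.log(`${key}: would evaluate ${JSON.stringify(expressions)}`);
  console.log(`  literal form: ${renderLiteral(translations[key])}`);
}
```

Running the scan against stored translations before they are rendered shows which keys need the literal form; values passed to components as data rather than placed in compiled markup are not affected by this check.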