FIX: Ensure translated content is safe for rendering

nattsw · nattsw · commit 04b752a99fce · 2025-02-19T17:31:04.000+08:00
diff --git a/app/models/concerns/discourse_translator/translatable.rb b/app/models/concerns/discourse_translator/translatable.rb
@@ -17,8 +17,14 @@ def set_detected_locale(locale)
       (content_locale || build_content_locale).update!(detected_locale: locale)
     end
 
+    # This method is used to create a translation for a translatable (Post or Topic) and a specific locale.
+    # If a translation already exists for the locale, it will be updated.
+    # Texts are put through a Sanitizer to clean them up before saving.
+    # @param locale [String] the locale of the translation
+    # @param text [String] the translated text
     def set_translation(locale, text)
       locale = locale.to_s.gsub("_", "-")
+      text = DiscourseTranslator::TranslatedContentSanitizer.sanitize(self.class, text)
       translations.find_or_initialize_by(locale: locale).update!(translation: text)
     end
 
diff --git a/lib/discourse_translator/translated_content_sanitizer.rb b/lib/discourse_translator/translated_content_sanitizer.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module DiscourseTranslator
+  class TranslatedContentSanitizer
+    def self.sanitize(model, content)
+      case model.to_s
+      when "Topic"
+        return ERB::Util.html_escape(content) unless SiteSetting.title_fancy_entities?
+        Topic.fancy_title(content)
+      when "Post"
+        PrettyText.cleanup(content, {})
+      else
+        # raise an error if the model is not supported
+        raise ArgumentError.new("Model not supported")
+      end
+    end
+  end
+end
diff --git a/spec/lib/translated_content_sanitizer_spec.rb b/spec/lib/translated_content_sanitizer_spec.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+describe DiscourseTranslator::TranslatedContentSanitizer do
+  describe "Posts" do
+    it "sanitizes the content" do
+      sanitized =
+        DiscourseTranslator::TranslatedContentSanitizer.sanitize(
+          Post,
+          "<script>alert('test')</script><p> <h1>Testing</h1> This is a test post</p>",
+        )
+
+      expect(sanitized).to eq("<p> </p><h1>Testing</h1> This is a test post<p></p>")
+    end
+  end
+
+  describe "Topics" do
+    it "escapes and prettifies" do
+      sanitized =
+        DiscourseTranslator::TranslatedContentSanitizer.sanitize(
+          Topic,
+          "<script>alert('test')</script><p> <h1>Testing</h1> This is a test post</p>",
+        )
+
+      expect(sanitized).to eq(
+        "&lt;script&gt;alert(&lsquo;test&rsquo;)&lt;/script&gt;&lt;p&gt; &lt;h1&gt;Testing&lt;/h1&gt; This is a test post&lt;/p&gt;",
+      )
+    end
+  end
+end
