FIX: Ensure translated content is safe for rendering (#220)

nattsw · web-flow · commit fa66f1a75001 · 2025-02-26T14:09:42.000+08:00
As much as we would like to trust AI / translation API outputs, we're adding a bit of sanitisation here for simple things like script tags in case.
diff --git a/.discourse-compatibility b/.discourse-compatibility
@@ -1,3 +1,4 @@
+< 3.5.0.beta2-dev: 5f24835801fdc7cb98e1bcf42d2ab2e49e609921
 < 3.5.0.beta1-dev: 7d411e458bdd449f8aead2bc07cedeb00b856798
 < 3.4.0.beta3-dev: b4cf3a065884816fa3f770248c2bf908ba65d8ac
 < 3.4.0.beta1-dev: 5346b4bafba2c2fb817f030a473b7bbca97b909c
diff --git a/app/models/concerns/discourse_translator/translatable.rb b/app/models/concerns/discourse_translator/translatable.rb
@@ -17,8 +17,14 @@ def set_detected_locale(locale)
       (content_locale || build_content_locale).update!(detected_locale: locale)
     end
 
+    # This method is used to create a translation for a translatable (Post or Topic) and a specific locale.
+    # If a translation already exists for the locale, it will be updated.
+    # Texts are put through a Sanitizer to clean them up before saving.
+    # @param locale [String] the locale of the translation
+    # @param text [String] the translated text
     def set_translation(locale, text)
       locale = locale.to_s.gsub("_", "-")
+      text = DiscourseTranslator::TranslatedContentSanitizer.sanitize(text)
       translations.find_or_initialize_by(locale: locale).update!(translation: text)
     end
 
diff --git a/lib/discourse_translator/translated_content_sanitizer.rb b/lib/discourse_translator/translated_content_sanitizer.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module DiscourseTranslator
+  class TranslatedContentSanitizer
+    def self.sanitize(content)
+      PrettyText.cleanup(content, {})
+    end
+  end
+end
diff --git a/spec/lib/translated_content_sanitizer_spec.rb b/spec/lib/translated_content_sanitizer_spec.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+describe DiscourseTranslator::TranslatedContentSanitizer do
+  it "sanitizes the content" do
+    sanitized =
+      DiscourseTranslator::TranslatedContentSanitizer.sanitize(
+        "<script>alert('test')</script><p> <h1>Testing</h1> This is a test post</p>",
+      )
+
+    expect(sanitized).to eq("<p> </p><h1>Testing</h1> This is a test post<p></p>")
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+< 3.5.0.beta2-dev: 5f24835801fdc7cb98e1bcf42d2ab2e49e609921`
`1`	`2`	`< 3.5.0.beta1-dev: 7d411e458bdd449f8aead2bc07cedeb00b856798`
`2`	`3`	`< 3.4.0.beta3-dev: b4cf3a065884816fa3f770248c2bf908ba65d8ac`
`3`	`4`	`< 3.4.0.beta1-dev: 5346b4bafba2c2fb817f030a473b7bbca97b909c`