Commit graph

38 commits

Author SHA1 Message Date
Ribas160
ec2d230d1b
refactor: deduplicate OS-specific hotkey detection into a shared helper 2026-05-29 15:43:41 +03:00
El RIDO
520408b830
typos 2026-01-25 10:36:10 +01:00
El RIDO
4f28c357ae
Merge pull request #1715 from PrivateBin/i18n/soften-html-encoding
fix: do not encode source JSON translation string resulting in wrong display of special characters like '
2025-12-03 19:07:17 +01:00
El RIDO
348d36d6ee
prefer DirectoryIterator for readability, also test jbo translation, log deletion errors 2025-11-20 09:13:15 +01:00
rugk
72d4c7aa2b style: clarify comments 2025-11-13 12:33:31 +00:00
rugk
e676264616 test: make I18nTest actually reload English translations again 2025-11-13 12:28:03 +00:00
rugk
38a722d2f5 test: make sure to unset HTTP_ACCEPT_LANGUAGE at test teardown 2025-11-13 12:19:49 +00:00
rugk
2c4dd2594c fix: do not encode source JSON translation string resulting in wrong display of special characters like '
Fixes #1712

Disclosure: Coded with help of Copiot. (description wrtten by me)

So this does indeed loosen the encoding a bit. However, IMHO, it was neither better before though. You could always bypass the encoding for `args{0]` when  you just include `<a` (or the other tag) somewhere or so.

**One important notice:** This was (due to the exceptions before and afterwards) valid before and also now: Translators **could** (and can) if they have malicious intent, inject/do "XSS attacks".
Thus, translations PRs (also from Crowdin) should be reviewed for wild HTML code inside translations. I suppose this is easy to fix, but anyway a valid risk.

But IMHO, we should teat the JSON files being part of our source code as a "trusted source". In the end, such an attak is basicaly just ends up being injecting malicious code. I hope such contributors would be detected.

References I explicitly checked again to not introduce an XSS here: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html and the PHP doc for he HTML encoding.

I feel the safter way obviously would be encoding the _whole_ string _after_ translation (just like you should apply DOMPurify after everything), but as explained it was not done before and would break compatibility. Also, I looked through the sources and I see no risk described by doing it only for the "dangerous" "untrusted" inputs.
Only here is a notice that `%s` shall not be used in some contexts, for example to define a tag: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#dangerous-contexts (obviously in such a case, attacks may be possible even with encoding; but again; this is nothing new)

The basic "problem" of it all is: We want HTML to be translated/be usable in our translation. If we'd get rid of that, we would get for sure rid of all such XSS attack possibilities. But that woud be a bigger refactoring, so IMHO, this here is fine for a fix for the issue at hand.

Ah another point: I think the `is_int` check is harmless, but it's also kinda useless. Maybe it is some kind of obscure performance optimisation. (Yeah ints have nothing to encode as they have nothing that could be used for XSS, but they could also just be passed through that function.)
2025-11-13 10:52:08 +00:00
El RIDO
4cd1770c76
fix indentation, tests & unify plural forms
command used was:
jq --indent 4 '(.. | select(type=="array")) |= . + [(.[-1:][] | sub("3rd";"4th")),(.[-1:][] | sub("3rd";"5th"))]' i18n/pl.json > /tmp/pl.json

test fix & plural unification was done manually, also cross-checking with online translation services
2025-10-06 11:40:28 +02:00
El RIDO
0040531057 fix Czech translation tests, test strings now use a non-breaking space 2024-10-09 07:04:12 +02:00
El RIDO
68ccaaace0 address unit test failures due to strict typing 2024-06-04 07:27:45 +02:00
El RIDO
cebc9acce6 enable strict types in PHP 2024-06-04 07:13:55 +02:00
El RIDO
d49be80ffb
prevent regression around presence or absence of en.json
it gets excluded in the release archive, it's absence should not make
any difference
2023-12-18 21:49:21 +01:00
El RIDO
5c97443d1d
add basic RTL support, drop default language key 2023-09-19 07:29:00 +02:00
github-actions[bot]
00cd331eaa Merge remote-tracking branch 'origin/master' into php8 2022-12-12 19:51:50 +00:00
El RIDO
0e5002f0d5
fix CS i18n unit test 2022-12-12 20:51:06 +01:00
El RIDO
5b3d61cedc
revert, this one actually was correct 2022-10-25 06:58:42 +02:00
El RIDO
510103fd9f
make tests compatible with newer phpunit 2022-10-25 06:55:24 +02:00
El RIDO
27965d0287
make tests compatible with newer phpunit 2022-10-25 06:53:07 +02:00
github-actions[bot]
595f9cf42e Merge remote-tracking branch 'origin/master' into php8 2022-02-18 05:18:21 +00:00
El RIDO
2d7f5e9a9f
allow for Lojban (jbo) to be the "any" language pick
The available language list is generated by reading the i18n directory
descriptor one entry at a time, so if the jbo.json happens to be the first
file written to the directory it will be on top of the list and get picked.

This is an edge case, most users browsers won't be set to that, but we need
to cover this allowed and valid use case in the language detection.
2022-02-17 20:44:49 +01:00
El RIDO
17c3cb35c0
change tests for phpunit 9 support, breaking support with phpunit 5.6 2020-10-11 10:31:24 +02:00
El RIDO
37a620df95
return type void is required as of PHPunit 7, breaking test compatibility with PHP < 7.1 2020-10-10 12:22:20 +02:00
El RIDO
6f90df9545
updating tests by dropping PHPunit 4.6 support 2020-10-10 12:08:58 +02:00
El RIDO
21ca30af3c
apply StyleCI recommendation 2020-02-01 09:39:14 +01:00
El RIDO
1b206e8495
ensuring consistent use of php side encoding, testing all encoding cases, correctly report the language in the <html> tag 2020-02-01 09:15:14 +01:00
El RIDO
428ea2f34e
adding test that expects parameters of php translation to get HTML entities to get encoded 2020-02-01 08:09:30 +01:00
El RIDO
8dc9db90c9
added translation for Czech, provided by @info-path, fixes #424 2019-06-23 12:06:36 +02:00
El RIDO
be1e7babc0
removing dead code and improving code coverage 2019-05-11 22:18:35 +02:00
El RIDO
478cf288b4
implementing StyleCI recommendations 2017-11-13 22:05:29 +01:00
El RIDO
44327bed58
added missing/removed translation IDs found using improved unit test (#201) 2017-03-25 13:19:11 +01:00
El RIDO
e80c726f92
added unit test for missing message IDs accross all translations, added IDs found this way to translation files (#201) 2017-03-25 12:46:08 +01:00
El RIDO
a7de0e095b
added supported language, updated credits and changelog 2017-01-10 20:37:14 +01:00
El RIDO
f79c00378b
Choosing correct Occitan plural formula, added unit tests for Occitan and Chinese, corrected casing of languages in unit test 2017-01-08 07:56:56 +01:00
El RIDO
4a036aea80
updated SRI hashes, added missing formula for slowene plurals and unit test for it, updated credits and changelog 2017-01-01 14:35:39 +01:00
El RIDO
ecd8a51137
writing a unit test for #145 lead to the discovery of two errors in the polish translations: error in formula and missing number placeholders in the translation strings 2016-12-25 11:37:45 +01:00
El RIDO
1f46823942
applying patch based on StyleCI ruleset 2016-10-29 10:24:08 +02:00
El RIDO
b45bef8388 Renamed classes for full PSR-2 compliance, some cleanup 2016-08-09 11:54:42 +02:00
Renamed from tst/i18n.php (Browse further)