XSS vulnerability using element.html(translation)

[ronwang01]

Translate-once is calling element.html(translation), which poses a vulnerability if the key is not in the resource dictionary and contains malicious code (e.g. XSS attack.).

[atticoos]

Interesting, I notice angular-translate uses append, which is essentially the same.

From what I can tell, when the translation key fails to be found in the resource dictionary, the translationId would be passed as the value that gets appended in applyTranslation.

We could use .text when the key is not found, but I find it interesting the main project doesn't seem to enforce this.

You should open an issue in angular-translate and see what the team says. This is essentially an extension to that project, so if they aren't enforcing that, adding it to this project won't help much. Now that's not to say I'm against the idea, but I would like to hear their thoughts too.

Thanks for raising this concern

[ronwang01]

Just did a quick search, they are aware of the issue. The issue been added to their Milestone 2.16.0. Thank you, for your attention in this matter, much appreciated.
https://github.com/angular-translate/angular-translate/issues/1418