Affected versions of i18next
may fail to sanitize user input when certain configuration options are used. When using the .init
method, passing interpolation options without passing an escapeValue
will default to undefined
rather than the assumed true
.
var init = i18n.init({
interpolation: {
prefix: "__",
suffix: "__",
escapeValue: true
}
}, function(){
var test = i18n.t('__firstName__ __lastName__', {
firstName: 'Bob',
lastName: '["foo","bar"]',
});
console.log(test);
});
When escapeValue
is explicitly passed, the result of test
is:
<script>alert(1)</script> Johnson
This is supposed to be the default. However, if escapeValue
is not included, the result is the unescaped string:
<script>alert(1)</script> Johnson
Update to version 3.4.4 or later.
CPE | Name | Operator | Version |
---|---|---|---|
i18next | ge | 2.0.0 <=3.4.3 |