pkp/pkp-lib#9408 Permit escaping of mixed content when localizing strings

asmecher · asmecher · commit 210b5b6616ee · 2024-01-29T15:12:25.000-08:00
diff --git a/src/components/ListPanel/announcements/AnnouncementsListPanel.vue b/src/components/ListPanel/announcements/AnnouncementsListPanel.vue
@@ -199,9 +199,11 @@ export default {
 				cancelLabel: this.__('common.no'),
 				modalName: 'delete',
 				title: this.deleteAnnouncementLabel,
-				message: this.replaceLocaleParams(this.confirmDeleteMessage, {
-					title: this.localize(announcement.title)
-				}),
+				message: this.replaceLocaleParams(
+					this.confirmDeleteMessage,
+					{title: this.localize(announcement.title)},
+					{htmlEscaping: true}
+				),
 				callback: () => {
 					var self = this;
 					$.ajax({
diff --git a/src/components/ListPanel/emailTemplates/EmailTemplatesListItem.vue b/src/components/ListPanel/emailTemplates/EmailTemplatesListItem.vue
@@ -27,23 +27,29 @@
 			<list>
 				<list-item>
 					{{
-						replaceLocaleParams(this.subjectLabel, {
-							subject: item.subject
-						})
+						replaceLocaleParams(
+							this.subjectLabel,
+							{subject: item.subject},
+							{htmlEscaping: true}
+						)
 					}}
 				</list-item>
 				<list-item v-if="item.fromRoleId">
 					{{
-						replaceLocaleParams(this.fromLabel, {
-							value: getRoleLabel(item.fromRoleId)
-						})
+						replaceLocaleParams(
+							this.fromLabel,
+							{value: getRoleLabel(item.fromRoleId)},
+							{htmlEscaping: true}
+						)
 					}}
 				</list-item>
 				<list-item v-if="item.toRoleId">
 					{{
-						replaceLocaleParams(this.toLabel, {
-							value: getRoleLabel(item.toRoleId)
-						})
+						replaceLocaleParams(
+							this.toLabel,
+							{value: getRoleLabel(item.toRoleId)},
+							{htmlEscaping: true}
+						)
 					}}
 				</list-item>
 				<list-item
diff --git a/src/mixins/global.js b/src/mixins/global.js
@@ -146,11 +146,20 @@ export default {
 		 *
 		 * @param {String} str String to replace params in
 		 * @param {Object} params Key/value hash of params to replace
+		 * @param {Object} [options={}]
+		 * @param {boolean} [options.htmlEscaping=false] - Set to `true` to escape HTML content in param values.
 		 * @return {String}
 		 */
-		replaceLocaleParams(str, params) {
+		replaceLocaleParams(str, params, options = {}) {
+			const {htmlEscaping} = options;
+
 			for (var param in params) {
-				let value = params[param];
+				var value = params[param];
+				if (htmlEscaping) {
+					var p = document.createElement('p');
+					p.innerText = value;
+					value = p.innerHTML;
+				}
 				// If a locale object is passed, take the value from the current locale
 				if (value === Object(value)) {
 					value = this.localize(value);
