It seems that text coming in via LocalizationSupport is always considered trusted content and will be output directly and not via e.g. OwaspHtmlTemplateOutput.
However, in some contexts, localized text can come from untrusted sources. Maybe an agency was hired to do the translation. Or texts are retrieved from a remote system like a CMS. If that is the case and LocalizationSupport is used, XSS exploits seem trivial.
My workaround is to create my own localization that outputs the localized texts as pure strings for them to become "user content".
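One way to implement the workaround described in the post, as an added example that is not part of the issue or of the project: the class names above match the jte template engine (`gg.jte.support.LocalizationSupport`, `gg.jte.html.OwaspHtmlTemplateOutput`), so that engine and its `lookup`/`localize`/`Content` API are assumed here. Translations are emitted through `writeUserContent()` instead of `writeContent()`, so an escaping output such as OwaspHtmlTemplateOutput encodes them for the current HTML context; the message map and the `{0}` placeholder syntax are assumptions.

```java
import gg.jte.Content;
import gg.jte.support.LocalizationSupport;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Treats every translation as untrusted: the text is written via
// writeUserContent(), which OwaspHtmlTemplateOutput escapes for the current
// context, instead of writeContent(), which the default localize() uses and
// which is never escaped.
public final class UntrustedLocalizationSupport implements LocalizationSupport {
    private static final Pattern PLACEHOLDER = Pattern.compile("\\{(\\d+)}");
    private final Map<String, String> messages; // assumed: key -> translated text

    public UntrustedLocalizationSupport(Map<String, String> messages) {
        this.messages = messages;
    }

    @Override
    public String lookup(String key) {
        return messages.get(key);
    }

    @Override
    public Content localize(String key) {
        return localize(key, new Object[0]);
    }

    @Override
    public Content localize(String key, Object... params) {
        String text = lookup(key);
        if (text == null) {
            return output -> { }; // unknown key renders as empty, like the default
        }
        return output -> {
            Matcher m = PLACEHOLDER.matcher(text);
            int last = 0;
            while (m.find()) {
                // translated text is untrusted: escaped by the output
                output.writeUserContent(text.substring(last, m.start()));
                int idx = Integer.parseInt(m.group(1));
                Object p = idx < params.length ? params[idx] : null;
                if (p instanceof Content) {
                    ((Content) p).writeTo(output); // caller-built Content passes through
                } else if (p != null) {
                    output.writeUserContent(String.valueOf(p)); // plain params are escaped
                }
                last = m.end();
            }
            output.writeUserContent(text.substring(last));
        };
    }
}
```

Render with `localizer.localize("key", param).writeTo(new OwaspHtmlTemplateOutput(output))` and a translation containing markup arrives in the page as escaped text rather than as elements.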