From 22ee7d6da26a1421ce3e40f4fedbff2e3abfd22a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Alby?= <timothee.alby@gmail.com>
Date: Wed, 2 Feb 2022 11:24:45 +0100
Subject: [PATCH] Merge pull request #6525 from
 overleaf/jpa-harden-translations-sanitize

[web] scripts/translations: sanitize: double down on angular xss

GitOrigin-RevId: d08deab392942e593e920e648118f0e196af1740
---
 services/web/scripts/translations/sanitize.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/services/web/scripts/translations/sanitize.js b/services/web/scripts/translations/sanitize.js
index 223feb801d..4f2469c7dc 100644
--- a/services/web/scripts/translations/sanitize.js
+++ b/services/web/scripts/translations/sanitize.js
@@ -25,6 +25,9 @@ function sanitize(input) {
       a: ['href', 'class'],
     },
     textFilter(text) {
+      // Block Angular XSS
+      if (text === '{') return '&#123;'
+      if (text === '}') return '&#125;'
       return text
         .replace(/\{\{/, '&#123;&#123;')
         .replace(/\}\}/, '&#125;&#125;')