Disallow HTML in translatable strings with linter
Update the gettext linter to disallow HTML in strings that are submitted to Crowdin for translation. Currently this is an XSS attack vector for us and we have to manually verify that the strings coming in from Crowdin contain correctly formatted HTML. Removing all HTML from these strings gets us a step closer to being able to fully automate our translation process as a human no longer needs to verify these strings.

Strings that have angle brackets (`<`/`>`) in them that are not for HTML can still be translated by using the HTML entities `&lt;` or `&gt;`. Please see https://docs.gitlab.com/ee/development/i18n/externalization.html#html for details on how to properly use these symbols.

This is going to be followed up by:

1. A clean up of the existing strings that have HTML in them: https://gitlab.com/gitlab-org/gitlab/-/issues/228846
2. The addition of a helper to make it easier for developers to work with translatable strings that do need to have formatted content in them: https://gitlab.com/gitlab-org/gitlab/-/issues/217935

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/217933
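An added example, not code from this merge request or from GitLab's gettext linter: a minimal Ruby check in the spirit of the rule described above, flagging translatable strings that carry HTML tags or literal angle brackets while accepting the `&lt;`/`&gt;` entity form. The tag regex, the rejection of bare brackets, and the sample strings are assumptions constructed for illustration.

```ruby
# Matches an HTML-looking tag: "<", optional "/", a tag name, optional
# attributes, optional "/", then ">". Entities such as "&lt;b&gt;" contain
# no literal "<", so they never match. (Assumed pattern, not GitLab's.)
HTML_TAG = %r{</?[A-Za-z][A-Za-z0-9-]*(?:\s[^<>]*?)?/?>}

# A remaining literal angle bracket is rejected too: a translator cannot tell
# it apart from markup, so the entity form is the supported way to write it.
LITERAL_BRACKET = /[<>]/

# Returns nil when the msgid is acceptable, otherwise a short reason string.
def html_problem(msgid)
  if (tag = msgid.match(HTML_TAG))
    return "contains HTML tag #{tag[0].inspect}; keep markup out of the " \
           "string (pass it as a placeholder) or use &lt;/&gt; entities"
  end
  if msgid.match?(LITERAL_BRACKET)
    return 'contains a literal angle bracket; write it as &lt; or &gt;'
  end

  nil
end

# Runs the check over a list of msgids and returns { msgid => reason }
# for every string that would fail the lint.
def lint_strings(msgids)
  msgids.each_with_object({}) do |msgid, findings|
    problem = html_problem(msgid)
    findings[msgid] = problem if problem
  end
end

# Constructed sample msgids, labelled with the expected verdict.
SAMPLE_STRINGS = [
  'Merge request %{link_start}!%{iid}%{link_end} was merged', # ok: markup is a placeholder
  'Click <a href="%{url}">here</a> to continue',              # flagged: HTML tag
  'Version must be &lt; 3.0',                                 # ok: entity form
  'Use x > 0 for positive values'                             # flagged: literal bracket
].freeze

if __FILE__ == $PROGRAM_NAME
  lint_strings(SAMPLE_STRINGS).each { |msgid, why| puts "#{msgid.inspect}: #{why}" }
end
```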