translate: include html-tags
As we don't trust all translators (cause crowd-sourced, Cross-Site-Scripting..), we'd like to always escape most html from mf-strings.
We thought about making an individual href-helper for {{mf 'click_here' 'Click [[here]] to open.' href='/page1'}} that generates a link for the string in angle brackets. (in this issue: https://github.com/schuel/hmmm/issues/277)
Or either we could
- create a special mfHtml-helper that allows several tags (a, b, i..):
  {{{ mfHtml 'key' 'Propose <a href="/course/propose">with our form</a>'}}}
  resp.
  {{{ mfHtml 'key' 'Propose <a href="{LINK}">with our form</a>' LINK='/course/propose'}}}
  with html-scrubber-library for client-side, that cleans before displaying. We would only clean if mfHtml is used (otherwise html is not displayed at all).
- Or we would clean most html when writing on serverside. But the server doesn't know what mf-helper was used, so we would clean in all cases. (We would remove/escape all html-tags that are written into db, except for example <a href=" or <emph>; if you still need < you would have to use &lt;)
Are you planning/interested in solving this problem in messageformat generally? What are your thoughts on this so far? (There are some related thoughts about this in #161 as well.)
What syntax could then be used?
If used only for a-tags (which I guess is the most used case) it could be:
{{mf 'klick_here' 'Click [[here]] to open.' href='http://messageformat.meteor.com'}}
Or shall there be a general solution with other html-tags supported? Some other syntax proposals:
{{mf 'important' 'This is [important]!' tag='<b>'}}
{{mf 'klick_here' 'Click [here].' tag='<a href="http://example.com">'}}
or: (maybe a bit easier for translators, cause easier distinction to {NAME} which doesn't need to be translated)
{{mf 'we_believe' 'We <>believe<> in this.' tag='<emph>'}}
{{mf 'two lines' 'one line<>next line.' tag='<br />'}}
or: (to combine multiple tags in one string)
{{mf 'crossed' 'I remove <1>all<1>, <2>most<2>.' tag1='<del>' tag2='<b>'}}
{{mf 'crossed' 'I remove <1>all<2>, <3>most<4>.' tag1='<del>' tag2='</del>' tag3='<b>' tag4='</b>'}}
Just brainstorming... and curious about your thoughts.
Hey, agree those helpers make things a lot easier, but I'm reluctant to encourage strings that wouldn't work in regular messageformat. We could maybe introduce a new messageformat extension like:
Click {href, link, here}
(where href is the variable, link is the extension, and here is the translatable text), or something... maybe check if anyone else has addressed this problem. For now, as you maybe saw in #161 and #164, we have some recommendations at the very bottom of http://messageformat-v2.meteor.com/examples.
I used this as an opportunity to properly implement the _html attribute - to allow HTML in a message (including via parameter substitution, like our "A1a" example in the link above) - see the commit above; take a look. By default it will pass through html-sanitizer, and instead of _html=true, you could pass the name of a "preset". Presets are added in JS and can be either options for html-sanitizer or the user's own custom function.
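
An added illustration of the escape-first, allowlist-second handling discussed in this thread, applied to the mfHtml example strings from the first post. It is not the code from the commit and does not use html-sanitizer's API; the names renderMfHtml, ALLOWED_TAGS, SAFE_HREF and the link policy are assumptions.

```javascript
// Added example: not messageformat's or html-sanitizer's code.
const ALLOWED_TAGS = new Set(['a', 'b', 'i']); // the tags named in the mfHtml proposal
// Assumed link policy: http(s) or site-relative; rejects javascript:, //host and /\host.
const SAFE_HREF = /^(?:https?:\/\/|\/(?![\/\\]))[^\s"'<>]*$/i;
// After escaping, a tag looks like &lt;a href=&quot;...&quot;&gt;; {NAME} is a parameter.
const TOKEN = /&lt;(\/?)(\w+)(?: href=&quot;(.*?)&quot;)?&gt;|\{(\w+)\}/g;

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderMfHtml(message, params = {}) {
  const has = (n) => Object.prototype.hasOwnProperty.call(params, n);
  const fill = (m, n) => (has(n) ? escapeHtml(params[n]) : m);
  const open = []; // stack of allowlisted tags currently open

  // Escape everything first, then re-enable only allowlisted tags in a single
  // pass, so substituted parameter values are never re-scanned as markup.
  const html = escapeHtml(message).replace(TOKEN, (m, close, tag, href, param) => {
    if (param !== undefined) return fill(m, param);
    tag = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return m; // stays escaped, shown as text
    if (close) {
      if (href !== undefined || open[open.length - 1] !== tag) return m;
      open.pop();
      return `</${tag}>`;
    }
    if (tag === 'a') {
      if (href === undefined) return m;
      const url = href.replace(/\{(\w+)\}/g, fill); // already attribute-escaped
      if (!SAFE_HREF.test(url)) return m;
      open.push(tag);
      return `<a href="${url}" rel="noopener noreferrer">`;
    }
    if (href !== undefined) return m; // <b href=...> is not a permitted form
    open.push(tag);
    return `<${tag}>`;
  });
  // Close anything a translator left open so it cannot affect the rest of the page.
  return html + open.reverse().map((t) => `</${t}>`).join('');
}
```

Because the output is meant for a triple-stash helper, everything the function does not explicitly re-enable reaches the page as visible text rather than markup.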