i18n-node icon indicating copy to clipboard operation
i18n-node copied to clipboard
verified publisher icon mashpie

`__mf` incorrectly re-parses output as Mustache

Open andersk opened this issue 1 month ago • 0 comments

One would expect this call to be safe, even if name is user-provided:

i18n.__mf('Hello, {name}!', {name})

But instead, __mf unexpectedly reinterprets the value of name as Mustache template code. This means, for example, the user can crash it by providing a weird name:

> i18n = require('i18n'); i18n.configure({directory: 'locales'})
undefined
> name = '{{{}}'
'{{{}}'
> i18n.__mf('Hello, {name}!', {name})
Uncaught Error: Unclosed tag at 13
    at parseTemplate (/tmp/node_modules/.pnpm/[email protected]/node_modules/mustache/mustache.js:217:15)
    at Writer.parse (/tmp/node_modules/.pnpm/[email protected]/node_modules/mustache/mustache.js:523:16)
    at Writer.render (/tmp/node_modules/.pnpm/[email protected]/node_modules/mustache/mustache.js:554:23)
    at Object.render (/tmp/node_modules/.pnpm/[email protected]/node_modules/mustache/mustache.js:758:26)
    at postProcess (/tmp/node_modules/.pnpm/[email protected]/node_modules/i18n/i18n.js:630:22)
    at Object.i18nMessageformat [as __mf] (/tmp/node_modules/.pnpm/[email protected]/node_modules/i18n/i18n.js:348:12)

andersk avatar Nov 15 '25 02:11 andersk