https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38217

David Cook <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #3 from David Cook <[email protected]> ---
(In reply to Jonathan Druart from comment #0)
> So the solution I found is to use an intermediate JS variable:
>   let bar = "[% bar | uri %]";
>   str = '<a foo="%s" bar="%s">%s</a>'.format(foo, bar, _("Click me"))

Another option would be something like:

let link = document.createElement('a');
link.textContent = _("Click me");
link.setAttribute('foo',foo);
link.setAttribute('bar',bar);
str = link.outerHTML;

--

While it's more verbose, it's safe from XSS and should be translation friendly.

In the quoted version, both "foo" and "bar" are potentially vulnerable to XSS
if they contain unsanitized user input.
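To show the difference between the two approaches side by side, here is an added example (not code from the bug report or from Koha). `_()` and `format()` are stand-ins for Koha's translation and string-format helpers; the hostile attribute value is constructed, and the non-browser fallback in `buildLinkSafe` replicates the escaping that `outerHTML` applies, since Node has no `document`.

```javascript
// Stand-in for Koha's _() translation helper: returns the string unchanged.
const _ = (s) => s;

// Stand-in for the String.prototype.format helper used in Koha templates:
// each %s is replaced by the next argument, with no escaping of any kind.
function format(tmpl, ...args) {
  let i = 0;
  return tmpl.replace(/%s/g, () => String(args[i++]));
}

// Pattern from the bug report: the values land in an attribute context
// unescaped, so a double quote in them ends the attribute early.
function buildLinkUnsafe(foo, bar) {
  return format('<a foo="%s" bar="%s">%s</a>', foo, bar, _("Click me"));
}

// What the browser does when serialising the DOM back to HTML:
// attribute values get &, ", < and > escaped; text nodes get &, < and >.
const escapeAttr = (s) => String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
  .replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeText = (s) => String(s).replace(/&/g, "&amp;")
  .replace(/</g, "&lt;").replace(/>/g, "&gt;");

// DOM-based construction as suggested in the comment. In a browser the real
// DOM does the escaping; outside one, an equivalent serialiser is used.
function buildLinkSafe(foo, bar) {
  if (typeof document !== "undefined") {
    const link = document.createElement("a");
    link.textContent = _("Click me");
    link.setAttribute("foo", foo);
    link.setAttribute("bar", bar);
    return link.outerHTML;
  }
  return `<a foo="${escapeAttr(foo)}" bar="${escapeAttr(bar)}">${escapeText(_("Click me"))}</a>`;
}

// Constructed sample input: a value that closes the attribute and adds another.
const HOSTILE = 'x" onmouseover="alert(1)';
```

With `HOSTILE` as `foo`, the unsafe builder emits a live `onmouseover` attribute, while the DOM-based builder keeps the whole value inside the `foo` attribute as `&quot;`-escaped text.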

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/