Fix xss in __() function

String not found in translation files must be escaped.
2021-11-20 13:54:54 +07:00 · 2021-11-20 13:54:54 +07:00 · 84a2bd98d1
commit 84a2bd98d1
parent 960bf497c8
2 changed files with 6 additions and 4 deletions
--- a/app/Core/Lang.php
+++ b/app/Core/Lang.php
@ -101,7 +101,7 @@ class Lang
    /**
     * Ищет сообщение в загруженных переводах
     */
-    public function get(string $message, string $lang = null) /* : string|array */
+    public function get(string $message, string $lang = null) /* : null|string|array */
    {
        if (
            null !== $lang
@ -116,7 +116,7 @@ class Lang
            }
        }

-        return $message;
+        return null; //$message;
    }

    /**
--- a/app/functions.php
+++ b/app/functions.php
@ -48,7 +48,9 @@ function __(/* string|arrray */ $arg): string
        $tr   = $lang->get(\reset($arg));
        $args = \array_slice($arg, 1);

-        if (\is_array($tr)) {
+        if (null === $tr) {
+            $tr = e($tr);
+        } elseif (\is_array($tr)) {
            $tr   = $lang->getForm($tr, \reset($args));
            $args = \array_slice($args, 1);
        }
@ -62,7 +64,7 @@ function __(/* string|arrray */ $arg): string
            return \sprintf($tr, ...$args);
        }
    } else {
-        return $lang->get($arg);
+        return $lang->get($arg) ?? e($arg);
    }
 }