angular translate sanitize / escape

Anditthas picture Anditthas · Oct 14, 2015 · Viewed 9.2k times · Source

I got a strange or maybe intended behavior with angular translate.
Our value strategie is

$translateProvider.useSanitizeValueStrategy('sanitize');

We use mostly the translate filter in our application, but when it comes to special characters we get for example instead of Überschrift something like &#220 ;berschrift.
If I use the directive it works.
If I use the filter this only works when the sanitize strategy is set to "escaped".

Is there another solution than to rewrite ALL the translation filters to directives?

Here is my plnkr http://plnkr.co/edit/QIMVQcyH5APeYxNnS82v

For your information, I can't simply use the "escaped" strategy, because we use angular translate variables as well and these variables contain sometimes even html tags.

Thanks!

Answer

DGarvanski picture DGarvanski · Oct 15, 2015

Use sanitizeParameters instead of sanitize. Here is the fixed plnkr: http://plnkr.co/edit/qicVqPXn3qo6hMNa1fY2?p=preview

(EDIT: 07/10/2016): There is a significant difference between the two sanitization strategies. sanitizeParameters sanitizes the interpolation parameters and not the translated output. That means that it doesn't allow for changes in those parameters, but the translated content is still vulnerable since it's not sanitized.

The problem with sanitize and UTF-8 characters is a known issue and I believe it's being worked on.