Comments (4)
I was the one that made it generally an error to do this. We found that in Google we had a dozen or so cases where a message was inside a URL, but it was almost all accidental, e.g. someone accidentally made a template kind="uri". (We generally use ?hl parameters for URLs that need to be translated in multiple languages.)
That said, a few others have asked me about this, as some people have translation processes built around URLs that work really well -- it is possible to make it work, but it does require a bit more typing, but the nice thing about this syntax is that it makes absolutely certain that a "javascript:" URL or something nasty doesn't end up in the final URL, because now the result of the message will go through validation.
{let $translatedUrl kind="text"}
{msg desc="Kinja Help URL - Token call failed"}http://help.gawker.com/customer/portal/articles/1794410-why-am-i-receiving-a-post-save-error-{/msg}
{/let}
<a class="icon icon-question-circle hover-icon icon-append help-link" href="{msg desc="Kinja Help URL - Token call failed"}http://help.gawker.com/customer/portal/articles/1794410-why-am-i-receiving-a-post-save-error-{/msg}" target="_blank">
from closure-templates.
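A simplified model of the validation the reply above describes, where a translated message is treated as plain text and filtered before it reaches an `href`. This is an added example, not Closure Templates source code; the function names, the allowlist regex, the placeholder URL and the sample translations are assumptions of this sketch.

```javascript
// Added illustration; not code from Closure Templates or from the thread.
const INNOCUOUS_URL = 'about:invalid#blocked'; // placeholder chosen for this example

// Allowlist, not denylist: accept http(s)/mailto, or a scheme-less reference
// (no ':' before the first '/', '?' or '#'). Everything else is rejected,
// including odd casing or leading whitespace in front of a scheme.
const SAFE_URL = /^(?:(?:https?|mailto):|[^&:\/?#]*(?:[\/?#]|$))/i;

function filterUrl(text) {
  const value = String(text);
  return SAFE_URL.test(value) ? value : INNOCUOUS_URL;
}

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// The translated string is only text until it has passed filterUrl().
function renderHelpLink(translatedUrl) {
  const href = escapeAttr(filterUrl(translatedUrl));
  return `<a class="help-link" href="${href}" target="_blank">`;
}

// Constructed sample translations: what a translation bundle might return.
const TRANSLATIONS = {
  en: 'http://help.gawker.com/customer/portal/articles/1794410-why-am-i-receiving-a-post-save-error-',
  relative: '/help/post-save-error?hl=de',
  badScheme: 'javascript:void(0)',
  badSchemePadded: ' JavaScript:void(0)',
  quoteBreakout: 'http://help.example/"onmouseover="x',
};

function renderAll() {
  const out = {};
  for (const [key, url] of Object.entries(TRANSLATIONS)) {
    out[key] = renderHelpLink(url);
  }
  return out;
}

console.log(renderAll());
```
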
Thanks @gboyer, that solution works for our situation. Is there a migration guide or a changelog somewhere that indicates the changes necessary to upgrade from the 2012 to the 2015 version of Closure Templates?
from closure-templates.
One of the biggest changes is that since then, the default autoescape mode has changed from "true" (which is now deprecated-noncontextual) to "strict" (which is now also the default). Strict autoescaping also bans noAutoescape, instead requiring anything that needs to be printed without escaping to be passed into Soy as a SanitizedContent object, or passed between templates as a kind="html" parameter block. Or, you can leave things the way they are and use deprecated-noncontextual escaping, but with a higher risk of XSS.
We now push about every week, so I can't guarantee the total set of changes; a lot of changes are small but might still affect people. The messages change is one of the smallest changes we've made. In the last few weeks certain kinds of URL patterns have also been banned because it turned out there was no way for Soy to escape them correctly, and before it was just silently escaping them incorrectly... there have been some recent fixes to the language implementation, new backends, and more, too.
from closure-templates.
Thanks again, @gboyer; deprecated-noncontextual will make it easier for us to make this upgrade in small steps.
from closure-templates.