i18next: Unexpected recursive interpolation, even with skipOnVariables: true

🐛 Bug Report

t("{{a}}", { a: "{{b}}", b: "c" }) should do exactly one round of interpolation and return "{{b}}", but instead it does multiple recursive interpolations and unexpectedly returns "c".

This happens even with skipOnVariables: true in the interpolation options. This behavior is unexpected either way, but with skipOnVariables: true, it’s also contrary to the documentation.

Since interpolated values are often user-controlled, this may allow users to access values they shouldn’t be able to access, perform super-effective phishing attacks, construct an extremely long string that runs the server out of memory, etc., as discussed in #1479.

To Reproduce

https://codesandbox.io/s/inspiring-wu-43ruq

Or in Node:

> i18next = require("i18next")
> i18next.init({ interpolation: { skipOnVariables: true } })
> i18next.t("{{a}}", { a: "{{b}}", b: "c" })
'c'

Expected behavior


> i18next.t("{{a}}", { a: "{{b}}", b: "c" })
'{{b}}'

Your Environment

  • runtime version: Node 14.16.0
  • i18next version: 20.1.0
  • os: Linux

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (10 by maintainers)
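
The difference between one round of interpolation and re-scanning, as an added example that is not part of the original issue and is not i18next's code. It uses two toy interpolators with hypothetical names, and a canary check that can be pointed at any `interpolate(template, values)` function; all sample values are constructed.

```javascript
// Added example: toy interpolators, NOT i18next's implementation.
// The {{key}} syntax matches the report; all function names are hypothetical.
const PLACEHOLDER = /\{\{\s*([\w.]+)\s*\}\}/g;

// One round: replace() walks the template only, so text that arrives
// through a value is never re-examined for placeholders.
function interpolateOnce(template, values) {
  return template.replace(PLACEHOLDER, (match, key) =>
    Object.prototype.hasOwnProperty.call(values, key) ? String(values[key]) : match
  );
}

// Re-scanning: feed the output back in until it stops changing. A
// placeholder carried in a value is resolved on the next round.
// maxRounds bounds the loop for self-referential values.
function interpolateRescan(template, values, maxRounds = 10) {
  let out = template;
  for (let round = 0; round < maxRounds; round++) {
    const next = interpolateOnce(out, values);
    if (next === out) break;
    out = next;
  }
  return out;
}

// Regression check for any interpolate(template, values) function: plant a
// placeholder in a user-controlled value and see whether a value the
// template never referenced shows up in the output.
function checkNestedInterpolation(interpolate) {
  const canary = "CANARY-7f3a"; // constructed marker value
  const values = { user: "{{secret}}", secret: canary };
  const output = interpolate("Hello {{user}}", values);
  return { output, leaked: output.includes(canary) };
}

console.log(interpolateOnce("{{a}}", { a: "{{b}}", b: "c" }));
console.log(interpolateRescan("{{a}}", { a: "{{b}}", b: "c" }));
console.log(checkNestedInterpolation(interpolateOnce));
console.log(checkNestedInterpolation(interpolateRescan));
// Growth: a value that references itself doubles the string on each round.
console.log(interpolateRescan("{{a}}", { a: "{{a}}{{a}}" }).length);
```
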

Most upvoted comments

As a dev, shouldn't you add input validation before storing such names, emails, inputs in your database?

Guess in future we should remove the escaping option, as it is more or less a relic from jQuery times -> leaving escaping to the frontend lib (like React does escape by default)