Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/doc/development/i18n
diff options
context:
space:
mode:
Diffstat (limited to 'doc/development/i18n')
-rw-r--r--doc/development/i18n/externalization.md77
-rw-r--r--doc/development/i18n/merging_translations.md9
-rw-r--r--doc/development/i18n/proofreader.md7
3 files changed, 84 insertions, 9 deletions
diff --git a/doc/development/i18n/externalization.md b/doc/development/i18n/externalization.md
index bce95dfc24e..1374ca92256 100644
--- a/doc/development/i18n/externalization.md
+++ b/doc/development/i18n/externalization.md
@@ -196,7 +196,7 @@ For example use `%{created_at}` in Ruby but `%{createdAt}` in JavaScript. Make s
// => 'This is <strong><script>alert('evil')</script></strong>'
// OK:
- sprintf(__('This is %{value}'), { value: `<strong>${escape(someDynamicValue)}</strong>`, false);
+ sprintf(__('This is %{value}'), { value: `<strong>${escape(someDynamicValue)}</strong>` }, false);
// => 'This is <strong>&lt;script&gt;alert(&#x27;evil&#x27;)&lt;/script&gt;</strong>'
```
@@ -296,6 +296,74 @@ Namespaces should be PascalCase.
Note: The namespace should be removed from the translation. See the [translation
guidelines for more details](translation.md#namespaced-strings).
+### HTML
+
+We no longer include HTML directly in the strings that are submitted for translation. This is for a couple of reasons:
+
+1. It introduces a chance for the translated string to accidentally include invalid HTML.
+1. It introduces a security risk where translated strings become an attack vector for XSS, as noted by the
+ [Open Web Application Security Project (OWASP)](https://owasp.org/www-community/attacks/xss/).
+
+To include formatting in the translated string, we can do the following:
+
+- In Ruby/HAML:
+
+ ```ruby
+ html_escape(_('Some %{strongOpen}bold%{strongClose} text.')) % { strongOpen: '<strong>'.html_safe, strongClose: '</strong>'.html_safe }
+
+ # => 'Some <strong>bold</strong> text.'
+ ```
+
+- In JavaScript:
+
+ ```javascript
+ sprintf(__('Some %{strongOpen}bold%{strongClose} text.'), { strongOpen: '<strong>', strongClose: '</strong>'}, false);
+
+ // => 'Some <strong>bold</strong> text.'
+ ```
+
+- In Vue
+
+ See the section on [interpolation](#interpolation).
+
+When [this translation helper issue](https://gitlab.com/gitlab-org/gitlab/-/issues/217935) is complete, we'll update the
+process of including formatting in translated strings.
+
+#### Including Angle Brackets
+
+If a string contains angles brackets (`<`/`>`) that are not used for HTML, it will still be flagged by the
+`rake gettext:lint` linter.
+To avoid this error, use the applicable HTML entity code (`&lt;` or `&gt;`) instead:
+
+- In Ruby/HAML:
+
+ ```ruby
+ html_escape_once(_('In &lt; 1 hour')).html_safe
+
+ # => 'In < 1 hour'
+ ```
+
+- In JavaScript:
+
+ ```javascript
+ import sanitize from 'sanitize-html';
+
+ const i18n = { LESS_THAN_ONE_HOUR: sanitize(__('In &lt; 1 hours'), { allowedTags: [] }) };
+
+ // ... using the string
+ element.innerHTML = i18n.LESS_THAN_ONE_HOUR;
+
+ // => 'In < 1 hour'
+ ```
+
+- In Vue:
+
+ ```vue
+ <gl-sprintf :message="s__('In &lt; 1 hours')"/>
+
+ // => 'In < 1 hour'
+ ```
+
### Dates / times
- In JavaScript:
@@ -555,6 +623,7 @@ The linter will take the following into account:
- There should be no variables used in a translation that aren't in the
message ID
- Errors during translation.
+- Presence of angle brackets (`<` or `>`)
The errors are grouped per file, and per message ID:
@@ -567,7 +636,7 @@ Errors in `locale/zh_HK/gitlab.po`:
Syntax error in msgstr
Syntax error in message_line
There should be only whitespace until the end of line after the double quote character of a message text.
- Parsing result before error: '{:msgid=>["", "You are going to remove %{project_name_with_namespace}.\\n", "Removed project CANNOT be restored!\\n", "Are you ABSOLUTELY sure?"]}'
+ Parsing result before error: '{:msgid=>["", "You are going to delete %{project_name_with_namespace}.\\n", "Deleted projects CANNOT be restored!\\n", "Are you ABSOLUTELY sure?"]}'
SimplePoParser filtered backtrace: SimplePoParser::ParserError
Errors in `locale/zh_TW/gitlab.po`:
1 pipeline
@@ -581,6 +650,10 @@ aren't in the message with ID `1 pipeline`.
## Adding a new language
+NOTE: **Note:**
+[Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/221012) in GitLab 13.3:
+Languages with less than 2% of translations won't be available in the UI.
+
Let's suppose you want to add translations for a new language, let's say French.
1. The first step is to register the new language in `lib/gitlab/i18n.rb`:
diff --git a/doc/development/i18n/merging_translations.md b/doc/development/i18n/merging_translations.md
index e0fcaddda4c..8b3357c41d3 100644
--- a/doc/development/i18n/merging_translations.md
+++ b/doc/development/i18n/merging_translations.md
@@ -25,14 +25,15 @@ suggesting to automate this process. Disapproving will exclude the
invalid translation, the merge request will be updated within a few
minutes.
+If the translation has failed validation due to angle brackets `<` or `>`
+it should be disapproved on CrowdIn as our strings should be
+using [variables](externalization.md#html) for HTML instead.
+
It might be handy to pause the integration on the CrowdIn side for a
little while so translations don't keep coming. This can be done by
clicking `Pause sync` on the [CrowdIn integration settings
page](https://translate.gitlab.com/project/gitlab-ee/settings#integration).
-When all failures are resolved, the translations need to be double
-checked once more as discussed in [confidential issue](../../user/project/issues/confidential_issues.md) `https://gitlab.com/gitlab-org/gitlab/-/issues/19485`.
-
## Merging translations
When all translations are found good and pipelines pass the
@@ -56,7 +57,7 @@ have been fixed on master.
## Recreate the GitLab integration in CrowdIn
-NOTE: ***Note:**
+NOTE: **Note:**
These instructions work only for GitLab Team Members.
If for some reason the GitLab integration in CrowdIn does not exist, it can be
diff --git a/doc/development/i18n/proofreader.md b/doc/development/i18n/proofreader.md
index 935a171f34c..9d2997379c1 100644
--- a/doc/development/i18n/proofreader.md
+++ b/doc/development/i18n/proofreader.md
@@ -115,9 +115,10 @@ are very appreciative of the work done by translators and proofreaders!
## Become a proofreader
-> **Note:** Before requesting Proofreader permissions in CrowdIn please make
-> sure that you have a history of contributing translations to the GitLab
-> project.
+NOTE: **Note:**
+Before requesting Proofreader permissions in CrowdIn please make
+sure that you have a history of contributing translations to the GitLab
+project.
1. Contribute translations to GitLab. See instructions for
[translating GitLab](translation.md).
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-15 20:42:02 +0300