fix(core): Do not use v-html for translation output

The content that can be renderered does *not* include HTML (see `recommended` object). But `v-html` was used, this is potentially dangerous, even though we sanitize the translation values, so no urgent harm but better safe than sorry. Signed-off-by: Ferdinand Thiessen <[email protected]>
nextcloud · Nov 19, 2024 · 52769a4 · 52769a4
1 parent fb75e2d
commit 52769a4
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/src/components/setup/RecommendedApps.vue b/core/src/components/setup/RecommendedApps.vue
@@ -18,7 +18,7 @@
 				<img :src="customIcon(app.id)" alt="">
 				<div class="info">
 					<h3>{{ customName(app) }}</h3>
-					<p v-html="customDescription(app.id)" />
+					<p v-text="customDescription(app.id)" />
 					<p v-if="app.installationError">
 						<strong>{{ t('core', 'App download or installation failed') }}</strong>
 					</p>