XSS Vulnerabilities in the UT React Component

Wanting to check my understanding of the UT React component that internally uses dangerouslySetInnerHTML.

Given that, and given a bad actor could get access to the Transifex application, is it possible for arbitrary HTML to be inserted, or does Transifex sanitise these “translations”?

Hello @aarr0n,

I’m Antonis from the Transifex Customer Success team. I hope you’re well!

That’s a great question, and your concern is well-founded.

The UT component takes a translation string and renders it as raw HTML via dangerouslySetInnerHTML. The key question is: what does useT() return, and does it sanitize?

It returns the _escapeVars: true flag.

This is passed to the translation hook and only protects interpolated variables, not the translation string itself.

Our documentation has an explicit warning about this: “Using the translation as-is from the t function inside HTML is dangerous for XSS attacks.” The _escapeVars parameter only escapes the ICU variables (dynamic values you pass in, like {username}), but HTML source content cannot be globally escaped this way.

This is by design since UT is the unsafe variant of the T component. The t function escapes HTML before rendering the final strings, while ut does no escaping.

So, in practice, a bad actor with access to your Transifex project could inject arbitrary HTML by modifying translation strings, which UT would render as raw HTML with no sanitization.

To mitigate this, you could do any or all of the following:

  1. Use T instead of UT wherever HTML rendering isn’t needed. UT should be reserved for strings that genuinely require HTML markup.
  2. Add client-side sanitization. For example, you could use something like DOMPurify and wrap the translation before rendering it.
  3. Ensure proper Transifex account security, restricting access to only trusted collaborators, and maintain good security hygiene (strong passwords, 2FA, etc.).

Let me know if this helps, and if you have any other questions, I will be happy to assist.
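The difference between T, UT with _escapeVars, and "UT wrapped in a sanitizer" from the answer above, as an added example that is not part of this thread and not Transifex's own code. The functions tModel, utModel, sanitizeHtml and safeUtHtml are hypothetical stand-ins that model the described behaviour (escape everything, escape only the ICU variables, strip dangerous markup before rendering); they are not the @transifex/react API. The allowlist sanitizer is a small stand-in so the example runs offline; in a real component you would call DOMPurify.sanitize() instead. The translation string is constructed to look like one edited by someone with write access to the project.

```javascript
// Added example (not Transifex code): models T vs UT rendering and shows a
// sanitize-before-render wrapper for UT. The allowlist sanitizer is a stand-in
// for DOMPurify so this runs offline; use DOMPurify.sanitize() in production.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Replace ICU-style {name} placeholders, passing each value through `escape`.
function interpolate(translation, vars, escape) {
  return translation.replace(/\{(\w+)\}/g, (match, name) =>
    name in vars ? escape(vars[name]) : match);
}

// Model of the safe T component: the whole final string is escaped.
function tModel(translation, vars = {}) {
  return escapeHtml(interpolate(translation, vars, String));
}

// Model of UT with _escapeVars: true. Only the variables are escaped; markup
// that lives in the translation string itself reaches the DOM untouched.
function utModel(translation, vars = {}) {
  return interpolate(translation, vars, escapeHtml);
}

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'span', 'a']);
const SAFE_HREF = /^(?:https?:\/\/|mailto:|\/(?!\/))/;
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][\w:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Allowlist sanitizer (stand-in for DOMPurify): comments and unknown tags are
// dropped, and every attribute is dropped except an href on <a> whose value is
// literally http(s)://, mailto: or a relative path (so entity-encoded schemes
// such as &#106;avascript: are rejected rather than decoded by the browser).
function sanitizeHtml(html) {
  const stripped = html.replace(/<!--[\s\S]*?-->/g, '').replace(/<[!?][^>]*>/g, '');
  return stripped.replace(TAG_RE, (whole, slash, rawName, rawAttrs) => {
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';
    if (slash) return `</${name}>`;
    let keptAttrs = '';
    if (name === 'a') {
      for (const m of rawAttrs.matchAll(ATTR_RE)) {
        const value = (m[2] ?? m[3] ?? m[4] ?? '').trim();
        if (m[1].toLowerCase() === 'href' && SAFE_HREF.test(value)) {
          keptAttrs = ` href="${value.replace(/"/g, '&quot;')}"`;
          break;
        }
      }
    }
    return `<${name}${keptAttrs}>`;
  });
}

// What a wrapped UT does: sanitize the interpolated string before it goes into
// dangerouslySetInnerHTML. Variables were already escaped by utModel, so the
// sanitizer only has to deal with markup that came from the translation file.
function safeUtHtml(translation, vars = {}) {
  return sanitizeHtml(utModel(translation, vars));
}

// Constructed translation string: the <b> is legitimate markup, the rest is
// what a tampered translation could carry.
const TAMPERED = 'Welcome back, <b>{username}</b>! '
  + '<img src="x" onerror="evil()"><script>evil()</script>'
  + '<a href="javascript:evil()">account</a> <a href="https://example.com/account">account</a>';

// In a React component the sanitized value is what you would hand to
// dangerouslySetInnerHTML:
//   <span dangerouslySetInnerHTML={{ __html: safeUtHtml(translation, vars) }} />
if (typeof require !== 'undefined' && require.main === module) {
  console.log('T           :', tModel(TAMPERED, { username: 'Ada' }));
  console.log('UT          :', utModel(TAMPERED, { username: '<s>Ada</s>' }));
  console.log('UT+sanitize :', safeUtHtml(TAMPERED, { username: '<s>Ada</s>' }));
}
```

Running it shows the three outcomes side by side: T turns every angle bracket in the string into text, UT keeps the `<b>` but also hands the `<img onerror>`, the `<script>` and the `javascript:` link straight to the DOM (only the {username} value is escaped), and the sanitized variant keeps the `<b>` and the https link while the rest is reduced to inert text. The sanitizer here is deliberately strict rather than complete, which is why the real recommendation stays DOMPurify.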