i18next-scanner - npm Package Compare versions

Comparing version 1.5.1 to 1.6.0

lib/parser.js

@@ -286,20 +286,21 @@ 'use strict';
                     key = key.slice(1, -1);
-                    // Replace two consecutive backslashes with a backslash
-                    key = key.replace(/\\\\/g, '\\');
                 }
 
-                // Replace \' with '
-                // Input: i18n.t('name=\'{{name}}\'')
-                // Output: { "name='{{name}}'": "name='{{name}}'" }
-                if (firstChar === '\'') {
-                    key = key.replace(/\\\'/g, '\'');
-                }
+                // JavaScript character escape sequences
+                // https://mathiasbynens.be/notes/javascript-escapes
 
-                // Replace \" with "
-                // Input: i18n.t("name=\"{{name}}\"")
-                // Output: { "name=\"{{name}}\"": "name=\"{{name}}\"" }
-                if (firstChar === '"') {
-                    key = key.replace(/\\\"/g, '"');
-                }
+                // Single character escape sequences
+                // Note: IE < 9 treats '\v' as 'v' instead of a vertical tab ('\x0B'). If cross-browser compatibility is a concern, use \x0B instead of \v.
+                // Another thing to note is that the \v and \0 escapes are not allowed in JSON strings.
+                key = key.replace(/(\\b|\\f|\\n|\\r|\\t|\\v|\\0|\\\\|\\"|\\')/g, function (match) {
+                    return eval('"' + match + '"');
+                });
 
+                // * Octal escapes have been deprecated in ES5.
+                // * Hexadecimal escape sequences: \\x[a-fA-F0-9]{2}
+                // * Unicode escape sequences: \\u[a-fA-F0-9]{4}
+                key = key.replace(/(\\x[a-fA-F0-9]{2}|\\u[a-fA-F0-9]{4})/g, function (match) {
+                    return eval('"' + match + '"');
+                });
+
                 var endsWithComma = full[full.length - 1] === ',';
@@ -391,3 +392,2 @@ if (endsWithComma) {
                         customHandler(key);
-
                         return;
@@ -394,0 +394,0 @@ }

package.json

 {
   "name": "i18next-scanner",
-  "version": "1.5.1",
+  "version": "1.6.0",
   "description": "Scan your code, extract translation keys/values, and merge them into i18n resource files.",
   "homepage": "https://github.com/i18next/i18next-scanner",
   "author": "Cheton Wu <cheton@gmail.com>",
+  "contributors": [
+    {
+      "name": "Cheton Wu",
+      "email": "cheton@gmail.com",
+      "url": "https://github.com/cheton"
+    }
+  ],
   "main": "lib/index.js",
@@ -8,0 +15,0 @@ "scripts": {

src/parser.js

@@ -245,20 +245,17 @@ /* eslint no-console: 0 */
                 key = key.slice(1, -1);
-                // Replace two consecutive backslashes with a backslash
-                key = key.replace(/\\\\/g, '\\');
             }
 
-            // Replace \' with '
-            // Input: i18n.t('name=\'{{name}}\'')
-            // Output: { "name='{{name}}'": "name='{{name}}'" }
-            if (firstChar === '\'') {
-                key = key.replace(/\\\'/g, '\'');
-            }
+            // JavaScript character escape sequences
+            // https://mathiasbynens.be/notes/javascript-escapes
 
-            // Replace \" with "
-            // Input: i18n.t("name=\"{{name}}\"")
-            // Output: { "name=\"{{name}}\"": "name=\"{{name}}\"" }
-            if (firstChar === '"') {
-                key = key.replace(/\\\"/g, '"');
-            }
+            // Single character escape sequences
+            // Note: IE < 9 treats '\v' as 'v' instead of a vertical tab ('\x0B'). If cross-browser compatibility is a concern, use \x0B instead of \v.
+            // Another thing to note is that the \v and \0 escapes are not allowed in JSON strings.
+            key = key.replace(/(\\b|\\f|\\n|\\r|\\t|\\v|\\0|\\\\|\\"|\\')/g, (match) => eval(`"${match}"`));
 
+            // * Octal escapes have been deprecated in ES5.
+            // * Hexadecimal escape sequences: \\x[a-fA-F0-9]{2}
+            // * Unicode escape sequences: \\u[a-fA-F0-9]{4}
+            key = key.replace(/(\\x[a-fA-F0-9]{2}|\\u[a-fA-F0-9]{4})/g, (match) => eval(`"${match}"`));
+
             const endsWithComma = (full[full.length - 1] === ',');
@@ -341,3 +338,2 @@ if (endsWithComma) {
                     customHandler(key);
-
                     return;
@@ -344,0 +340,0 @@ }

test/index.js

@@ -13,3 +13,3 @@ import _ from 'lodash';
     func: {
-        list: ['_t']
+        list: ['_t', 't']
     },
@@ -383,1 +383,28 @@ lngs: ['en','de'],
 });
+
+test('Escape sequences', function(t) {
+    const options = _.merge({}, defaults, {
+    });
+
+    gulp.src('test/fixtures/escape-sequences.js')
+        .pipe(scanner(options))
+        .pipe(tap(function(file) {
+            const contents = file.contents.toString();
+
+            // English - resource.json
+            if (file.path === 'i18n/en/resource.json') {
+                const found = JSON.parse(contents);
+                const wanted = {
+                    "Single character escape sequences: \b\f\n\r\t\v\0\'\"\\": "__STRING_NOT_TRANSLATED__",
+                    "Hexadecimal escape sequences: \xa9\xA9": "__STRING_NOT_TRANSLATED__",
+                    "Unicode escape sequences: \u00a9\u00A9\u2665": "__STRING_NOT_TRANSLATED__",
+                    "Backslashes in single quote: ' \\ '": "__STRING_NOT_TRANSLATED__"
+                };
+
+                t.same(found, wanted);
+            }
+        }))
+        .on('end', function() {
+            t.end();
+        });
+});

test/parser.js

@@ -151,3 +151,3 @@ import fs from 'fs';
 
-test('Replace double backslash with single backslash', (t) => {
+test('Quotes', (t) => {
     const parser = new Parser({
@@ -163,3 +163,3 @@ defaultValue: function(lng, ns, key) {
     });
-    const content = fs.readFileSync(path.resolve(__dirname, 'fixtures/escape.js'), 'utf8');
+    const content = fs.readFileSync(path.resolve(__dirname, 'fixtures/quotes.js'), 'utf8');
     const wanted = {
@@ -180,2 +180,3 @@ "en": {
     t.same(parser.get(), wanted);
+
     t.end();
@@ -182,0 +183,0 @@ });

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

115775

increased by1.99%

Number of package files

38

increased by5.56%

Lines of code

2243

increased by2%

Worsened metrics

Number of medium supply chain risk alerts

4

increased byInfinity%

No dependency changes