elastic · LeanidShutau · Jul 5, 2018 · Sep 28, 2018 · Oct 8, 2018 · Oct 10, 2018
diff --git a/packages/kbn-i18n/src/angular/__snapshots__/directive.test.ts.snap b/packages/kbn-i18n/src/angular/__snapshots__/directive.test.ts.snap
@@ -1,5 +1,47 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
+exports[`i18nDirective inserts correct translation html content 1`] = `
+<div
+  class="ng-scope ng-isolate-scope"
+  i18n-default-message="Default message"
+  i18n-id="id"
+>
+  Default message
+</div>
+`;
+
 exports[`i18nDirective inserts correct translation html content with values 1`] = `"default-message word"`;
 
 exports[`i18nDirective inserts correct translation html content with values 2`] = `"default-message anotherWord"`;
+
+exports[`i18nDirective sanitizes defaultMessage 1`] = `
+<div
+  class="ng-scope ng-isolate-scope"
+  i18n-default-message="Dangerous default message, {unsafe_value}"
+  i18n-id="id"
+  i18n-values="{ unsafe_value: '<div i18n-id=\\"id2\\" i18n-default-message=\\"<script></script>inner message\\" />' }"
+>
+  Dangerous default message, 
+  <div
+    class="ng-scope ng-isolate-scope"
+    i18n-default-message="<script></script>inner message"
+    i18n-id="id2"
+  >
+    &lt;script&gt;&lt;/script&gt;inner message
+  </div>
+</div>
+`;
+
+exports[`i18nDirective sanitizes safe value 1`] = `
+<div
+  class="ng-scope ng-isolate-scope"
+  i18n-default-message="Default message, {value}"
+  i18n-id="id"
+  i18n-values="{ value: '<div ng-click=\\"dangerousAction()\\"></div>' }"
+>
+  Default message, 
+  <div
+    class="ng-scope"
+  />
+</div>
+`;
diff --git a/packages/kbn-i18n/src/angular/directive.test.ts b/packages/kbn-i18n/src/angular/directive.test.ts
@@ -19,12 +19,13 @@
 
 import angular from 'angular';
 import 'angular-mocks';
+import 'angular-sanitize';
 
 import { i18nDirective } from './directive';
 import { I18nProvider } from './provider';
 
 angular
-  .module('app', [])
+  .module('app', ['ngSanitize'])
   .provider('i18n', I18nProvider)
   .directive('i18nId', i18nDirective);
 
@@ -44,20 +45,47 @@ describe('i18nDirective', () => {
   );
 
   test('inserts correct translation html content', () => {
-    const id = 'id';
-    const defaultMessage = 'default-message';
+    const element = angular.element(
+      `<div
+        i18n-id="id"
+        i18n-default-message="Default message"
+      />`
+    );
 
+    compile(element)(scope);
+    scope.$digest();
+
+    expect(element[0]).toMatchSnapshot();
+  });
+
+  test('sanitizes defaultMessage', () => {
     const element = angular.element(
       `<div
-        i18n-id="${id}"
-        i18n-default-message="${defaultMessage}"
+        i18n-id="id"
+        i18n-default-message="Dangerous default message, {unsafe_value}"
+        i18n-values="{ unsafe_value: '<div i18n-id=&quot;id2&quot; i18n-default-message=&quot;<script></script>inner message&quot; />' }"
+      />`
+    );
+
+    compile(element)(scope);
+    scope.$digest();
+
+    expect(element[0]).toMatchSnapshot();
+  });
+
+  test('sanitizes safe value', () => {
+    const element = angular.element(
+      `<div
+        i18n-id="id"
+        i18n-default-message="Default message, {value}"
+        i18n-values="{ value: '<div ng-click=&quot;dangerousAction()&quot;></div>' }"
       />`
     );
 
     compile(element)(scope);
     scope.$digest();
 
-    expect(element.html()).toEqual(defaultMessage);
+    expect(element[0]).toMatchSnapshot();
   });
 
   test('inserts correct translation html content with values', () => {

diff --git a/packages/kbn-i18n/src/angular/directive.ts b/packages/kbn-i18n/src/angular/directive.ts
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-import { IDirective, IRootElementService, IScope } from 'angular';
+import { ICompileService, IDirective, IRootElementService, IScope } from 'angular';
 
 import { I18nServiceType } from './provider';
 
@@ -27,7 +27,11 @@ interface I18nScope extends IScope {
   id: string;
 }
 
-export function i18nDirective(i18n: I18nServiceType): IDirective<I18nScope> {
+export function i18nDirective(
+  i18n: I18nServiceType,
+  $compile: ICompileService,
+  $sanitize: (html: string) => string
+): IDirective<I18nScope> {
   return {
     restrict: 'A',
     scope: {
@@ -38,20 +42,39 @@ export function i18nDirective(i18n: I18nServiceType): IDirective<I18nScope> {
     link($scope, $element) {
       if ($scope.values) {
         $scope.$watchCollection('values', () => {
-          setHtmlContent($element, $scope, i18n);
+          setHtmlContent($element, $scope, $sanitize, i18n);
+          $compile($element.contents() as any)($scope.$parent);
         });
       } else {
-        setHtmlContent($element, $scope, i18n);
+        setHtmlContent($element, $scope, $sanitize, i18n);
       }
     },
   };
 }
 
-function setHtmlContent($element: IRootElementService, $scope: I18nScope, i18n: I18nServiceType) {
+function setHtmlContent(
+  $element: IRootElementService,
+  $scope: I18nScope,
+  $sanitize: (html: string) => string,
+  i18n: I18nServiceType
+) {
+  const values = Object.entries($scope.values || {}).reduce(
+    (result, [key, value]) => {
+      if (key.startsWith('unsafe_')) {
+        result[key] = value;
+      } else {
+        result[key] = $sanitize(value);
+      }
+
+      return result;
+    },
+    {} as Record<string, any>
+  );
+
   $element.html(
     i18n($scope.id, {
-      values: $scope.values,
-      defaultMessage: $scope.defaultMessage,
+      values,
+      defaultMessage: ($scope.defaultMessage || '').replace(/\</g, '&lt;').replace(/\>/g, '&gt;'),
     })
   );
 }