New Crowdin updates #1694

ashkan-deriv · 2024-04-04T08:18:14Z

No description provided.

github-actions · 2024-04-22T07:35:31Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details

Scanned Manifest Files

github-advanced-security

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

public/email/crowdin/translations/ar/lp-forex-ebook.html

+              var deriv_cookie_domain = 'deriv.com' // Modify as per your actual usage
+              var CookieStorage = function (cookie_name, cookie_domain = '') {
+                  var hostname = window.location.hostname
+                  var is_deriv_com = hostname.includes('deriv.com')


To fix the problem, we need to replace the substring check with a more secure method of verifying the hostname. Specifically, we should parse the URL and check if the host matches an allowed list of hosts. This ensures that the check is not bypassed by embedding the allowed host in an unexpected location within the URL.

Parse the URL to extract the hostname.

Check if the hostname matches an allowed list of hosts.

Update the relevant lines in the code to implement this change.

public/email/crowdin/translations/bn/lp-forex-ebook.html

+              var deriv_cookie_domain = 'deriv.com' // Modify as per your actual usage
+              var CookieStorage = function (cookie_name, cookie_domain = '') {
+                  var hostname = window.location.hostname
+                  var is_deriv_com = hostname.includes('deriv.com')


To fix the problem, we need to parse the URL and check the host value against a whitelist of allowed hosts. This ensures that the check handles arbitrary subdomain sequences correctly and prevents malicious URLs from bypassing the security check.

Parse the URL to extract the hostname.

Compare the extracted hostname against a whitelist of allowed hosts.

Update the code to use this new approach.

public/email/crowdin/translations/de/lp-forex-ebook.html

+              var deriv_cookie_domain = 'deriv.com' // Modify as per your actual usage
+              var CookieStorage = function (cookie_name, cookie_domain = '') {
+                  var hostname = window.location.hostname
+                  var is_deriv_com = hostname.includes('deriv.com')


To fix the problem, we need to replace the substring check with a more robust method of verifying the hostname. Specifically, we should parse the URL and check if the hostname matches an allowed list of hosts. This ensures that only the exact allowed hosts are accepted, preventing any bypass attempts.

Parse the URL to extract the hostname.

Use an explicit whitelist of allowed hosts to check if the hostname is valid.

Update the relevant code to implement this change.

public/email/crowdin/translations/es/lp-forex-ebook.html

+              var deriv_cookie_domain = 'deriv.com' // Modify as per your actual usage
+              var CookieStorage = function (cookie_name, cookie_domain = '') {
+                  var hostname = window.location.hostname
+                  var is_deriv_com = hostname.includes('deriv.com')


To fix the problem, we need to replace the substring check with a more robust method of validating the hostname. Specifically, we should parse the URL and check if the hostname matches an allowed list of hosts. This ensures that the check handles arbitrary subdomain sequences correctly and prevents bypassing the validation.

Parse the URL to extract the hostname.

Use an explicit whitelist of allowed hosts to validate the hostname.

Update the relevant lines in the code to implement this change.

public/email/crowdin/translations/fr/lp-forex-ebook.html

+              var deriv_cookie_domain = 'deriv.com' // Modify as per your actual usage
+              var CookieStorage = function (cookie_name, cookie_domain = '') {
+                  var hostname = window.location.hostname
+                  var is_deriv_com = hostname.includes('deriv.com')


To fix the problem, we need to replace the substring check with a more secure method of validating the hostname. Specifically, we should parse the URL and check if the host is in a whitelist of allowed hosts. This ensures that only the exact allowed hosts or their subdomains are accepted.

Parse the URL to extract the hostname.

Check if the extracted hostname is in a whitelist of allowed hosts.

Replace the substring check with this new validation method.

public/email/crowdin/translations/id/lp-forex-ebook.html

+              var deriv_cookie_domain = 'deriv.com' // Modify as per your actual usage
+              var CookieStorage = function (cookie_name, cookie_domain = '') {
+                  var hostname = window.location.hostname
+                  var is_deriv_com = hostname.includes('deriv.com')


To fix the problem, we need to ensure that the hostname is properly validated against a whitelist of allowed hosts. This involves parsing the URL to extract the hostname and then checking if it matches any of the allowed hosts. We will use the URL constructor to parse the URL and compare the hostname against a predefined list of allowed hosts.

Parse the URL using the URL constructor to extract the hostname.

Define a whitelist of allowed hosts.

Check if the parsed hostname is in the whitelist.

Update the code to use this secure method for hostname validation.

public/email/crowdin/translations/it/lp-forex-ebook.html

+              var deriv_cookie_domain = 'deriv.com' // Modify as per your actual usage
+              var CookieStorage = function (cookie_name, cookie_domain = '') {
+                  var hostname = window.location.hostname
+                  var is_deriv_com = hostname.includes('deriv.com')


To fix the problem, we need to parse the URL and check the host value against a whitelist of allowed hosts. This ensures that only legitimate subdomains of deriv.com are accepted. We will use the URL constructor to parse the URL and then check the hostname against a predefined list of allowed hosts.

Parse the URL using the URL constructor.

Extract the hostname from the parsed URL.

Check if the hostname is in the list of allowed hosts.

Update the code to use this new check instead of the substring check.

public/email/crowdin/translations/ar/lp-forex-ebook.html

+                    .socketMessageSend(JSON.stringify(data), 'verify_email')
+                    .then(res => {
+                        if (language && language !== 'en') {
+                            window.location.href = `/${language}/verify-email?email=${email}`


To fix the problem, we need to ensure that the email variable is properly encoded before being included in the URL. This can be achieved by using the encodeURIComponent function, which encodes a URI component by replacing each instance of certain characters by one, two, three, or four escape sequences representing the UTF-8 encoding of the character.

Locate the line where the email variable is used in the URL redirection.

Replace the direct usage of email with encodeURIComponent(email) to ensure that any special characters in the email are properly encoded.

public/email/crowdin/translations/ar/lp-forex-ebook.html

+                        if (language && language !== 'en') {
+                            window.location.href = `/${language}/verify-email?email=${email}`
+                        } else {
+                            window.location.href = `/verify-email?email=${email}`


To fix the problem, we need to ensure that the user-provided email is properly encoded before being included in the URL. This can be achieved by using encodeURIComponent to encode the email, which will escape any special characters and prevent XSS attacks.

Locate the line where the URL is constructed with the user-provided email.

Replace the direct inclusion of the email with an encoded version using encodeURIComponent.

Ensure that the fix is applied consistently wherever the email is used in constructing URLs.

public/email/crowdin/translations/bn/lp-forex-ebook.html

+                    .socketMessageSend(JSON.stringify(data), 'verify_email')
+                    .then(res => {
+                        if (language && language !== 'en') {
+                            window.location.href = `/${language}/verify-email?email=${email}`


To fix the problem, we need to ensure that the email variable is properly encoded before being used in the URL. This can be achieved by using the encodeURIComponent function, which encodes special characters in the email address, making it safe to include in a URL.

Locate the line where the email variable is used in the URL construction.

Replace the direct usage of email with encodeURIComponent(email) to ensure that any special characters are properly encoded.

This change should be made in the file public/email/crowdin/translations/bn/lp-forex-ebook.html on line 1578.

public/email/crowdin/translations/bn/lp-forex-ebook.html

+                        if (language && language !== 'en') {
+                            window.location.href = `/${language}/verify-email?email=${email}`
+                        } else {
+                            window.location.href = `/verify-email?email=${email}`


To fix the problem, we need to ensure that the email value is properly encoded before being used in the URL. This can be achieved by using the encodeURIComponent function, which encodes special characters in the email address, making it safe to include in a URL.

Locate the line where the URL is constructed with the email value.

Replace the direct usage of email with encodeURIComponent(email) to ensure the email is properly encoded.

This change should be made in the file public/email/crowdin/translations/bn/lp-forex-ebook.html on line 1580.

public/email/crowdin/translations/de/lp-forex-ebook.html

+                    .socketMessageSend(JSON.stringify(data), 'verify_email')
+                    .then(res => {
+                        if (language && language !== 'en') {
+                            window.location.href = `/${language}/verify-email?email=${email}`


To fix the problem, we need to ensure that the email variable is properly encoded before being used in the URL. This can be achieved by using encodeURIComponent to encode the email variable, which will escape any special characters and prevent XSS attacks.

Locate the line where the email variable is used in the URL.

Replace the direct usage of email with encodeURIComponent(email) to ensure it is properly encoded.

public/email/crowdin/translations/es/lp-forex-ebook.html

+                        if (language && language !== 'en') {
+                            window.location.href = `/${language}/verify-email?email=${email}`
+                        } else {
+                            window.location.href = `/verify-email?email=${email}`


To fix the problem, we need to ensure that the email variable is properly encoded before being used in the URL. This can be achieved by using the encodeURIComponent function, which encodes special characters in the email address, making it safe to include in a URL.

Locate the line where the email variable is used in the URL.

Replace the direct interpolation of email with encodeURIComponent(email) to ensure the email address is safely encoded.

public/email/crowdin/translations/fr/lp-forex-ebook.html

+                    .socketMessageSend(JSON.stringify(data), 'verify_email')
+                    .then(res => {
+                        if (language && language !== 'en') {
+                            window.location.href = `/${language}/verify-email?email=${email}`


To fix the problem, we need to ensure that the email variable is properly encoded before being used in the URL. This can be achieved by using the encodeURIComponent function, which encodes special characters in the email address, making it safe to include in a URL.

Locate the line where the email variable is used in the URL.

Replace the direct usage of email with encodeURIComponent(email) to ensure that the email address is properly encoded.

public/email/crowdin/translations/fr/lp-forex-ebook.html

+                        if (language && language !== 'en') {
+                            window.location.href = `/${language}/verify-email?email=${email}`
+                        } else {
+                            window.location.href = `/verify-email?email=${email}`


To fix the problem, we need to ensure that the email variable is properly encoded before being used in the URL. This can be achieved by using the encodeURIComponent function, which encodes special characters in the email address, making it safe to include in a URL.

Locate the line where the URL is constructed with the email variable.

Replace the direct use of email with encodeURIComponent(email) to ensure that any special characters are properly encoded.

This change should be made in the file public/email/crowdin/translations/fr/lp-forex-ebook.html on line 1580.

public/email/crowdin/translations/id/lp-forex-ebook.html

+                    .socketMessageSend(JSON.stringify(data), 'verify_email')
+                    .then(res => {
+                        if (language && language !== 'en') {
+                            window.location.href = `/${language}/verify-email?email=${email}`


To fix the problem, we need to ensure that the email variable is properly encoded before being used in the URL. This can be achieved by using the encodeURIComponent function, which encodes special characters in the email address, making it safe to include in a URL.

Replace the usage of the email variable in the URL construction with encodeURIComponent(email).

This change should be made on line 1578 and line 1580 to ensure the email is properly encoded in both cases.

public/email/crowdin/translations/id/lp-forex-ebook.html

+                        if (language && language !== 'en') {
+                            window.location.href = `/${language}/verify-email?email=${email}`
+                        } else {
+                            window.location.href = `/verify-email?email=${email}`


To fix the problem, we need to ensure that the user-provided email is properly encoded before being included in the URL. This can be achieved by using the encodeURIComponent function, which encodes special characters in the email, making it safe to include in a URL.

Replace the direct use of the email variable in the URL with an encoded version using encodeURIComponent.

This change should be made on line 1580 where the URL is constructed.

…l (without photos).docx (Uzbek)

…p.docx (Uzbek)

…cuments.docx (Uzbek)

…ved.docx (Uzbek)

…mit documents.docx (Uzbek)

…docx (Uzbek)

…ied.docx (Uzbek)

…cation failed.docx (Uzbek)

…a.docx (Uzbek)

…odation details.docx (Uzbek)

… (Uzbek)

…nts.docx (Uzbek)

…1.docx (Uzbek)

…odation details.docx (Polish)

…odation details.docx (Portuguese)

… (Polish)

… (Portuguese)

…nts.docx (Polish)

…nts.docx (Portuguese)

…1.docx (Polish)

…1.docx (Portuguese)

… (Arabic)

… (German)

… (Italian)

… (Korean)

… (Mongolian)

… (Polish)

… (Portuguese)

github-advanced-security bot found potential problems Nov 21, 2024

View reviewed changes

github-advanced-security bot found potential problems Jan 24, 2025

View reviewed changes

github-advanced-security bot found potential problems Apr 7, 2025

View reviewed changes

ashkan-deriv added 26 commits April 25, 2025 19:02

New translations real-to-deposit-1.html (Chinese Traditional)

10d956f

New translations payment-vietnam.html (Chinese Simplified)

9e8457c

New translations daily_statement.html (Chinese Simplified)

5643bf1

New translations payment-vietnam.html (Chinese Traditional)

8b53b5a

New translations daily_statement.html (Chinese Traditional)

a9371d7

New translations monthly_statement.html (Chinese Simplified)

c0ab5da

New translations monthly_statement.html (Chinese Traditional)

3d0a379

New translations successful-aff.html (Chinese Simplified)

0fe34a8

New translations successful-aff.html (Chinese Traditional)

f0127a7

New translations newsletter-march.html (Chinese Simplified)

27cf0d6

New translations newsletter-march.html (Chinese Traditional)

a87c8b4

New translations ifx-latam.html (Chinese Simplified)

c6deaab

New translations ifx-latam.html (Chinese Traditional)

4cd0bfe

New translations email 10-1 [template] partner email – thank you emai…

683695d

…l (without photos).docx (Uzbek)

New translations email 2-1 [template] partner email – reminder to rsv…

bb1975f

…p.docx (Uzbek)

New translations email 3 [template] partner email – list of travel do…

d98651e

…cuments.docx (Uzbek)

New translations email 4-1 [template] partner email – documents recei…

d2f9f8c

…ved.docx (Uzbek)

New translations email 4-2 [template] partner email – reminder to sub…

ad54f70

…mit documents.docx (Uzbek)

New translations email 5-1 [template] partner email – invite revoked.…

9374f0b

…docx (Uzbek)

New translations email 5-2 [template] partner email – documents verif…

0eaf8de

…ied.docx (Uzbek)

New translations email 5-3 [template] partner email – document verifi…

0cb5765

…cation failed.docx (Uzbek)

New translations email 7 [template] partner email – details and agend…

d513eb8

…a.docx (Uzbek)

New translations email 8&9 [template] partner email – flight & accomm…

009e3db

…odation details.docx (Uzbek)

New translations email t-1 [template] partner email – if rsvp no.docx…

a31f6ac

… (Uzbek)

New translations removal of usdt tether omni - reminder email to clie…

dd56068

…nts.docx (Uzbek)

New translations [template] - deriv affiliate team - seminar - email …

8d51939

…1.docx (Uzbek)

ashkan-deriv added 30 commits April 25, 2025 20:24

New translations email 8&9 [template] partner email – flight & accomm…

2c4fc01

…odation details.docx (Polish)

New translations email 8&9 [template] partner email – flight & accomm…

df84e7b

…odation details.docx (Portuguese)

New translations email t-1 [template] partner email – if rsvp no.docx…

65230e9

… (Polish)

New translations email t-1 [template] partner email – if rsvp no.docx…

b0cd8f4

… (Portuguese)

New translations removal of usdt tether omni - reminder email to clie…

4e547a5

…nts.docx (Polish)

New translations removal of usdt tether omni - reminder email to clie…

677b6ae

…nts.docx (Portuguese)

New translations [template] - deriv affiliate team - seminar - email …

9497b69

…1.docx (Polish)

New translations [template] - deriv affiliate team - seminar - email …

c8b95db

…1.docx (Portuguese)

New translations [template] affiliate email - invite to seminar .docx…

a7a47a3

… (Arabic)

New translations [template] affiliate email - invite to seminar .docx…

df142e7

… (German)

New translations [template] affiliate email - invite to seminar .docx…

0e60628

… (Italian)

New translations [template] affiliate email - invite to seminar .docx…

0355ba5

… (Korean)

New translations [template] affiliate email - invite to seminar .docx…

2906448

… (Mongolian)

New translations [template] affiliate email - invite to seminar .docx…

ea96e7a

… (Polish)

New translations [template] affiliate email - invite to seminar .docx…

49ada28

… (Portuguese)

New translations high-leverage-trading-forex.html (Portuguese)

5cb8256

New translations newsletter-april.html (Portuguese)

eb515af

New translations high-leverage-trading-forex.html (Spanish)

a0de26f

New translations newsletter-april.html (Spanish)

58f8d1e

New translations newsletter-april.html (Spanish)

f678b1e

New translations high-leverage-trading-forex.html (Arabic)

df308df

New translations newsletter-april.html (Arabic)

8c7b41b

New translations newsletter-april.html (Arabic)

16b9f34

New translations newsletter-april.html (Arabic)

73f1e97

New translations newsletter-april.html (Arabic)

383f5ad

New translations partner-dos-donts-new-disclaimer.html (Spanish)

999c46c

New translations high-leverage-trading-forex.html (French)

20fe4d4

New translations newsletter-april.html (French)

ee99855

New translations partner-dos-donts-new-disclaimer.html (Spanish)

87d1758

New translations high-leverage-trading-forex.html (French)

bd490a2

@@ -490,7 +490,7 @@
                           var CookieStorage = function (cookie_name, cookie_domain = '') {
-                              var hostname = window.location.hostname
-                              var is_deriv_com = hostname.includes('deriv.com')
+                              var hostname = new URL(window.location.href).hostname
+                              var allowedHosts = ['deriv.com', 'www.deriv.com']
+                              var is_deriv_com = allowedHosts.includes(hostname)
                               this.initialized = false
                               this.cookie_name = cookie_name
-                              this.domain = is_deriv_com ? deriv_cookie_domain : cookie_domain || hostname
                               this.path = '/'

@@ -490,4 +490,5 @@
                           var CookieStorage = function (cookie_name, cookie_domain = '') {
-                              var hostname = window.location.hostname
-                              var is_deriv_com = hostname.includes('deriv.com')
+                              var hostname = new URL(window.location.href).hostname
+                              var allowedHosts = ['deriv.com', 'www.deriv.com']
+                              var is_deriv_com = allowedHosts.includes(hostname)
                               this.initialized = false

@@ -490,4 +490,5 @@
                           var CookieStorage = function (cookie_name, cookie_domain = '') {
-                              var hostname = window.location.hostname
-                              var is_deriv_com = hostname.includes('deriv.com')
+                              var hostname = new URL(window.location.href).hostname
+                              var allowedHosts = ['deriv.com', 'beta.deriv.com', 'www.deriv.com']
+                              var is_deriv_com = allowedHosts.includes(hostname)
                               this.initialized = false

@@ -490,4 +490,5 @@
                           var CookieStorage = function (cookie_name, cookie_domain = '') {
-                              var hostname = window.location.hostname
-                              var is_deriv_com = hostname.includes('deriv.com')
+                              var hostname = new URL(window.location.href).hostname
+                              var allowedHosts = ['deriv.com', 'www.deriv.com']
+                              var is_deriv_com = allowedHosts.includes(hostname)
                               this.initialized = false

@@ -490,7 +490,7 @@
                           var CookieStorage = function (cookie_name, cookie_domain = '') {
-                              var hostname = window.location.hostname
-                              var is_deriv_com = hostname.includes('deriv.com')
+                              var hostname = new URL(window.location.href).hostname
+                              var allowedHosts = ['deriv.com', 'beta.deriv.com', 'www.deriv.com']
+                              var is_deriv_com = allowedHosts.includes(hostname)
                               this.initialized = false
                               this.cookie_name = cookie_name
-                              this.domain = is_deriv_com ? deriv_cookie_domain : cookie_domain || hostname
                               this.path = '/'

New Crowdin updates #1694

Are you sure you want to change the base?

New Crowdin updates #1694

Conversation

ashkan-deriv commented Apr 4, 2024

github-actions bot commented Apr 22, 2024 • edited Loading

Dependency Review

OpenSSF Scorecard

Scanned Manifest Files

github-advanced-security bot left a comment

Choose a reason for hiding this comment

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

github-actions bot commented Apr 22, 2024 •

edited

Loading