
Difference between Angular Translate's useSanitizeValueStrategy('sanitize') vs. useSanitizeValueStrategy('sanitizeParameters')

I am using angular-translate for localization and I'm a little unclear on the differences between the 'sanitize' and 'sanitizeParameters' strategies for escaping.

I've already checked out the docs but I still don't understand what "sanitize HTML in the translation text" means vs "sanitizes HTML in the values". Is one less secure than the other?

If it is only sanitizing the HTML in the values of the interpolation parameter, is it not thoroughly sanitizing the content? The only difference I can see is that 'sanitizeParameters' will escape HTML when using a filter, while 'sanitize' does not. I can't use the 'sanitize' strategy because of the utf8 issue addressed here, so I want to make sure using 'sanitizeParameters' is a secure strategy.

sozenone Avatar asked Jan 29 '16 17:01



1 Answer

I took a look directly in the official angular source file 'angular-translate.js' and determined the following:

  • sanitize -> Sanitizes the complete translation including all parameters
  • sanitizeParameters -> Sanitizes only the parameters

The same logic applies for both escape and escapeParameters.

Note: Strategies can be combined, i.e.

$translateProvider.useSanitizeValueStrategy(['sanitize', 'escapeParameters']);

Joe King Avatar answered Sep 18 '22 16:09
