From 0f9a0e8fb311f3a796b7590b935dae2e372dc1e8 Mon Sep 17 00:00:00 2001
From: Asher <ash@coder.com>
Date: Wed, 16 Jul 2025 18:07:27 -0800
Subject: [PATCH] Revert escaping for i18n strings

Looks like the library already escapes, so we were getting double
escaping.
---
 src/node/routes/login.ts | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/src/node/routes/login.ts b/src/node/routes/login.ts
index 511d48174..7a8bb5134 100644
--- a/src/node/routes/login.ts
+++ b/src/node/routes/login.ts
@@ -31,7 +31,7 @@ const getRoot = async (req: Request, error?: Error): Promise<string> => {
   const locale = req.args["locale"] || "en"
   i18n.changeLanguage(locale)
   const appName = req.args["app-name"] || "code-server"
-  const welcomeText = escapeHtml(req.args["welcome-text"] || (i18n.t("WELCOME", { app: appName }) as string))
+  const welcomeText = req.args["welcome-text"] || (i18n.t("WELCOME", { app: appName }) as string)
 
   // Determine password message using i18n
   let passwordMsg = i18n.t("LOGIN_PASSWORD", { configFile: req.args.config })
@@ -40,23 +40,16 @@ const getRoot = async (req: Request, error?: Error): Promise<string> => {
   } else if (req.args.usingEnvHashedPassword) {
     passwordMsg = i18n.t("LOGIN_USING_HASHED_PASSWORD")
   }
-  passwordMsg = escapeHtml(passwordMsg)
-
-  // Get messages from i18n (with HTML escaping for security)
-  const loginTitle = escapeHtml(i18n.t("LOGIN_TITLE", { app: appName }))
-  const loginBelow = escapeHtml(i18n.t("LOGIN_BELOW"))
-  const passwordPlaceholder = escapeHtml(i18n.t("PASSWORD_PLACEHOLDER"))
-  const submitText = escapeHtml(i18n.t("SUBMIT"))
 
   return replaceTemplates(
     req,
     content
-      .replace(/{{I18N_LOGIN_TITLE}}/g, loginTitle)
+      .replace(/{{I18N_LOGIN_TITLE}}/g, i18n.t("LOGIN_TITLE", { app: appName }))
       .replace(/{{WELCOME_TEXT}}/g, welcomeText)
       .replace(/{{PASSWORD_MSG}}/g, passwordMsg)
-      .replace(/{{I18N_LOGIN_BELOW}}/g, loginBelow)
-      .replace(/{{I18N_PASSWORD_PLACEHOLDER}}/g, passwordPlaceholder)
-      .replace(/{{I18N_SUBMIT}}/g, submitText)
+      .replace(/{{I18N_LOGIN_BELOW}}/g, i18n.t("LOGIN_BELOW"))
+      .replace(/{{I18N_PASSWORD_PLACEHOLDER}}/g, i18n.t("PASSWORD_PLACEHOLDER"))
+      .replace(/{{I18N_SUBMIT}}/g, i18n.t("SUBMIT"))
       .replace(/{{ERROR}}/, error ? `<div class="error">${escapeHtml(error.message)}</div>` : ""),
   )
 }