This repository has been archived by the owner on Apr 17, 2019. It is now read-only.

Allow class attribute for tags within translations. #117

Open
wants to merge 1 commit into
base: master

Conversation


@poscar poscar commented Mar 23, 2016

This adds 'class' attribute to be used in tags within translations.

One useful use case allowed by this change is to be able to specify Font Awesome icons within a string. This is done by just inserting within the string in the l20n file.

This pull request is against master; there was previous discussion to allow this feature in pull request #111.

@poscar
Author

poscar commented Apr 21, 2016

@stasm Any chance of merging this one?

@zbraniecki
Member

I'm still torn about this proposal. It opens up a new attack vector where a localization file may include a localizable element into a selector that gets bound to an action, which is scary.

For example, imagine code that does $(".remove-all").click(doRemoveEverything); and then a localizer assigns the remove-all class to an element with the label Do Nothing.

That's scary.

@poscar
Copy link
Author

poscar commented Aug 15, 2016

Don't think this counts as an attack vector. This sounds more like a bug introduced by the localizer (specifying a remove-all class on a 'Do Nothing' label).

We must assume localizers writing l20n files are trusted, just like the developers writing JavaScript.

I'd say l20n files and js files are in the same trust scope. Both malicious js and malicious l20n can cause damage.
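
One way to narrow the concern raised in this thread, as an added example that is not part of the pull request or of l20n's code: keep `class` on translated elements but accept only tokens from a presentational namespace, so a class supplied in a localization file cannot match a selector the application binds to an action. The tag and attribute allowlists, the `fa` prefix rule, the function names and the sample strings are assumptions constructed for this example.

```javascript
// Constructed policy for illustration; not l20n's actual allowlist.
const ALLOWED_TAGS = new Set(['a', 'em', 'strong', 'i', 'span']);
const ALLOWED_ATTRS = new Set(['title', 'class']);
// Class tokens must sit in a namespace reserved for presentation
// (Font Awesome here), so behaviour hooks like "remove-all" never survive.
const SAFE_CLASS = /^fa(-[a-z0-9]+)*$/;

const escapeAngles = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Rebuild the attribute list from scratch; only double-quoted name="value"
// pairs are recognised, everything else is dropped.
function filterAttrs(rawAttrs) {
  const kept = [];
  for (const [, rawName, rawValue] of rawAttrs.matchAll(/([a-zA-Z-]+)\s*=\s*"([^"]*)"/g)) {
    const name = rawName.toLowerCase();
    if (!ALLOWED_ATTRS.has(name)) continue;
    let value = rawValue;
    if (name === 'class') {
      value = value.split(/\s+/).filter((t) => SAFE_CLASS.test(t)).join(' ');
      if (!value) continue; // no safe token left: drop the attribute entirely
    }
    kept.push(`${name}="${value}"`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

// Re-emit allowed tags with filtered attributes; neutralise everything else.
function sanitizeTranslation(str) {
  const tagOrBracket = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>|[<>]/g;
  return str.replace(tagOrBracket, (whole, slash, tag, attrs) => {
    if (!tag || !ALLOWED_TAGS.has(tag.toLowerCase())) return escapeAngles(whole);
    const name = tag.toLowerCase();
    return slash ? `</${name}>` : `<${name}${filterAttrs(attrs)}>`;
  });
}

// Constructed translation values, as they might appear in a localization file.
const samples = [
  '<i class="fa fa-trash"></i> Delete',
  '<span class="remove-all">Do Nothing</span>',
  '<span class="fa-lg remove-all" onclick="x()">Hi</span>',
];
for (const s of samples) console.log(sanitizeTranslation(s));
```
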
