#30724 closed defect (bug) (fixed)
Twenty Fifteen: Unnecessary use of esc_html()
| Reported by: | ocean90 | Owned by: | johnbillion |
|---|---|---|---|
| Milestone: | 4.1 | Priority: | high |
| Severity: | normal | Version: | |
| Component: | Bundled Theme | Keywords: | has-patch commit fixed-major |
| Focuses: | | Cc: | |
Description
Since #30651 I had the attached patch on my disk but never created a ticket, until now. Will do a refresh in the next hours.
Attachments (2)
Change History (30)
#9 (TomasM), 10 years ago
Is there any clear guidance for theme developers on when to use escaping?
I follow the development of _s and the default WP themes to make my themes better, and recently in Twenty Fifteen and _s escaping was promoted. Now, when I have applied those changes to my theme, I will have to revert :-/
Is there any harm for having escaping in place?
#10 (ocean90), 10 years ago (in reply to #8; follow-up: #11)
Replying to adamsilverstein:
@ocean90: I'm curious about your removal of escaping from translations - can you briefly explain/point me to the logic?
That's simple. If we don't trust translations anymore we should do it directly in the function: `function __() { return esc_html(…`.
Replying to TomasM:
I follow the development of _s and the default WP themes to make my themes better, and recently in Twenty Fifteen and _s escaping was promoted. Now, when I have applied those changes to my theme, I will have to revert :-/
That over-escaping seems to come from .com, which is something I (and nacin, I talked with him before this ticket) don't want to support, especially not for a default theme where we have a type of review process for translations.
Is there any harm for having escaping in place?
No harm.
BTW: Twenty Fifteen wasn't even consistent with this.
#11, 10 years ago (in reply to #10)
Thanks for the clarification, much appreciated. [edited for brevity]
#12 (sboisvert), 10 years ago (follow-up: #13)
One problem with not escaping translations is that some plugins that filter translations allow end users to push translations from the back end.
Depending on where these go they can break the markup because characters are not escaped properly, and the end users doing the translations won't understand what broke.
This doesn't even take into account that you may not be able to trust the end users doing the translations.
I feel that escaping protects against user error and potentially malicious users, especially with translation plugins, with little cost / few negative repercussions.
Thanks!
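As an added example, not code from the ticket, from WordPress core or from the Twenty Fifteen theme, the following stand-alone PHP script shows the two cases argued over in this thread (the filtered, untrusted translation in this comment and the "unexpected characters in another language" case raised later in comment #27): a translation that arrives through a filter, or simply one containing an apostrophe, is emitted raw by the `__()` path and only becomes inert text when the theme escapes it at output. The `CATALOG` table, the filter callback, the `translate()` / `translate_escaped()` helpers and the single-quoted template fragment are assumptions standing in for the loaded `.mo` catalog, a `gettext` filter, `__()` / `esc_html__()` / `esc_attr__()` and a theme template, so that the file runs with plain `php` and no WordPress install.

```php
<?php
// Added illustration, not code from WordPress or the Twenty Fifteen theme.
// translate(), translate_escaped(), CATALOG and $gettext_filters are
// stand-ins (assumptions) for __(), esc_html__()/esc_attr__(), the loaded
// .mo catalog and the 'gettext' filter. Real esc_html() also repairs
// invalid UTF-8 and handles pre-existing entities; htmlspecialchars() is
// used here only to show where escaping changes the rendered markup.
declare(strict_types=1);

/** Constructed catalog: original string => translation. */
const CATALOG = [
    'Read more'       => "Lire l'article",   // legitimate French, contains an apostrophe
    'Skip to content' => 'Aller au contenu',
];

/**
 * Constructed list of 'gettext'-style filters. A translation-editing plugin
 * that lets back-end users override strings would hook in here; the callback
 * below stands in for an override typed by such a user.
 */
$gettext_filters = [
    function (string $translation, string $text): string {
        if ($text === 'Skip to content') {
            return '<img src=x onerror="alert(1)">Aller au contenu';
        }
        return $translation;
    },
];

/** Stand-in for __(): catalog lookup, then filters; nothing is escaped. */
function translate(string $text, array $filters): string
{
    $translation = CATALOG[$text] ?? $text;
    foreach ($filters as $filter) {
        $translation = $filter($translation, $text);
    }
    return $translation;
}

/** Stand-in for esc_html__() / esc_attr__(): translate, then escape for HTML. */
function translate_escaped(string $text, array $filters): string
{
    return htmlspecialchars(translate($text, $filters), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * A template fragment the way a theme might write it: one translated string in
 * text context and one in an attribute. The attribute is single-quoted on
 * purpose so the apostrophe case is visible.
 */
function render_skip_link(string $label, string $title): string
{
    return "<a class='skip-link' href='#content' title='$title'>$label</a>";
}

// Unescaped, as with echo __( 'Skip to content', 'twentyfifteen' ):
// the filtered translation lands in the page as live markup, and the
// apostrophe in the French title closes the attribute early.
$unescaped = render_skip_link(
    translate('Skip to content', $gettext_filters),
    translate('Read more', $gettext_filters)
);

// Escaped, as with echo esc_html__( ... ) and esc_attr__( ... ):
// the same strings render as inert text.
$escaped = render_skip_link(
    translate_escaped('Skip to content', $gettext_filters),
    translate_escaped('Read more', $gettext_filters)
);

echo "Unescaped:\n$unescaped\n\nEscaped:\n$escaped\n";
```

Run it with `php example.php`: the first `<a>` carries an injected `<img>` and a truncated `title`, the second renders `&lt;img …&gt;` as text and `l&#039;article` inside an intact attribute. Whether a theme should pay for that protection on every string, or rely on the translation review process as ocean90 argues, is exactly the question the ticket leaves to core.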
#13, 10 years ago (in reply to #12)
Replying to sboisvert:
This doesn't even take under account that you may not be able to trust the end users doing the translations.
Translations are inherently trusted. The `__()` family of functions is used thousands of times and they don't escape output. If we're not trusting translations then we have a big problem.
#14, 10 years ago
- Owner changed from ocean90 to johnbillion
- Status changed from accepted to assigned
#15, 10 years ago
I support all changes here. What `_s` does has been dictated by Automattic's zealous escaping rules for VIPs and http://theme.wordpress.com/join/. It is not dictated by general best practices.
This ticket was mentioned in Slack in #core-themes by ocean90, 9 years ago.
This ticket was mentioned in Slack in #core-themes by philip, 9 years ago.
This ticket was mentioned in Slack in #themereview by emiluzelac, 9 years ago.
This ticket was mentioned in Slack in #themereview by rabmalin, 9 years ago.
This ticket was mentioned in Slack in #themereview by rabmalin, 8 years ago.
This ticket was mentioned in Slack in #themereview by rabmalin, 8 years ago.
This ticket was mentioned in Slack in #themereview by greenshady, 8 years ago.
This ticket was mentioned in Slack in #themereview by emiluzelac, 6 years ago.
#27, 5 years ago
There is a case for arguing that, while we can trust the translation system to not do bad things, other languages may contain entities that we do not expect to be there and as such escaping them is still a valuable thing.
In 30896: