#37191 closed feature request (wontfix)
i18n request: Escaping single and plural form translated text
Reported by: | henry.wright | Owned by: | johnbillion |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 4.5.3 |
Component: | I18N | Keywords: | has-patch |
Focuses: | Cc: |
Description
I noticed there's esc_html_e()
and esc_attr_e()
which can be used in place of _e()
to escape the translated text string.
Can esc_attr_n()
and esc_attr_n()
functions be made to help us escape singular and plural translated text?
Attachments (3)
Change History (12)
#3
@
8 years ago
+1 for this!
Shouldn't we adjust the patch to pass $default
, rather than $default = 'default'
to the _n()
inside the functions?
#6
@
8 years ago
- Milestone changed from Awaiting Review to 4.7
- Owner set to johnbillion
- Status changed from new to reviewing
#7
@
8 years ago
- Milestone 4.7 deleted
- Resolution set to wontfix
- Status changed from reviewing to closed
I was originally in favour of these functions, but after giving it more thought I'm going to close this ticket as wontfix.
The reason is that the return value of the _n
family of functions is almost always used as the $format
parameter in printf()
or sprintf()
due to the fact the functions return the singular or plural form of a string, and therefore almost always contain a %s
placeholder to represent the number. This means if you want to use the return value of _n()
in an HTML attribute, you need to wrap the return value of sprintf()
in esc_attr()
.
This means esc_attr_n()
would never be an appropriate function to use, without also wrapping the resulting text in esc_attr()
after the placeholder replacement.
Here's an example which demonstrates how these functions could inadvertently mask un-escaped input if they were introduced:
$count = $_GET['count'];
printf( esc_html_n( 'Single: %s', 'Plural: %s', $count ), $count );
In the above, it might look at first glance like this text is safely escaped for output, but it's not. The value of $_GET['count']
is not escaped. The correct usage is:
$count = $_GET['count'];
echo esc_html( sprintf( _n( 'Single: %s', 'Plural: %s', $count ), $count ) );
Granted, the same problem affects esc_html__()
too, but that function is often used without placeholders in its text, where it's safe. The _n
functions are almost exclusively used with placeholders in their text.
#8
@
8 years ago
The reason is that the return value of the _n family of functions is almost always used as the $format parameter in printf() or sprintf()
That makes sense. I can't think of a time when I've used the _n fam without sprintf or printf.
37191.diff introduces two new functions:
esc_html_n()
esc_attr_n()
Each just escapes the string returned by
_n()
for safe output.