Opened 6 years ago
Closed 4 weeks ago
#44637 closed defect (bug) (wontfix)
Escape strings in wp-admin/themes.php
| Reported by: | milana_cap | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | has-patch reporter-feedback |
| Focuses: | coding-standards | Cc: | |
Description
A lot of translatable strings are not escaped.
Attachments (1)
Change History (5)
#3 (6 years ago)
Hi @SergeyBiryukov,
Thank you for the prompt reply. I understand the "trusted" aspect and I apologise for re-opening the discussion.
However, being a developer who often looks into core in order to learn best practice, I find it rather frustrating that examples of good escaping are missing. And this is not something trivial; this is an important security matter which developers have nowhere to learn from. DevHub does explain things in theory and has a few examples, but that doesn't cover every situation (like a few strings in this file that I didn't know how to escape and couldn't find examples for anywhere).
If the best practice for WordPress code is not in WordPress core then where should it be?
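The comment above asks where examples of escaping translatable strings can be found. The following is an added example written for this page; it is not code from WordPress core, from `wp-admin/themes.php`, or from the ticket's patch. It assumes the WordPress i18n and escaping API (`__()`, `esc_html__()`, `esc_attr__()`, `esc_url()`, `wp_kses()`) is loaded, passes no text domain (as core strings do), and uses constructed sample strings and a constructed URL. It shows the escaper that matches each output context, which is the question the reporter raises: a plain text node, an attribute, a format string with a dynamic value, and a string that must keep one allowed tag.

```php
<?php
// Added example, not WordPress core code. Assumes the WordPress i18n and
// escaping functions are available (run inside WordPress). Sample strings,
// the theme name and the URL below are constructed for illustration.

// 1. Translated text placed inside an HTML element.
//    Unescaped: whatever the translation contains is emitted as raw HTML.
echo '<h2>' . __( 'Installed Themes' ) . '</h2>';
//    Escaped: esc_html__() translates and HTML-encodes in one call,
//    so angle brackets or ampersands in a translation render as text.
echo '<h2>' . esc_html__( 'Installed Themes' ) . '</h2>';
//    esc_html_e() is the echoing variant of the same thing.
esc_html_e( 'Installed Themes' );

// 2. Translated text placed inside an HTML attribute.
//    Attribute context needs the attribute escaper, not esc_html.
printf(
	'<input type="search" placeholder="%s" />',
	esc_attr__( 'Search installed themes...' )
);

// 3. A translated format string with a dynamic value:
//    escape the translated format and the value, each for its context.
//    '%s' survives esc_html__() unchanged, so printf still works.
$theme_name = 'Twenty <Nineteen>'; // constructed sample value
printf(
	/* translators: %s: theme name */
	esc_html__( 'Activate %s' ),
	esc_html( $theme_name )
);

// 4. A translation that legitimately carries markup (a link).
//    esc_html__() would show the <a> tag literally, so instead allow
//    exactly the intended tag and attribute with wp_kses() and escape
//    the URL separately with esc_url().
$allowed_html = array(
	'a' => array( 'href' => array() ),
);
echo wp_kses(
	sprintf(
		/* translators: %s: URL of the theme directory */
		__( 'Browse the <a href="%s">theme directory</a> for more themes.' ),
		esc_url( 'https://example.com/themes/' ) // constructed URL
	),
	$allowed_html
);
```

The pattern is the same in every case: translate first, then escape for the exact context the string lands in, and escape dynamic values independently of the translated format. For strings that must keep markup, the allow-list passed to `wp_kses()` is deliberately as small as possible.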
#4 (4 weeks ago)
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
I'll close this off because the current approach is that translated strings are considered trusted. If that changes in the future then it'll need a concerted effort to deal with all strings in the codebase.
Hi @milana_cap, thanks for the ticket!
Could you clarify why these strings should be escaped? Core translations are considered safe because we have a review process for them, see #42639 and the discussion in #30724.
Related: #32233