Opened 22 months ago
Last modified 22 months ago
#57049 new defect (bug)
Make the use (or non-use) of `esc_url()` more consistent for translated URLs
Reported by: | desrosj | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | I18N | Keywords: | 2nd-opinion |
Focuses: | | Cc: | |
Description
There are currently 122 instances of `__( 'https://` in Core (excluding those within bundled themes). Of those, 24 are passed through `esc_url()`.
The general rule is that default translations representing Core are considered trusted. Following that rule, unfiltered URLs that are translated don't need to be passed through `esc_url()`, though it's unclear if URLs should be considered an exception.
This should be clarified in the handbook (I couldn't find where "core translations are trusted" is detailed) and made consistent across the code base.
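Added example (not part of the ticket or of WordPress tooling): a Python audit that reproduces this kind of count over PHP source, listing each `__( 'https://…' )` literal and whether `esc_url()` wraps it directly. The function names and the sample PHP are constructed for illustration; a URL that is escaped later through an intermediate variable is reported as not directly wrapped.

```python
import re
from typing import NamedTuple

# Matches __( 'https://...' ) or __( "http://..." ), optionally preceded by
# esc_url( . The (?<!\w) guard skips esc_html__(), esc_attr__() and similar.
TRANSLATED_URL = re.compile(
    r"""(?P<esc>\besc_url\(\s*)?(?<!\w)__\(\s*(?P<q>['"])(?P<url>https?://[^'"]*)(?P=q)"""
)

class Finding(NamedTuple):
    line: int
    url: str
    escaped: bool

def audit_translated_urls(php_source: str) -> list[Finding]:
    """Return every translated URL literal and whether esc_url() wraps it directly."""
    findings = []
    for m in TRANSLATED_URL.finditer(php_source):
        line = php_source.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, m.group("url"), m.group("esc") is not None))
    return findings

def summarize(findings: list[Finding]) -> tuple[int, int]:
    """Return (total translated URLs, how many are directly wrapped in esc_url())."""
    return len(findings), sum(f.escaped for f in findings)

# Constructed sample input (not taken from WordPress core).
SAMPLE_PHP = """<?php
printf( '<a href="%s">', esc_url( __( 'https://example.org/support/' ) ) );
printf( '<a href="%s">', __( 'https://example.org/docs/' ) );
$help = __( "https://example.org/help/" );
echo esc_url( $help ); // escaped later: reported as not directly wrapped
echo esc_html__( 'https://example.org/label/' );
"""

if __name__ == "__main__":
    results = audit_translated_urls(SAMPLE_PHP)
    for f in results:
        print(f"line {f.line}: {f.url} -> {'esc_url()' if f.escaped else 'unescaped'}")
    total, escaped = summarize(results)
    print(f"{escaped} of {total} translated URLs are passed through esc_url()")
```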
Change History (2)
Thanks for the report and suggestion to clarify documentation, @desrosj!
During test triage, the following questions came up that are pertinent to this discussion, and may contribute toward eventual handbook updates:
Adding `2nd-opinion` to help move this discussion forward.