Opened 2 years ago
Last modified 4 weeks ago
#57049 new defect (bug)
Make the use (or non-use) of `esc_url()` more consistent for translated URLs
Reported by: | desrosj | Owned by: | |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | I18N | Keywords: | 2nd-opinion |
Focuses: | Cc: |
Description
There are currently 122 instances of __( 'https://
in Core (excluding those within bundled themes). Of those, 24 are passed through esc_url()
.
The general rule is that default translations representing Core are considered trusted. Following that rule, unfiltered URLs that are translated don't need to be passed through esc_url()
, though it's unclear if URLs should be considered an exception.
This should be clarified in the handbook (I couldn't find where "core translations are trusted" is detailed) and made consistent across the code base.
Change History (3)
This ticket was mentioned in Slack in #core-test by ironprogrammer. View the logs.
2 years ago
#3
@
4 weeks ago
- Milestone changed from Awaiting Review to Future Release
What is the process for, and who decides if a translation is safe?
Does the translation submission and/or approval process involve sanitizing URLs?
The translation system (powered by GlotPress) has some basic validation in place for things like markup or URLs.
Translators are implicitly trusted to not put any malicious things into their translations. make/polyglots have a hierarchy system of translators (GTEs, PTEs, etc.).
This should be clarified in the handbook (I couldn't find where "core translations are trusted" is detailed) and made consistent across the code base.
+1
Thanks for the report and suggestion to clarify documentation, @desrosj!
During test triage, the following questions came up that are pertinent to this discussion, and may contribute toward eventual handbook updates:
Adding
2nd-opinion
to help move this discussion forward.