Make WordPress Core

Opened 2 years ago

Last modified 4 weeks ago

#57049 new defect (bug)

Make the use (or non-use) of `esc_url()` more consistent for translated URLs

Reported by: desrosj's profile desrosj Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: I18N Keywords: 2nd-opinion
Focuses: Cc:

Description

There are currently 122 instances of __( 'https:// in Core (excluding those within bundled themes). Of those, 24 are passed through esc_url().

The general rule is that default translations representing Core are considered trusted. Following that rule, unfiltered URLs that are translated don't need to be passed through esc_url(), though it's unclear if URLs should be considered an exception.

This should be clarified in the handbook (I couldn't find where "core translations are trusted" is detailed) and made consistent across the code base.

Change History (3)

This ticket was mentioned in Slack in #core-test by ironprogrammer. View the logs.


2 years ago

#2 @ironprogrammer
2 years ago

  • Component changed from General to I18N
  • Keywords 2nd-opinion added

Thanks for the report and suggestion to clarify documentation, @desrosj!

During test triage, the following questions came up that are pertinent to this discussion, and may contribute toward eventual handbook updates:

  • What is the process for, and who decides if a translation is safe?
  • Does the translation submission and/or approval process involve sanitizing URLs?

Adding 2nd-opinion to help move this discussion forward.

#3 @swissspidy
4 weeks ago

  • Milestone changed from Awaiting Review to Future Release

What is the process for, and who decides if a translation is safe?
Does the translation submission and/or approval process involve sanitizing URLs?

The translation system (powered by GlotPress) has some basic validation in place for things like markup or URLs.

Translators are implicitly trusted to not put any malicious things into their translations. make/polyglots have a hierarchy system of translators (GTEs, PTEs, etc.).

This should be clarified in the handbook (I couldn't find where "core translations are trusted" is detailed) and made consistent across the code base.

+1

Note: See TracTickets for help on using tickets.