Make WordPress Core

Opened 17 months ago

Last modified 17 months ago

#57049 new defect (bug)

Make the use (or non-use) of `esc_url()` more consistent for translated URLs

Reported by: desrosj's profile desrosj Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: I18N Keywords: 2nd-opinion
Focuses: Cc:


There are currently 122 instances of __( 'https:// in Core (excluding those within bundled themes). Of those, 24 are passed through esc_url().

The general rule is that default translations representing Core are considered trusted. Following that rule, unfiltered URLs that are translated don't need to be passed through esc_url(), though it's unclear if URLs should be considered an exception.

This should be clarified in the handbook (I couldn't find where "core translations are trusted" is detailed) and made consistent across the code base.

Change History (2)

This ticket was mentioned in Slack in #core-test by ironprogrammer. View the logs.

17 months ago

#2 @ironprogrammer
17 months ago

  • Component changed from General to I18N
  • Keywords 2nd-opinion added

Thanks for the report and suggestion to clarify documentation, @desrosj!

During test triage, the following questions came up that are pertinent to this discussion, and may contribute toward eventual handbook updates:

  • What is the process for, and who decides if a translation is safe?
  • Does the translation submission and/or approval process involve sanitizing URLs?

Adding 2nd-opinion to help move this discussion forward.

Note: See TracTickets for help on using tickets.