Make WordPress Core

Opened 9 months ago

Closed 9 months ago

Last modified 9 months ago

#61065 closed enhancement (wontfix)

Ensure URLs are not translated to maintain security and accuracy in localization

Reported by: akshay.shah5189 Owned by:
Milestone: Priority: normal
Severity: normal Version: 6.5
Component: I18N Keywords:
Focuses: Cc:

Description

While reviewing various parts of the WordPress code and community-contributed themes/plugins, I have noticed instances where URLs are passed into translation functions such as (). This practice can lead to several issues:

Localization Problems: URLs should remain constant across all languages. Translating them could lead to broken links if translators inadvertently change the URL structure.
Security Concerns: Translating URLs might expose the site to manipulation if the translation files are compromised.
Performance Overhead: Including URLs in translatable strings increases the complexity and size of translation files unnecessarily.

Recently, I found this in wp-admin/credits.php at line 48.

The code below is mentioned there:

<p>
	<?php
	printf(
		/* translators: 1: https://wordpress.org/about/ */
		__( 'WordPress is created by a <a href="%1$s">worldwide team</a> of passionate individuals.' ),
		__( 'https://wordpress.org/about/' )
	);
	?>
	<br />
	<a href="<?php echo esc_url( __( 'https://make.wordpress.org/contribute/' ) ); ?>"><?php _e( 'Get involved in WordPress.' ); ?></a>
</p>

According to me, the right code is as below:

<p>
    <?php
    printf(
        __( 'WordPress is created by a <a href="%s">worldwide team</a> of passionate individuals.' ),
        esc_url( 'https://wordpress.org/about/' )
    );
    ?>
    <br />
    <a href="<?php echo esc_url( 'https://make.wordpress.org/contribute/' ); ?>"><?php _e( 'Get involved in WordPress.' ); ?></a>
</p>

Change History (2)

#1 @swissspidy
9 months ago

  • Keywords i18n security urls translation removed
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Hi there and welcome to WordPress Trac!

The reason all of these URLs are translatable is because these pages are available in many different locales.

For example, the de_DE version of https://wordpress.org/about/ can be found at https://de.wordpress.org/about/.

It's important for de_DE users to have links to de_DE pages, not just the default en_US page.

> Localization Problems: URLs should remain constant across all languages. Translating them could lead to broken links if translators inadvertently change the URL structure.

As per my example above, URLs can and will be different depending on the locale, that's why they need to be translatable.

> Security Concerns: Translating URLs might expose the site to manipulation if the translation files are compromised.

If your files are compromised then you have bigger problems, as a malicious actor could just change any of the translated strings.

WordPress trusts translations coming from translate.wordpress.org, which is why translations are not escaped or anything. It also trusts translators to put in the correct URLs when translating those.

> Performance Overhead: Including URLs in translatable strings increases the complexity and size of translation files unnecessarily.

There is really no overhead because of a few more translatable strings. It does not make a difference.
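As an added example that is not part of this ticket or of WordPress core, the plain-PHP sketch below (PHP 8, a constructed translation catalog, and hypothetical translate()/is_allowed_url()/localized_url() helpers standing in for __()) keeps the per-locale URLs described above while checking that a translated link still points at wordpress.org, and falls back to the canonical URL when a catalog entry fails that check:

```php
<?php
// Added example, not WordPress core code. Demonstrates keeping locale-specific
// URLs (de.wordpress.org for de_DE) while not blindly trusting the catalog value.
declare(strict_types=1);

// Constructed translation catalog: locale => [ original string => translated string ].
// The fr_FR entry simulates a tampered translation file pointing off-site.
const CATALOG = [
    'de_DE' => [ 'https://wordpress.org/about/' => 'https://de.wordpress.org/about/' ],
    'fr_FR' => [ 'https://wordpress.org/about/' => 'https://tampered.example/about/' ],
];

// Hypothetical lookup analogous to __(): translated string, or the original if none.
function translate(string $text, string $locale): string
{
    return CATALOG[$locale][$text] ?? $text;
}

// True only for an absolute https URL on wordpress.org or one of its subdomains.
// This is a demo allowlist; esc_url() alone checks the scheme, not the host.
function is_allowed_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return false;
    }
    $host = strtolower($parts['host']);
    return $host === 'wordpress.org' || str_ends_with($host, '.wordpress.org');
}

// Resolve the localized URL; fall back to the canonical URL if the translation fails the check.
function localized_url(string $canonical, string $locale): string
{
    $translated = translate($canonical, $locale);
    return is_allowed_url($translated) ? $translated : $canonical;
}

// Demo: en_US keeps the canonical page, de_DE gets its localized page,
// fr_FR (tampered entry) falls back to the canonical page.
foreach (['en_US', 'de_DE', 'fr_FR'] as $locale) {
    $url = localized_url('https://wordpress.org/about/', $locale);
    printf("%s => %s\n", $locale, htmlspecialchars($url, ENT_QUOTES));
}
```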

#2 @akshay.shah5189
9 months ago

Hey @swissspidy

Thank you for the detailed explanation and warm welcome to WordPress Trac!

I appreciate the insights on localizing URLs to ensure users are directed to the appropriate localized pages. It makes sense that each locale might have specific versions of a page, and maintaining these distinctions in translations is crucial.

I understand that the performance impact of translating a few URLs is minimal. I appreciate you clarifying this point.

I’m looking forward to learning more and contributing further to the WordPress community. Thank you for taking the time to address my concerns.
