[wp-trac] [WordPress Trac] #32233: Improve escaping in /wp-admin/includes/template.php

WordPress Trac noreply at wordpress.org
Sat May 2 17:12:24 UTC 2015


#32233: Improve escaping in /wp-admin/includes/template.php
-------------------------------------+------------------------------
 Reporter:  McGuive7                 |       Owner:
     Type:  defect (bug)             |      Status:  new
 Priority:  normal                   |   Milestone:  Awaiting Review
Component:  Administration           |     Version:  trunk
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-testing  |     Focuses:  administration
-------------------------------------+------------------------------

Comment (by McGuive7):

 Aha, I see that I was incorrectly using `esc_html_e()` for variables, when
 it is indeed a gettext function. I can fix that for sure.

 On another point, I'm confused. You say that `esc_html_e()` should only be
 used for translatable strings, and then you go on to say translations
 should be considered safe - which to me means that they don't need
 escaping. If they are safe, and never need escaping, then why does a
 function like `esc_html__()` or `esc_html_e()` exist? Can you clarify on
 this one?

 I've actually had quite a bit of general confusion on what to escape and
 what not to escape. Up until recently, I had assumed that there was no
 need to escape translations, as the translator should ensure that they are
 safe, right? But then I recently received a PR on one of my projects
 stating the following as a reason for escaping translations:

 > In this case there might be code injections in translation files. There
 are some plugins that allow you to translate in-plugin text directly from
 WP admin and so on. You can't rely on what might happen and what new ways
 of translation or code injections might come up.

 Additionally, when I dig into WP core, there are plenty of examples of
 escaping translatable strings using `esc_html_e()` and `esc_attr_e()`.
 That said, I've also come across many instances in which translatable
 strings aren't escaped - here are a few examples:

 '''/wp-admin/custom-header.php''' (extra odd because it includes markup)
 {{{
 echo __( '<strong>Random:</strong> Show a different image on each page.' );
 }}}

 '''/wp-admin/network/users.php'''
 {{{
 echo __( 'Attribute all content to:' )
 }}}

 '''/wp-admin/includes/class-wp-posts-list-table.php'''
 {{{
 echo __( '–OR–' );
 }}}

 Additionally, this thread on the _s repo seems to indicate that
 translatable strings are ''not'' always safe, as plugins can allow users
 to include potentially malicious translations:
 [https://github.com/Automattic/_s/issues/231]

 Anyhow, thanks for the feedback - any further clarification would be
 awesome. Thanks!

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32233#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
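Added example (not code from the ticket or from WordPress core) illustrating the point under discussion: the same translated string rendered the way `echo __( ... )` does and the way `echo esc_html__( ... )` does. It runs outside WordPress, so a constructed translation table stands in for a loaded translation file, and `translate_stub()` and `esc_html_stub()` are simplified stand-ins for `__()` and `esc_html()`.

```php
<?php
// Added example; runs without WordPress. translate_stub() and esc_html_stub()
// are stand-ins for __() and esc_html(), not the core functions themselves.

// Constructed translation table standing in for a loaded .mo file.
// The second entry shows what a tampered or plugin-edited translation
// could contain: markup the original msgid never had.
$translations = [
    'Attribute all content to:' => 'Attribuer tout le contenu à :',
    'Random:'                   => '<script>alert(1)</script>Random:',
];

// Like __(): return the translation if one exists, otherwise the source string.
function translate_stub(string $text, array $table): string {
    return $table[$text] ?? $text;
}

// Like esc_html(): encode &, <, >, " and ' so the string is inert as HTML text
// (same htmlspecialchars() call core uses: ENT_QUOTES, UTF-8, no double-encoding).
function esc_html_stub(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// As in `echo __( ... )`: whatever the translation contains becomes markup.
function render_unescaped(string $text, array $table): string {
    return '<p>' . translate_stub($text, $table) . '</p>';
}

// As in `echo esc_html__( ... )`: the same translation is rendered as literal text.
function render_escaped(string $text, array $table): string {
    return '<p>' . esc_html_stub(translate_stub($text, $table)) . '</p>';
}

foreach (array_keys($translations) as $msgid) {
    echo "unescaped: ", render_unescaped($msgid, $translations), "\n";
    echo "escaped:   ", render_escaped($msgid, $translations), "\n";
}

// Review check: an escaped translation must contribute no tags of its own.
$escaped = esc_html_stub(translate_stub('Random:', $translations));
assert(strip_tags($escaped) === $escaped);
```

Note that where the source string itself carries markup, as in the `custom-header.php` example above, `esc_html__()` encodes the intended `<strong>` tags too, which is why escaping translations with markup needs a different approach than plain `esc_html__()`.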