[wp-trac] [WordPress Trac] #37191: i18n request: Escaping single and plural form translated text

WordPress Trac noreply at wordpress.org
Fri Aug 26 17:36:43 UTC 2016


#37191: i18n request: Escaping single and plural form translated text
-----------------------------+--------------------------
 Reporter:  henry.wright     |       Owner:  johnbillion
     Type:  feature request  |      Status:  closed
 Priority:  normal           |   Milestone:
Component:  I18N             |     Version:  4.5.3
 Severity:  normal           |  Resolution:  wontfix
 Keywords:  has-patch        |     Focuses:
-----------------------------+--------------------------
Changes (by johnbillion):

 * status:  reviewing => closed
 * resolution:   => wontfix
 * milestone:  4.7 =>


Comment:

 I was originally in favour of these functions, but after giving it more
 thought I'm going to close this ticket as wontfix.

 The reason is that the return value of the `_n` family of functions is
 almost always used as the `$format` parameter in `printf()` or `sprintf()`,
 due to the fact that the functions return the singular or plural form of a
 string, and therefore almost always contain a `%s` placeholder to
 represent the number. This means if you want to use the return value of
 `_n()` in an HTML attribute, you need to wrap the return value of
 `sprintf()` in `esc_attr()`.

 This means `esc_attr_n()` would never be an appropriate function to use,
 without also wrapping the resulting text in `esc_attr()` after the
 placeholder replacement.

 Here's an example which demonstrates how these functions could
 inadvertently mask un-escaped input if they were introduced:

 {{{#!php
 $count = $_GET['count'];
 printf( esc_html_n( 'Single: %s', 'Plural: %s', $count ), $count );
 }}}

 In the above, it might look at first glance like this text is safely
 escaped for output, but it's not. The value of `$_GET['count']` is not
 escaped. The correct usage is:

 {{{#!php
 $count = $_GET['count'];
 echo esc_html( sprintf( _n( 'Single: %s', 'Plural: %s', $count ), $count ) );
 }}}

 Granted, the same problem affects `esc_html__()` too, but that function is
 often used without placeholders in its text, where it's safe. The `_n`
 functions are almost exclusively used with placeholders in their text.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37191#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
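The escaping-order problem the comment describes, as an added example that is not part of the ticket or of WordPress core. The `_n()` and `esc_html()` definitions below are simplified stand-ins so the script runs outside WordPress (the real `esc_html()` also normalises entities and applies a filter; the real `_n()` consults the loaded translation); `esc_html_n()` is the hypothetical helper the ticket asked for and that was never shipped. The `$count` value is a constructed attacker input standing in for `$_GET['count']`.

```php
<?php
// Stand-ins for the WordPress functions involved (assumptions, not core code).
// Like core, _n() returns the untranslated format string without escaping it.
function _n( $single, $plural, $number ) {
    return ( 1 === (int) $number ) ? $single : $plural;
}
function esc_html( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}
// The proposed (and rejected) helper: it can only escape the format string,
// because the placeholder has not been filled in yet when it runs.
function esc_html_n( $single, $plural, $number ) {
    return esc_html( _n( $single, $plural, $number ) );
}

// Constructed untrusted input standing in for $_GET['count'].
$count = '<img src=x onerror=alert(1)>';

// 1. Looks escaped, is not: esc_html_n() escaped 'Plural: %s', which contains
//    nothing dangerous, and sprintf() then substituted the raw input.
$bad = sprintf( esc_html_n( 'Single: %s', 'Plural: %s', $count ), $count );

// 2. The usage the comment recommends: fill the placeholder first, then
//    escape the complete string once, at the point of output.
$good = esc_html( sprintf( _n( 'Single: %s', 'Plural: %s', $count ), $count ) );

// 3. Also acceptable when the format string itself is trusted: escape each
//    untrusted argument before substitution.
$also_good = sprintf( _n( 'Single: %s', 'Plural: %s', $count ), esc_html( $count ) );

// A minimal check a reviewer could run over such output: no raw angle
// brackets may survive in text destined for HTML.
function has_raw_markup( $html ) {
    return false !== strpos( $html, '<' ) || false !== strpos( $html, '>' );
}

echo 'bad:       ', $bad, "\n";
echo 'good:      ', $good, "\n";
echo 'also good: ', $also_good, "\n";
var_dump( has_raw_markup( $bad ) );        // bool(true)  -> injected tag intact
var_dump( has_raw_markup( $good ) );       // bool(false)
var_dump( has_raw_markup( $also_good ) );  // bool(false)
```

Variant 3 is only equivalent to variant 2 while every `%s` argument is escaped and the format string comes from `_n()` with no user-controlled text spliced into it; as soon as the format itself carries untrusted data, only escaping the final `sprintf()` result is safe, which is the point the comment makes.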


More information about the wp-trac mailing list