[wp-trac] [WordPress Trac] #43147: Introduce `esc_html_comment` and translation related functions
WordPress Trac
noreply at wordpress.org
Thu Jan 25 00:11:14 UTC 2018
#43147: Introduce `esc_html_comment` and translation related functions
-------------------------------------------------+-------------------------
Reporter: jipmoors | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests 2nd-opinion | Focuses:
-------------------------------------------------+-------------------------
Comment (by dd32):
Replying to [comment:5 schlessera]:
> @dd32 I personally never trust the translations, because they are
> outside of a developer's control.
While that's your preference, WordPress itself trusts its translations
from translate.wordpress.org, and suggests that if you're running other
translations you need to trust the source of those strings. If you're
unable to trust them, you've got potentially larger issues than random
extra html tags in said strings, and you should probably review them
before shipping them out.
> When you say "WordPress also trusts translations inherently", do you
> have something definitive you can point me to? I tried to read up on it,
> but all I found was (mostly implicit) recommendations to escape anything
> that will be rendered into HTML.
https://core.trac.wordpress.org/ticket/30724 is probably the best
reference I have right now.
Unfortunately most references, such as the codex, have been updated to
suggest escaping everything or running it through kses, even though it's
not recommended or suggested as required by core. Unfortunately a certain
PHPCS ruleset suggested escaping everything at some point and went against
core's implicit "we trust translation strings".
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43147#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform