[wp-trac] [WordPress Trac] #43700: Language switcher on the login screen
WordPress Trac
noreply at wordpress.org
Sun Feb 28 13:37:56 UTC 2021
#43700: Language switcher on the login screen
-------------------------------------------------+-------------------------
Reporter: johnbillion | Owner:
| johnbillion
Type: enhancement | Status: reviewing
Priority: normal | Milestone: Future
| Release
Component: I18N | Version: 4.7
Severity: normal | Resolution:
Keywords: needs-testing needs-refresh needs- | Focuses:
patch | accessibility
-------------------------------------------------+-------------------------
Comment (by tobifjellner):
What languages should be offered in the drop-down?
One way is to offer **any** language that is available for WordPress core.
Upside: Great for a real user who want to log in but doesn't know the main
language of the site.
Downside: An attacker could force the site it to download a lot of
unnecessary language files, using more traffic and storage space.
(Remember that once a certain language is installed, WordPress will
automatically download available translations of these languages for all
installed plugins and themes...
Possible mitigations:
Either only offer languages that are already installed. (If the site uses
English US and no other languages are installed, then the language chooser
should be removed or at least hidden.)
Or prepare a special micro language package that only covers
login/password reset and won't trigger download of any more language files
until the user has authenticated or registered correctly.
Perhaps the choice of approach should be available to the site admin, if
not as a setting, then via filter or a constant.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43700#comment:38>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list