[wp-trac] [WordPress Trac] #62643: Prevent errors from `printf()` and `sprintf()` calls

WordPress Trac noreply at wordpress.org
Wed Dec 4 14:42:51 UTC 2024


#62643: Prevent errors from `printf()` and `sprintf()` calls
-------------------------+------------------------------
 Reporter:  grapestain   |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  I18N         |     Version:
 Severity:  normal       |  Resolution:
 Keywords:  2nd-opinion  |     Focuses:
-------------------------+------------------------------

Comment (by grapestain):

 Well, I'm definitely not suggesting hiding errors, but fatal errors may be
 still a bit too harsh. I'm just thinking this needs to be reconsidered
 because obviously any decision regarding the translation system was made
 before PHP v8.0, so there's a chance that assumptions made back then would
 not hold up any more.

 But I get what you mean, like if a sneaky translator can add a chunk of
 JavaScript to e.g. trigger an XSS, why would WP not trust the translations
 for correctness? One argument for that is adding an attack vector to a
 translation cannot happen by accident, but crashing thousands of WP sites
 by adding an extra placeholder can happen by honest mistake, so they are
 not the same.

 In other words, when you say trust there are two aspects to that: security
 and quality. And while the circumstances for evaluating the trust for
 security are probably the same as when the decision was originally made,
 the circumstances regarding the trust for quality are significantly
 different prior to and from PHP v8.0, since what used to be an innocent
 warning is now a fatal error.

 Obviously my case was rather mundane as the about page is not mission
 critical, but the same could happen for any customer-facing page, like a
 checkout page for a popular webshop engine or the login page for the admin
 UI. Such issues would hurt WordPress's reputation on top of causing large
 scale stress and financial losses.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62643#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
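As an added illustration of the failure mode discussed in this ticket (example code, not from WordPress core or from the ticket itself), the constructed snippet below shows a translation carrying one extra placeholder hitting PHP 8's `ArgumentCountError`, next to a defensive wrapper that compares placeholder counts and falls back to the untranslated string. The helper names `expected_arg_count` and `safe_translated_sprintf` are assumptions.

```php
<?php
// Constructed sample (not from WordPress): the original has one %s, the
// translation mistakenly carries two.
$original    = 'Welcome back, %s!';
$translation = 'Bienvenue, %s ! Votre solde est %s.';

// Count the arguments a format string expects. "%%" is matched first so a
// literal percent sign is consumed and not counted; positional specs (%2$s)
// raise the count to their index, sequential ones are tallied in order.
function expected_arg_count(string $format): int {
    $pattern = '/%%|%(?:(\d+)\$)?[-+ 0]*(?:\'.)?\d*(?:\.\d+)?[bcdeEfFgGosuxX]/';
    preg_match_all($pattern, $format, $matches, PREG_SET_ORDER);
    $sequential = 0;
    $max_positional = 0;
    foreach ($matches as $m) {
        if ($m[0] === '%%') { continue; }
        if (isset($m[1]) && $m[1] !== '') {
            $max_positional = max($max_positional, (int) $m[1]);
        } else {
            $sequential++;
        }
    }
    return max($sequential, $max_positional);
}

// Defensive wrapper (hypothetical helper): refuse a translation whose
// placeholder count differs from the original's, log it, and fall back to the
// untranslated string so PHP 8's ArgumentCountError never reaches the page.
function safe_translated_sprintf(string $original, string $translation, ...$args): string {
    $needed = expected_arg_count($translation);
    if ($needed !== expected_arg_count($original) || $needed > count($args)) {
        error_log("Placeholder mismatch in translation of \"$original\"; using original.");
        return vsprintf($original, $args);
    }
    return vsprintf($translation, $args);
}

// Wrapper path: falls back to the original because the translation wants two args.
echo safe_translated_sprintf($original, $translation, 'Alice'), PHP_EOL;

// Raw path: on PHP 7 this was an E_WARNING (sprintf returned false); on PHP 8
// it throws, and uncaught that is the fatal error the ticket describes.
try {
    echo sprintf($translation, 'Alice'), PHP_EOL;
} catch (ArgumentCountError $e) {
    echo 'Caught: ', $e->getMessage(), PHP_EOL;
}
```

A check like `expected_arg_count` is also what a translation-import step could run once per string, so a mismatched translation is rejected at upload time rather than discovered on a live page.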