Opened 9 years ago
Closed 9 years ago
#6656 closed enhancement (no action required)
escape translations
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | I18N | Keywords: | |
| Cc: | | | |
Description
I'm proposing that for 2.5 onwards, we treat all (new) translations as untrusted from now on.
For BuddyPress, we've always known who the translator validators are, because it's the same people who do that for WordPress, and we have a lot of trust and faith and appreciation in them.
Now that other plugins are on the WordPress.org translation platform, and that each plugin can have its own validators added for a specific language without any further community oversight, the risk of someone sneaking something mischievous into any plugin (via a bad translation) is higher. Certainly for any new plugins that I write, the translations will be escaped to cover this -- just in case.
As I don't think BuddyPress should exist on an island by itself when it comes to best practices, and because I think we are able to (and should) contribute to a mindset shift in the plugin community, I'm suggesting we gradually introduce escaping into BuddyPress strings from 2.5 onwards. For example, replacing `_e` with `esc_html_e`, and so on.
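The replacement proposed in the description, shown side by side as an added example (not BuddyPress code and not part of the ticket). It assumes a loaded WordPress install; the `demo_*` function names, the `demo-domain` text domain and the injected string are constructed for illustration.

```php
<?php
// Added example, not BuddyPress code. Assumes it runs inside a loaded
// WordPress install; the demo_* names and 'demo-domain' are hypothetical.

// Simulate a translation that slipped through review with markup in it
// (constructed sample string).
function demo_untrusted_translation( $translation, $text, $domain ) {
	if ( 'demo-domain' === $domain && 'Save Changes' === $text ) {
		return 'Enregistrer <script>/* injected */</script>';
	}
	return $translation;
}
add_filter( 'gettext', 'demo_untrusted_translation', 10, 3 );

// Capture what a template function echoes so the outputs can be compared.
function demo_capture( $callback ) {
	ob_start();
	$callback();
	return ob_get_clean();
}

function demo_compare() {
	return array(
		// Before: the translated string reaches the page as raw HTML.
		'_e'         => demo_capture( function () {
			_e( 'Save Changes', 'demo-domain' );
		} ),
		// After: the translated string is HTML-escaped at output time.
		'esc_html_e' => demo_capture( function () {
			esc_html_e( 'Save Changes', 'demo-domain' );
		} ),
		// Inside an attribute value, use the attribute variant instead.
		'esc_attr__' => esc_attr__( 'Save Changes', 'demo-domain' ),
	);
}
```

Comparing the entries returned by `demo_compare()` shows that only the `_e` output still contains a live tag; the escaped variants turn the same translation into inert text.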
Change History (7)
#2, in reply to: ↑ description, 9 years ago
Replying to DJPaul:
> Now that other plugins are on the WordPress.org translation platform, and that each plugin can have its own validators added for a specific language without any further community oversight, the risk of someone sneaking something mischievous into any plugin (via a bad translation) is higher.
It should be noted that plugin authors cannot add validators themselves, the process still requires an action from global translation editors for the locale.
All translation warnings (extra tags, etc.) are logged into #polyglots-warnings Slack channel and reviewed.
It's a very good idea!
I can help with the code and the patches.