What harm could happen if I didn't use the wp_kses function when using HTML links within a translatable string?
I know what this function does, but what I don't understand is why and when I should implement this function, especially with translatable strings.
1 Answer
It basically depends on who is doing the translation and how trusted he can be, as if you do not filter things out the translator can add JS code, steal cookies and whatever.

In most of the places translation is done you will have in any case a call to esc_html or esc_attr which will mitigate the problem, but obviously if you need an actual link, you cannot use those functions. The use of wp_kses just makes sure there are no surprises in the translation.

For example, there is nothing that prevents a translator from translating __('Hi there') into Hi there <script>alert('evil laugh')</script>. Translations are never verified to not include such type of things when they are submitted by translators, and while the example is easy to catch, it might be possible to do more complex things that are harder to spot.
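The before-and-after the comments below ask for, as an added example that is neither part of the original answer nor WordPress core code. It assumes a constructed malicious translation, a hypothetical text domain 'my-theme' and a placeholder URL; because __(), esc_html() and wp_kses() only exist inside WordPress, the script defines simplified stand-ins for them so it runs on plain PHP (the stand-in for wp_kses is an allow-list sanitizer in the spirit of the real one, not its implementation).

```php
<?php
declare(strict_types=1);

// Added example: not code from the original answer nor from WordPress core.
// It shows what a theme outputs when a translator ships a malicious entry for
// a translatable string, and how esc_html() and wp_kses() change that output.
// Outside WordPress the functions __(), esc_html() and wp_kses() do not exist,
// so simplified stand-ins are defined below; inside WordPress the real ones
// are used and the stand-ins are skipped.

// Constructed: a translation a .po file could contain for the source string
// 'Hi there, read our <a href="%s">privacy policy</a>'. Nothing checks it.
const CONSTRUCTED_TRANSLATION =
    'Hi there <script>alert(\'evil laugh\')</script>, read our '
    . '<a href="%s" onclick="alert(1)">privacy policy</a>';

if (!function_exists('__')) {
    // Stand-in for __(): WordPress would look $text up in the loaded .mo file.
    function __(string $text, string $domain = 'default'): string
    {
        return CONSTRUCTED_TRANSLATION;
    }
}

if (!function_exists('esc_html')) {
    // Stand-in for esc_html(): every tag becomes visible text, the link too.
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

if (!function_exists('wp_kses')) {
    // Simplified stand-in for wp_kses(): unwrap every element not named in
    // $allowed_html and drop every attribute the allow-list does not name.
    // Core's implementation is larger (it also checks URL protocols, etc.).
    function wp_kses(string $text, array $allowed_html): string
    {
        $dom = new DOMDocument();
        libxml_use_internal_errors(true);
        $dom->loadHTML(
            '<?xml encoding="UTF-8"><div>' . $text . '</div>',
            LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
        );
        libxml_clear_errors();
        // Our wrapper is the first div in document order.
        $root = $dom->getElementsByTagName('div')->item(0);
        // Snapshot the element list: it would change under us while editing.
        foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
            $tag = strtolower($el->tagName);
            if (!isset($allowed_html[$tag])) {
                // Disallowed tag: keep its text/children, remove the tag itself.
                while ($el->firstChild !== null) {
                    $el->parentNode->insertBefore($el->firstChild, $el);
                }
                $el->parentNode->removeChild($el);
                continue;
            }
            foreach (iterator_to_array($el->attributes) as $attr) {
                if (empty($allowed_html[$tag][strtolower($attr->name)])) {
                    $el->removeAttribute($attr->name);
                }
            }
        }
        $out = '';
        foreach ($root->childNodes as $child) {
            $out .= $dom->saveHTML($child);
        }
        return $out;
    }
}

/** Returns the three variants of the same output line, keyed by approach. */
function render_variants(string $policy_url): array
{
    $source = 'Hi there, read our <a href="%s">privacy policy</a>';
    // Same array shape the real wp_kses() expects: tag => [attribute => true].
    $allowed_html = ['a' => ['href' => true, 'title' => true]];

    return [
        // Before: the translation is trusted, so <script> and onclick reach the browser.
        'unfiltered' => sprintf(__($source, 'my-theme'), $policy_url),
        // Safe, but the link is destroyed: it is shown as literal &lt;a ...&gt; text.
        'esc_html'   => sprintf(esc_html(__($source, 'my-theme')), $policy_url),
        // After: only <a href> survives; the script tag and onclick are gone.
        'wp_kses'    => sprintf(wp_kses(__($source, 'my-theme'), $allowed_html), $policy_url),
    ];
}

foreach (render_variants('https://example.com/privacy') as $name => $html) {
    echo str_pad($name, 11), ': ', $html, "\n";
}
```

Run it with plain `php` and compare the three lines: the unfiltered one carries the script tag and the onclick attribute into the page, the esc_html one is harmless but renders the link as literal text, and the wp_kses one keeps a working link with only the allow-listed attributes. In a real theme the URL substituted into the link should additionally go through esc_url(), and the allow-list can be widened to exactly the tags the string needs (or wp_kses_post() used when the full post-content allow-list is acceptable).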
- Thanks for your answer.. and this is exactly what I need to know.. what kind of surprise could happen.. I need a before and after example if it is possible please. Commented May 13, 2017 at 14:40
- Please be patient and consider I am a beginner.. I need a low low level discussion... how would the translator add those harmful codes? And what do you mean by the translator? A person or translation tools like poedit? Commented May 13, 2017 at 14:48
- I mean the person doing the translation, and there is nothing complex, he will just add that JS code the same way he uses poedit to translate all strings. Commented May 13, 2017 at 14:50
- Ahaaa.. so when he translates he may inject code with the translation itself, so when loading the theme/plugin the code runs and does stuff. Isn't it? Commented May 13, 2017 at 14:54