{"id":15298,"date":"2015-04-09T19:13:43","date_gmt":"2015-04-09T19:13:43","guid":{"rendered":"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/http\/developer.wordpress.org\/?post_type=plugin-handbook&p=15298"},"modified":"2022-11-17T06:09:02","modified_gmt":"2022-11-17T06:09:02","slug":"security","status":"publish","type":"plugin-handbook","link":"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/developer.wordpress.org\/plugins\/internationalization\/security\/","title":{"rendered":"Internationalization Security"},"content":{"rendered":"\n

Security is often overlooked when talking about internationalization, but there are a few important things to keep in mind.<\/p>\n\n\n\n

Check for Spam and Other Malicious Strings<\/h3>\n\n\n\n

When a translator submits a localization to you, always check to make sure they didn\u2019t include spam or other malicious words in their translation. You can use Google Translate<\/a> to translate their translation back into your native language so that you can easily compare the original and translated strings.<\/p>\n\n\n\n

Escape Internationalized Strings<\/h3>\n\n\n\n

You can’t trust that a translator will only add benign text to their localization; if they want to, they could add malicious JavaScript or other code instead. To protect against that, it’s important to treat internationalized strings like you would any other untrusted input.<\/p>\n\n\n\n

If you’re outputting the strings, then they should be escaped.<\/p>\n\n\n\n

Insecure:<\/span><\/p>\n\n\n\n

_e( 'The REST API content endpoints were added in WordPress 4.7.', 'your-text-domain' ); <\/code><\/pre>\n\n\n\n
Secure:<\/span><\/p>\n\n\n\n
esc_html_e( 'The REST API content endpoints were added in WordPress 4.7.', 'your-text-domain' );<\/code><\/pre>\n\n\n\n
Alternatively, some people choose to rely on a translation verification mechanism, rather than adding escaping to their code. One example of a verification mechanism is the editor roles<\/a> that the WordPress Polyglots team uses for translate.wordpress.org<\/a>. This ensures that any translation submitted by an untrusted contributor has been verified by a trusted editor before being accepted.<\/p>\n\n\n\n
Use Placeholders for URLs<\/h3>\n\n\n\n
Don\u2019t include URLs in internationalized strings, because a malicious translator could change them to point to a different URL. Instead, use placeholders for printf()<\/a> or sprintf()<\/a>.<\/p>\n\n\n\n
Insecure:<\/span><\/p>\n\n\n\n
_e(\n\t'Please <a href=\"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/login.wordpress.org\/register\"> register for a WordPress.org account<\/a>.',\n\t'your-text-domain'\n);<\/code><\/pre>\n\n\n\n
Secure:<\/span><\/p>\n\n\n\n
printf(\n\tesc_html__( 'Please %1$s register for a WordPress.org account %2$s.', 'your-text-domain' ),\n\t'<a href=\"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/login.wordpress.org\/register\">',\n\t'<\/a>'\n);<\/code><\/pre>\n\n\n\n
Compile Your Own .mo Binaries<\/h3>\n\n\n\n
Often translators will send the compiled .mo file along with the plaintext .po file, but you should discard their .mo file and compile your own, because you have no way of knowing whether or not it was compiled from the corresponding .po file, or a different one. If it was compiled against a different one, then it could contain spam and other malicious strings without your knowledge.<\/p>\n\n\n\n
Using PoEdit to generate the binary will override the headers in the .po file, so instead it\u2019s better to compile it from the command line:<\/p>\n\n\n\n
msgfmt -cv -o \/path\/to\/output.mo \/path\/to\/input.po<\/code><\/pre>\n","protected":false},"author":6250429,"featured_media":0,"parent":11173,"menu_order":0,"template":"","meta":{"footnotes":""},"class_list":["post-15298","plugin-handbook","type-plugin-handbook","status-publish","hentry","type-handbook"],"revision_note":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/developer.wordpress.org\/wp-json\/wp\/v2\/plugin-handbook\/15298","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/developer.wordpress.org\/wp-json\/wp\/v2\/plugin-handbook"}],"about":[{"href":"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/developer.wordpress.org\/wp-json\/wp\/v2\/types\/plugin-handbook"}],"author":[{"embeddable":true,"href":"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/developer.wordpress.org\/wp-json\/wp\/v2\/users\/6250429"}],"version-history":[{"count":12,"href":"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/developer.wordpress.org\/wp-json\/wp\/v2\/plugin-handbook\/15298\/revisions"}],"predecessor-version":[{"id":144345,"href":"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/developer.wordpress.org\/wp-json\/wp\/v2\/plugin-handbook\/15298\/revisions\/144345"}],"up":[{"embeddable":true,"href":"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/developer.wordpress.org\/wp-json\/wp\/v2\/plugin-handbook\/11173"}],"wp:attachment":[{"href":"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/developer.wordpress.org\/wp-json\/wp\/v2\/media?parent=15298"}],"curies":[{"name":"wp","href":"https:\/\/blue-sea-697d.quartiers047.workers.dev:443\/https\/api.w.org\/{rel}","templated":true}]}}