[wp-hackers] Potential (security) issue with Twenty Ten?

Bjorn Wijers burobjorn at gmail.com
Sat Jan 8 13:08:48 UTC 2011


Peter & Mike,

Thanks for clearing this up. Next time when I suspect a security issue 
I'll contact and use the appropriate channels.

@Peter: out of curiosity: could you give an example when gettext does 
not provide a solution and an extra php file is needed?


Kind regards,
Bjorn Wijers

* b u r o b j o r n .nl *
digitaal vakmanschap | digital craftsmanship

Working days:
Monday through Thursday from 10:00
Friday is for experimenting and personal projects.

Concordiastraat 68-126
3551 EM Utrecht
The Netherlands

tel: +31 6 49 74 78 70
http://www.burobjorn.nl

On 01/06/2011 12:26 PM, Bjorn Wijers wrote:
> Hi,
>
> Not sure if this is the right place to discuss this, so please point me
> in the right direction if this should be discussed somewhere else...
>
> I was looking at Twenty Ten and noticed this piece of code below the
> theme textdomain loading in the functions.php:
>
> 91 load_theme_textdomain( 'twentyten', TEMPLATEPATH . '/languages' );
> 92
> 93 $locale = get_locale();
> 94 $locale_file = TEMPLATEPATH . "/languages/$locale.php";
> 95 if ( is_readable( $locale_file ) )
> 96 require_once( $locale_file );
>
> Source:
> http://core.trac.wordpress.org/browser/trunk/wp-content/themes/twentyten/functions.php
>
>
> I do not understand why after loading the theme's translations files
> another file ($locale.php) is included. Also the $locale, as far as I
> can see although I haven't dived into it, does not get escaped. Somehow
> this looks kinda funky.
>
> Can somebody explain why this piece of code is included in Twenty Ten? And why
> this is used after already loading the translations using
> load_theme_textdomain() function.
>
> grtz
> BjornW
>
> http://core.trac.wordpress.org/browser/trunk/wp-content/themes/twentyten/functions.php#L93