[wp-hackers] Potential (security) issue with Twenty Ten?

Peter Westwood peter.westwood at ftwr.co.uk
Thu Jan 6 12:01:29 UTC 2011


On 6 Jan 2011, at 11:26, Bjorn Wijers wrote:

> Not sure if this is the right place to discuss this, so please point me in the right direction if this should be discussed somewhere else...

If you think you have found a security issue then you should contact the security "team" as documented here:


> I was looking at Twenty Ten and noticed this piece of code below the theme textdomain loading in the functions.php:
> 91 load_theme_textdomain( 'twentyten', TEMPLATEPATH . '/languages' );
> 92
> 93 $locale = get_locale();
> 94 $locale_file = TEMPLATEPATH . "/languages/$locale.php";
> 95 if ( is_readable( $locale_file ) )
> 96   require_once( $locale_file );
> Source:
> http://core.trac.wordpress.org/browser/trunk/wp-content/themes/twentyten/functions.php
> I do not understand why after loading the theme's translations files another file ($locale.php) is included. Also the $locale, as far as I can see although I haven't dived into it, does not get escaped. Somehow this looks kinda funky.
> Can somebody explain why this of code is included in Twenty Ten? And why this is used after already loading the translations using load_theme_textdomain() function.

This code is there to allow for translators to make some translations using PHP rather than just the mo file.

This is needed in some rare cases and something core supports as well in the same way
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5

More information about the wp-hackers mailing list