[wp-trac] [WordPress Trac] #61065: Ensure URLs are not translated to maintain security and accuracy in localization
WordPress Trac
noreply at wordpress.org
Wed Apr 24 09:23:44 UTC 2024
#61065: Ensure URLs are not translated to maintain security and accuracy in
localization
-----------------------------+--------------------------------------------
Reporter: akshay.shah5189 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: I18N | Version: 6.5
Severity: normal | Keywords: i18n security urls translation
Focuses: |
-----------------------------+--------------------------------------------
While reviewing various parts of the WordPress code and
community-contributed themes/plugins, I have noticed instances where URLs
are passed into translation functions such as __(). This practice can lead
to several issues:

 * Localization Problems: URLs should remain constant across all
   languages. Translating them could lead to broken links if translators
   inadvertently change the URL structure.
 * Security Concerns: Translating URLs might expose the site to
   manipulation if the translation files are compromised.
 * Performance Overhead: Including URLs in translatable strings increases
   the complexity and size of translation files unnecessarily.

Recently, I found this in wp-admin/credits.php at line 48. The code below
appears there:
{{{
<p>
    <?php
    printf(
        /* translators: 1: https://wordpress.org/about/ */
        __( 'WordPress is created by a <a href="%1$s">worldwide team</a> of passionate individuals.' ),
        __( 'https://wordpress.org/about/' )
    );
    ?>
    <br />
    <a href="<?php echo esc_url( __( 'https://make.wordpress.org/contribute/' ) ); ?>"><?php _e( 'Get involved in WordPress.' ); ?></a>
</p>
}}}

In my opinion, the correct code is as below:
{{{
<p>
    <?php
    printf(
        __( 'WordPress is created by a <a href="%s">worldwide team</a> of passionate individuals.' ),
        esc_url( 'https://wordpress.org/about/' )
    );
    ?>
    <br />
    <a href="<?php echo esc_url( 'https://make.wordpress.org/contribute/' ); ?>"><?php _e( 'Get involved in WordPress.' ); ?></a>
</p>
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61065>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform