| Developer | akirk |
|---|---|
| Last updated | 6 January 2016, 15:28 |
| PHP version: | 2.0.11 and above |
| WordPress version: | 4.4 |
| License: | GPLv2 or later |
| License URL: | License information |
.po or .mo) is run through an escaping function before it is output to the user.
Escaping refers to the modification of the text so that special control characters do not have an effect (for example < in HTML).
Example: If an original text does not contain HTML, then a translated text should not be allowed to contain HTML either. Thus, an HTML link introduced by a translator should have no effect because this was not intended by the developer.
This plugin is in the proof-of-concept stage. It was created to test whether the escaping of translated text can be handled in a general way, whether it severely affects the performance of a site, and whether it breaks things.
For text without HTML, the text is sent through esc_html(); for text containing HTML tags, it is sent through wp_kses(), which is provided with a list of allowed HTML tags and attributes derived from the original string.
Thus this plugin tries to show a generic way of how to make sure that translated text is escaped. This is something that can eventually be ported to core.
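The escaping rule described above (esc_html() when the original string has no HTML, wp_kses() with an allow-list derived from the original otherwise), written out as an added example that is not the plugin's own code. It assumes WordPress's esc_html(), wp_kses() and the 'gettext' filter; the sg_ function names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Requires WordPress for
// esc_html(), wp_kses() and the 'gettext' filter.

/**
 * Build a wp_kses() allow-list from the tags and attributes that appear in the
 * ORIGINAL (developer-written) string. Anything the developer did not use is
 * therefore not allowed in the translation.
 */
function sg_allowed_tags_from_original( string $original ): array {
    $allowed = array();
    // Match opening tags with their attribute text, e.g. <a href="%s" target="_blank">
    if ( preg_match_all( '/<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/', $original, $tags, PREG_SET_ORDER ) ) {
        foreach ( $tags as $tag ) {
            $name = strtolower( $tag[1] );
            if ( ! isset( $allowed[ $name ] ) ) {
                $allowed[ $name ] = array();
            }
            // Collect the attribute names the original uses on this tag.
            if ( preg_match_all( '/\s([a-zA-Z-]+)\s*=/', $tag[2], $attrs ) ) {
                foreach ( $attrs[1] as $attr ) {
                    $allowed[ $name ][ strtolower( $attr ) ] = true;
                }
            }
        }
    }
    return $allowed;
}

/**
 * Escape a translated string according to what the original string allows.
 */
function sg_escape_translation( string $translation, string $original ): string {
    $allowed = sg_allowed_tags_from_original( $original );
    if ( empty( $allowed ) ) {
        // Original had no HTML: any tag a translator added is printed as literal text.
        return esc_html( $translation );
    }
    // Original had HTML: keep only the tags/attributes the developer used,
    // so e.g. a <script> tag or an added onclick attribute is stripped.
    return wp_kses( $translation, $allowed );
}

// Hook into translation lookups: $translation is the .po/.mo text, $text the original.
add_filter( 'gettext', function ( $translation, $text, $domain ) {
    return sg_escape_translation( $translation, $text );
}, 10, 3 );
```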
/wp-content/plugins/secure-gettext directory, or install the plugin through the WordPress plugins screen directly.

Yes and no. The translation system on translate.wordpress.org is built on trust. Translation Editors will only approve strings that are just the translations of original text. This has worked very well so far. So indeed you can trust translations coming from there, for example through language packs. On the other hand, translation files provide a potential vector for attackers to insert malicious content. This could be spam links, or even JavaScript code. If you receive a translation file from an untrusted source, then it might be unsafe. This plugin doesn't fully protect you from such dangers, but makes it harder for potential attackers to insert their own content into translated texts.
If the plugin is activated, in the best case it doesn't change anything visually. Translated text should behave the same way as before, although some escaping may take place: for example, if the original text contained no HTML, any HTML tags contained in the translated text will be printed verbatim rather than rendered.
In order to be able to verify if the plugin is in fact active, there is a special URL parameter that you can use when you view a page with a logged-in user: ?secure-gexttext=show
This mode wraps all screen text in [Escaped: <text>]. This is purely for debugging and might be removed in future.