Using HTML links within translatable string

It basically depends on who is doing the translation and how trusted can he be as if you will not filter things out the translator can add JS code, still cookies and whatever.

In most of the places translation is done you will have in any case a call to esc_html or esc_attr which will mitigate the problem, but obviously if you need an actual link, you can not use those functions. The use of wp_kses just makes sure there are no surprises in the translation.

For example, there is nothing that prevent a translator from translating __('Hi there) into Hi there <script>alert('evil laugh')</script>. translations are never verified to not include such type of things when they are submitted by translators, and while the example is easy to catch, it might be possible to do more complex things that are harder to spot.

Related Posts:

  1. What is the difference between esc_html and wp_filter_nohtml_kses?
  2. Escaping built-in WP function return strings
  3. What is the difference between strip_tags and wp_filter_nohtml_kses?
  4. WordPress security issue to output data from user input from theme option form
  5. wp_nonce_field displaying twice
  6. Is it necessary to do validation again when retrieving data from database?
  7. Why would you use esc_attr() on internal functions?
  8. Using password protection to load different page elements?
  9. Include external po file for 3th party plugin to theme
  10. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  11. Problem with Poedit [closed]
  12. Warning: include(): https:// wrapper is disabled in the server configuration by allow_url_include=0
  13. Plugin is not generating title tags on any pages or posts
  14. How to Control CSS of Admin On Creating only a Specific Custom Post Type
  15. Can’t change the style of a submit input type? [closed]
  16. Make a plugin page out of influence of the theme’s style
  17. Update Data parameter of a wp_localize_script() call
  18. Custom entity search and display
  19. WP Plugin Running before jQuery
  20. Template directory in plugin
  21. get_the_tags with separator control?
  22. How to only load css for used blocks on frontend
  23. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  24. 400 Bad Request, in wordpress theme development, wp_ajax
  25. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  26. esc_html__() and __() not working within arrays
  27. add_submenu_page hooked function must explicitly check user capabilities – why?
  28. How to prevent someone from entering strings without making it available for translation?
  29. Readme.txt seems to be cached but not the version
  30. Add child pages to submenu automatically
  31. Are there any security risks when submitting data-attribute data through AJAX?
  32. Return Value of load_plugin_textdomain
  33. Why in this archive page that call query_posts() function show only the last 10 posts?
  34. my own SVN for a plugin/theme
  35. Issue on Setting $icon_url Parameter on WP add_menu_page()
  36. Why enqueue styles on hook?
  37. Getting a WordPress Debug Strategy
  38. unable to wp_enqueue_script(‘suggest’);
  39. Drawing the line between theme & plugin on large scale bespoke projects
  40. Apply styles to blockquote element with the WYSIWYG editor
  41. Translate javascript with WordPress built-in localization API for static strings
  42. PHP File_exist() not working – Checking if File Exist in WordPress Theme Directory
  43. Invalid hook call on save, not edit when using swiper slider
  44. Proper way to use useSelect
  45. Conditional Generation of Image Sizes using add_image_size
  46. How to add plugin options in wp editor page
  47. Ajax: Populate with content from a post’s ID not working – duplicating current page html instead
  48. Plugin language always shows WP site language, not profile language
  49. Is hint for translator compulsory while internationalizing a string containing variables?
  50. How to find where an object first instantiatiation
  51. Gutenberg blocks error: Each child in a list should have a unique “key” prop
  52. Translating plugin settings page – dropdown list
  53. Make dynamic string translatable
  54. Full documentation about $args for register_rest_route?
  55. WP Still Generating 150×150 Thumbnail Size Even After Un-Setting Small Size in Functions.php
  56. Is it possible to use WP-CLI in a plugin (or theme)?
  57. Secruity Questions on a timer
  58. modify show UI of a registered taxonomy
  59. Using function from enqueued .js file in theme in plugin?
  60. Does WordPress default CSS have Grids?
  61. How to resize WordPress images on upload to specific height and width without cropping it
  62. Create fixed static pages
  63. How to get terms for taxonomy
  64. How to translate wordpress backend to another language
  65. How can I save a password securely as a settings field
  66. How to replace settings in WordPress plugin from a theme
  67. Save temporary registration data
  68. How to remove/replace current page template?
  69. WordPress dynamic widget by location?
  70. Borrowing of Previously Translated Strings by Child Plugin
  71. WordPress Page Reload Takes forever during theme development
  72. Adjust query on single
  73. Setting a post’s category
  74. rewrite_rules problem
  75. Anyone using unzip_file successfully? It uploads the zip but doesn’t extract it!
  76. How can the_excerpt (or equivalent) be called on a category description?
  77. Why does website stretch and white space on load? [duplicate]
  78. Change the behaviour of a button
  79. WP_Query order posts by category
  80. Configuring Xdebug with docker compose
  81. Why my theme’s css not working on another site
  82. How to access index file in Block Themes?
  83. How to show comments from different Plugins to same post type?
  84. Pass custom props to
  85. Translations only load from `wp-content/languages/plugins` but not from the plugin’s languages folder
  86. WordPress Favicon not Working For Images/Videos/PDFs
  87. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  88. How to make premium plugin? I want to limit it until verification
  89. Google Web Core Vitals – management, how to in wordpress and advice
  90. How to add quick edit on the list of users to edit custom fields?
  91. Impossible to declare box-shadow with wp.customize?
  92. Want to know how to reveal a WordPress theme, considering the theme name is hidden?
  93. Override category archive page title (not the head title)
  94. How do I add filter with woocommerce categories?
  95. How to store sensitive user data (passwords)
  96. Can’t upload image via submitting custom post from frontend
  97. Need Help to make a logic for editing posts in Frontend
  98. Redirection from a specific page for users logged in but not with membership
  99. How can we stop showing short code in create or edit post section
  100. Metabox types list
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)