Using HTML links within translatable string

It basically depends on who is doing the translation and how trusted can he be as if you will not filter things out the translator can add JS code, still cookies and whatever.

In most of the places translation is done you will have in any case a call to esc_html or esc_attr which will mitigate the problem, but obviously if you need an actual link, you can not use those functions. The use of wp_kses just makes sure there are no surprises in the translation.

For example, there is nothing that prevent a translator from translating __('Hi there) into Hi there <script>alert('evil laugh')</script>. translations are never verified to not include such type of things when they are submitted by translators, and while the example is easy to catch, it might be possible to do more complex things that are harder to spot.

Related Posts:

  1. What is the difference between esc_html and wp_filter_nohtml_kses?
  2. Escaping built-in WP function return strings
  3. What is the difference between strip_tags and wp_filter_nohtml_kses?
  4. WordPress security issue to output data from user input from theme option form
  5. wp_nonce_field displaying twice
  6. Is it necessary to do validation again when retrieving data from database?
  7. Why would you use esc_attr() on internal functions?
  8. Using password protection to load different page elements?
  9. Include external po file for 3th party plugin to theme
  10. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  11. Problem with Poedit [closed]
  12. Autoloading & Namespaces in WordPress Plugins & Themes: Can it Work?
  13. What process do you use for WordPress development? [closed]
  14. What is the advantage of using wp_mail?
  15. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  16. Should Plugin Folders Include a Blank index.php File?
  17. How to provide translations for a WordPress TinyMCE plugin?
  18. Should I create a theme or a plugin?
  19. Include third party Javascript library which is not included in WordPress
  20. Where do I start from
  21. WP 3.3 Tooltips API?
  22. wp_remote_get doesn’t work with secure connections https?
  23. Authoritative answer on which boots first – Plugins or Themes?
  24. How to Add Font Awesome Icons to WordPress Menus?
  25. How to Use WordPress Color Picker API in Custom Post Type Metabox
  26. Custom theme sufficient or custom plugin neccessary for this feature set?
  27. How to create custom home page via plugin?
  28. How does gettext works for translating readme file of plugin?
  29. How to debug WordPress correctly?
  30. `wp_set_script_translations` with `wp.i18n` does not return translated strings in simple plugin
  31. Featured Image not showing in admin
  32. Should I use RIPS tool to test my themes and plugins?
  33. use __($str) to translate strings (symfony/twig)
  34. Plugin development: is adding empty index.php files necessary?
  35. Whats the difference between blog_info(‘stylesheet_url’) difference get_stylesheet_uri()
  36. Paging on a future post loop?
  37. Translate strings not recognised in plugin
  38. How to check if a stylesheet is already loaded?
  39. Why do I need to check if wp_nonce_field() exists before using it
  40. Problem with is_active_sidebar?
  41. Change template dynamically
  42. Should I always prefer esc_attr_e & esc_html_e instead of _e?
  43. WordPress add_admin_page not working even parameters are correct?
  44. Get Current Menu Location inside Nav_Walker
  45. Howto: Use Custom Post Types as Submenu Items in Admin
  46. Extending theme PHP class in plugin
  47. what is the difference between these phares?
  48. Video Security just like facebook [closed]
  49. How to limit number of number of categories displayed by categories widget
  50. How to hide or rename “X” and “x-child” references in website source?
  51. Plugin is not generating title tags on any pages or posts
  52. Update Data parameter of a wp_localize_script() call
  53. get_the_tags with separator control?
  54. How to only load css for used blocks on frontend
  55. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  56. Add child pages to submenu automatically
  57. Are there any security risks when submitting data-attribute data through AJAX?
  58. Why in this archive page that call query_posts() function show only the last 10 posts?
  59. Why enqueue styles on hook?
  60. Translate javascript with WordPress built-in localization API for static strings
  61. PHP File_exist() not working – Checking if File Exist in WordPress Theme Directory
  62. Invalid hook call on save, not edit when using swiper slider
  63. Plugin language always shows WP site language, not profile language
  64. How to find where an object first instantiatiation
  65. Make dynamic string translatable
  66. Full documentation about $args for register_rest_route?
  67. modify show UI of a registered taxonomy
  68. How to get terms for taxonomy
  69. How to remove/replace current page template?
  70. WordPress Page Reload Takes forever during theme development
  71. Adjust query on single
  72. Anyone using unzip_file successfully? It uploads the zip but doesn’t extract it!
  73. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  74. How do I add filter with woocommerce categories?
  75. Can’t upload image via submitting custom post from frontend
  76. Need Help to make a logic for editing posts in Frontend
  77. How can we stop showing short code in create or edit post section
  78. Error Connecting to Database WHEN Installing WordPress on XAMPP [Tried All the Usual Stuff] (Pics Included)
  79. Load custom translation in custom plugin fails
  80. How can I measure CPU and RAM used by my theme or plugin
  81. set a custom post type to a taxonomy term programmatically in metabox
  82. My enqueue admin style function doesn’t work because of ?=ver
  83. Can i prevent the effect of the_title filter on the dashboard’s posts/pages titles?
  84. Translation not working for Constant strings in Plugin
  85. How to embed or integrated a custom WordPress Widget into the theme?
  86. To remove rendering of menus and header, plugin or theme?
  87. How can I add recent posts to menu like mashable
  88. Is there a general way to get a themes primary colour?
  89. How to Register/Link to .js Files in WordPress Dynamicaly in Header.php
  90. Best Way to Inventory the Media Library of a 200+ Multisite Installation?
  91. Loading jQuery library from WordPress admin
  92. Using tag or inline style attribute?
  93. how to insert content into wp_head after loop_end
  94. how to catch a data from a array in WordPress
  95. How are themes and plugins localized using the gettext GNU framework?
  96. Theme, Plugin or Both?
  97. get the queried_object of an url
  98. Is there any other ways to replicating changes on live from staging without pushing from git
  99. Hook a search form anywhere on the site, using a custom plugin
  100. Fetch Custom Woocomerce filed data and check the data avialble in Wp-user table as nicname or username using function.php