It basically depends on who is doing the translation and how trusted he can be, as if you will not filter things out the translator can add JS code, steal cookies and whatever.

In most of the places translation is done you will have in any case a call to `esc_html` or `esc_attr` which will mitigate the problem, but obviously if you need an actual link, you cannot use those functions. The use of `wp_kses` just makes sure there are no surprises in the translation.

For example, there is nothing that prevents a translator from translating `__('Hi there')` into `Hi there <script>alert('evil laugh')</script>`. Translations are never verified to not include such type of things when they are submitted by translators, and while the example is easy to catch, it might be possible to do more complex things that are harder to spot.
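As an added illustration (not code from the answer above), this shows the two choices the answer contrasts when a translated string must carry a link: `esc_html()` neutralises everything including the link, while `wp_kses()` with an explicit allow-list keeps the `<a>` and drops the injected `<script>` and `onclick`. It assumes it runs inside WordPress; the helper name `wpse_safe_translated_html`, the URL and the hostile translation are constructed for the example.

```php
<?php
// Added example, not from the original answer. Assumes a loaded WordPress
// environment so that esc_html(), wp_kses() and __() are available.

/**
 * Hypothetical helper: allow only what a translated sentence with a link
 * legitimately needs. Everything else (script, event handlers, styles)
 * is removed by kses; inner text of a removed tag stays as harmless text.
 */
function wpse_safe_translated_html( $translated ) {
    $allowed = array(
        'a' => array(
            'href'  => array(),
            'title' => array(),
        ),
    );
    return wp_kses( $translated, $allowed );
}

// Constructed translator-supplied string: the expected link plus an
// injected event handler and a script element.
$translated = 'Hi there, <a href="https://example.com/help" onclick="steal()">help</a>'
    . '<script>alert(\'evil laugh\')</script>';

// Choice 1: esc_html() is safe but the link is rendered as literal text.
$plain = esc_html( $translated );

// Choice 2: wp_kses() keeps the <a href="..."> and removes onclick and
// the <script> tags; the text "alert('evil laugh')" is left as plain text
// where it can no longer execute.
$safe = wpse_safe_translated_html( $translated );

echo $plain, "\n";
echo $safe, "\n";
```

In real plugin code the string would come from `__()` rather than a literal, and the `wp_kses()` call sits around that return value, so a surprise in the .po file never reaches the browser unfiltered.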