Dieses Plugin ist nicht mit den jüngsten 3 Hauptversionen von WordPress getestet worden. Es wird möglicherweise nicht mehr gewartet oder unterstützt und kann Kompatibilitätsprobleme haben, wenn es mit neueren Versionen von WordPress verwendet wird.

Herunterladen

Secure Gettext

Von Alex Kirk

Beschreibung

This plugin ensures that any text coming from a translation file (.po or .mo) is run through an escaping function before it is output to the user.

Escaping refers to the modification of the text so that special control characters do not have an effect (for example < in HTML).

Example: If an original text does not contain HTML, then a translated text should not be allowed to contain HTML either. Thus, an HTML link introduced by a translator should have no effect because this was not intended by the developer.

This plugin is in the proof-of-concept stage, it was created to test if the escaping of translated text can be handled in a general way, whether it severely affects the performance of a site, and if it breaks things.

For text without HTML, the text is sent through esc_html(), for text containing HTML tags, it is sent through wp_kses() which is provided with a list of allowed HTML tags and attributes, derived from the original string.

Thus this plugin tries to show a generic way of how to make sure that translated text is escaped. This is something that can eventually be ported to core.

Installation

  1. Upload the plugin files to the /wp-content/plugins/secure-gettext directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the ‚Plugins‘ screen in WordPress

FAQ

Are you trying to convey that I cannot trust translations?

Yes and no. The translation system on translate.wordpress.org is built on trust. Translation Editors will only approve strings that are just the translations of original text. This has worked very well so far. So indeed you can trust translations coming from there, for example through language packs.

On the other hand, translation files provide a potential vector for attackers to insert malicious content. This could be spam links, or even JavaScript code. If you receive a translation file from an untrusted source, then it might be unsafe.

This plugin doesn’t fully protect you from such dangers, but makes it harder for potential attackers to insert their own content into translated texts.

How can I see that the plugin is working?

If the plugin is activated, in the best case it doesn’t change anything visually. Translated text should behave the same way as before, there might be some escaping taking place (for example) something that had no HTML in the original text will have any HTML tags contained in the translated text be printed verbose.

In order to be able to verify if the plugin is in fact active, there is a special URL parameter that you can use when you view a page with a logged-in user: ?secure-gexttext=show

This mode will modify all screen text to be wrapped with a [Escaped: <text>]. This is purely for debugging functionality and might be removed in future.

Rezensionen

Alle 1 Rezension lesen

Mitwirkende & Entwickler

„Secure Gettext“ ist Open-Source-Software. Folgende Menschen haben an diesem Plugin mitgewirkt:

Mitwirkende

Übersetze „Secure Gettext“ in deine Sprache.

Interessiert an der Entwicklung?

Durchstöbere den Code, sieh dir das SVN Repository an oder abonniere das Entwicklungsprotokoll per RSS.

Änderungsprotokoll

0.1

  • Proof of concept

Meta

Bewertungen

Alle anzeigen
Melde dich an, um eine Rezension einzureichen.

Mitwirkende

Support

Möchtest du etwas sagen? Brauchst du Unterstützung?

Supportforum anzeigen