Escapes translated text before it gets output. This adds an extra security layer around translated text.
Author: Alex Kirk (profile at wordpress.org)
WordPress version required: 2.0.11
WordPress version tested: 4.4
Plugin version: 0.1
Added to WordPress repository: 06-01-2016
Last updated: 05-01-2016
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
Rating, %: 100
Rated by: 1
Plugin URI:
Total downloads: 734
FAQ
Are you trying to convey that I cannot trust translations?
Yes and no. The translation system on translate.wordpress.org is built on trust. Translation Editors will only approve strings that are just the translations of original text. This has worked very well so far. So indeed you can trust translations coming from there, for example through language packs.
On the other hand, translation files provide a potential vector for attackers to insert malicious content. This could be spam links, or even JavaScript code. If you receive a translation file from an untrusted source, then it might be unsafe.
This plugin doesn’t fully protect you from such dangers, but makes it harder for potential attackers to insert their own content into translated texts.
How can I see that the plugin is working?
If the plugin is activated, in the best case it doesn’t change anything visually. Translated text should behave the same way as before. Some escaping might take place: for example, if the original text had no HTML, any HTML tags contained in the translated text will be printed verbatim.
To verify that the plugin is in fact active, there is a special URL parameter that you can use when you view a page as a logged-in user: ?secure-gexttext=show
This mode wraps all screen text in [Escaped: <text>]. It is purely a debugging feature and might be removed in the future.
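The escaping described in the FAQ above can be expressed as a filter on WordPress's `gettext` hook. This is an added example, not the plugin's own code: the function name is hypothetical, and limiting a translation to the HTML elements its original string uses is an assumption that goes beyond what the page states.

```php
<?php
/**
 * Added example (not the plugin's source). Escapes a translation based on
 * whether the original, untranslated string contains HTML.
 * The function name is hypothetical.
 */
function example_escape_translation( $translation, $text, $domain ) {
	// No translation was applied: the string comes from the code itself.
	if ( $translation === $text ) {
		return $translation;
	}

	// Collect the element names used in the original string.
	preg_match_all( '/<([a-z][a-z0-9]*)\b[^>]*>/i', $text, $matches );
	$tags = array_unique( array_map( 'strtolower', $matches[1] ) );

	if ( empty( $tags ) ) {
		// Original has no HTML, so any markup in the translation is printed
		// literally. esc_html() does not double-encode existing entities.
		return esc_html( $translation );
	}

	// Assumption: when the original does contain HTML, keep only the elements
	// it uses, with the attributes WordPress allows for post content.
	// wp_kses() also drops disallowed URL protocols such as javascript:.
	$allowed = array_intersect_key(
		wp_kses_allowed_html( 'post' ),
		array_flip( $tags )
	);

	return wp_kses( $translation, $allowed );
}

// 'gettext' passes three arguments: translation, original text, text domain.
// The context and plural hooks ('gettext_with_context', 'ngettext') pass
// different arguments and would need their own callbacks.
add_filter( 'gettext', 'example_escape_translation', 10, 3 );
```

With this filter active, a translation file that turns the original `Read more` into a string containing a `<script>` element or a spam link has that markup shown as text instead of rendered.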
ChangeLog