
Should I escape translated strings in a WordPress plugin or theme?

When writing a WordPress plugin recently, I wasn’t sure whether a translatable text/string is considered safe, or if it needs to be escaped before being output.

Here’s a simple example:

The Problem

At first glance, that code looks safe. But what happens if the translation contains an angle bracket (< or >)?

At best, that results in invalid HTML. Worse, what if the translation file contained a malicious <script> tag? Translations are loaded from .mo files on disk, so whoever supplied the language pack, not the plugin author, controls what those strings contain. They are untrusted input and should be escaped on output like any other.

The Solution
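To illustrate both the problem above and the fix, here is an added example (not code from the original post) showing the unsafe output pattern next to the escaped version, plus the sprintf() and markup-in-translation cases. It assumes it runs inside WordPress, for example in a plugin file; the text domain 'my-plugin', the function names and the docs URL are illustrative, and the 'gettext' filter at the top only simulates what a tampered translation file would deliver.

```php
<?php
/*
 * Added example, not code from the original post. Assumes a WordPress
 * environment (e.g. inside a plugin). The text domain 'my-plugin', the
 * function names and the URL are illustrative.
 */

// Simulate a poisoned translation. The 'gettext' filter sees every string
// returned by __() / _e(), exactly where a malicious .mo file would inject.
function my_plugin_poisoned_translation( $translation, $text, $domain ) {
    if ( 'my-plugin' === $domain && 'Search' === $text ) {
        return 'Search<script>alert(document.cookie)</script>';
    }
    return $translation;
}
add_filter( 'gettext', 'my_plugin_poisoned_translation', 10, 3 );

// UNSAFE: the translated string is concatenated into HTML verbatim, so the
// <script> above lands in the page. In attribute context a quote in the
// translation breaks out of the value just as easily.
function my_plugin_unsafe_button() {
    return '<button>' . __( 'Search', 'my-plugin' ) . '</button>'
         . '<input type="submit" value="' . __( 'Search', 'my-plugin' ) . '">';
}

// SAFE: escape on output, picking the function for the HTML context.
// esc_html__() translates then HTML-encodes (for text between tags);
// esc_attr__() does the same for attribute values.
function my_plugin_safe_button() {
    return '<button>' . esc_html__( 'Search', 'my-plugin' ) . '</button>'
         . '<input type="submit" value="' . esc_attr__( 'Search', 'my-plugin' ) . '">';
}

// When the string is assembled with sprintf(), escape the finished result
// rather than the format string, so the substituted values are covered too.
function my_plugin_safe_greeting( $name ) {
    /* translators: %s is the display name of the logged-in user */
    return esc_html( sprintf( __( 'Welcome back, %s', 'my-plugin' ), $name ) );
}

// When a translation is meant to carry markup (here a link), encoding it
// would break the link; instead pass it through wp_kses() with an explicit
// allow-list of tags and attributes, which strips anything else.
function my_plugin_safe_link_text() {
    $allowed = array( 'a' => array( 'href' => array() ) );
    return wp_kses(
        __( 'Read the <a href="https://example.com/docs">docs</a>', 'my-plugin' ),
        $allowed
    );
}

// Echoing variants exist for every escaping function above (esc_html_e(),
// esc_attr_e()), so _e() calls can be swapped one for one.
```

The rule of thumb this demonstrates: translate first, then escape for the exact context the string is dropped into, and do it at the point of output rather than trusting that the .mo file was produced by someone benign.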


WordPress 3.0.3 (Security Fix) Released

WordPress 3.0.3 has just been released.

It is a security release which fixes issues in WordPress’ XML-RPC remote publishing protocol. If you are using XML-RPC and your blog has untrusted Author or Contributor users, then you should upgrade as soon as possible.