wp.i18n.esc_html__() version? XSS? #12220

manake · 2018-11-22T11:56:42Z

Is wp.i18n.esc_html__() version planned?
How to achieve this?
Is this necessary or some escaping is already happening?

The text was updated successfully, but these errors were encountered:

swissspidy · 2018-11-22T13:20:25Z

This is not really needed in a React / JavaScript context as all the strings would be escaped anyway (unless you use something dangerouslySetInnerHTML)

manake · 2018-11-22T13:58:25Z

Nice.

What does it mean "unless you use something dangerouslySetInnerHTML"?
Does it mean that in JavaScript context writing __('Some string with <a href="https://example.com/">a link</a> in it,', 'text-domain'); would not create a link? Ok, that makes sense. Perhaps wp.i18n.sprintf should be used to create text with links then (I didn't try this yet).

swissspidy · 2018-11-22T14:09:42Z

Does it mean that in JavaScript context writing __('Some string with <a href="https://example.com/">a link</a> in it', 'text-domain'); would not create a link?

Correct. sprintf won't help you there. You'd need to use dangerouslySetInnerHTML to directly write HTML. Otherwise < and > get escaped.

See also #9846 for a discussion about this.

swissspidy added [Type] Question Questions about the design or development of the editor. [Package] i18n /packages/i18n labels Nov 22, 2018

swissspidy closed this as completed Nov 23, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

wp.i18n.esc_html__() version? XSS? #12220

wp.i18n.esc_html__() version? XSS? #12220

manake commented Nov 22, 2018

swissspidy commented Nov 22, 2018

manake commented Nov 22, 2018

swissspidy commented Nov 22, 2018

wp.i18n.esc_html__() version? XSS? #12220

wp.i18n.esc_html__() version? XSS? #12220

Comments

manake commented Nov 22, 2018

swissspidy commented Nov 22, 2018

manake commented Nov 22, 2018

swissspidy commented Nov 22, 2018