Internationalization Security

Security is often overlooked when talking about internationalization, but there are a few important things to keep in mind.

Check for Spam and Other Malicious Strings

When a translator submits a localization to you, always check to make sure they didn’t include spam or other malicious words in their translation. You can use Google Translate to translate their translation back into your native language so that you can easily compare the original and translated strings.


Use Placeholders for URLs

Don’t include URLs in internationalized strings, because a malicious translator could change them to point to a different URL. Instead, use placeholders for printf() or sprintf().

Insecure:

<?php _e(
    'Please <a href="https://wordpress.org/support/register.php">
     register for a WordPress.org account</a>.',
    'your-text-domain'
); ?>

Secure:

<?php printf(
    __(
        'Please <a href="%s">register for a WordPress.org account</a>.',
        'your-text-domain'
    ),
    'https://wordpress.org/support/register.php'
); ?>
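The two checks above (back-translating to spot injected spam, and keeping URLs out of translatable strings) can also be partly automated before a .po file is accepted. The script below is an added example, not code from the WordPress handbook: a minimal .po reader plus an audit that flags a msgstr whose printf placeholders differ from its msgid, that contains a URL the source string does not, or that introduces HTML tags the source string does not have. The sample .po text is constructed for this example (the French strings and the example.invalid URL are made up), and the reader deliberately ignores plural forms and msgctxt. It complements, rather than replaces, msgfmt -c and a human review of the back-translation.

```python
import re

# Constructed sample .po content: one clean entry, one with an injected
# link, one with a changed placeholder set. Not taken from any real project.
SAMPLE_PO = r'''
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

msgid "Please <a href=\"%s\">register for a WordPress.org account</a>."
msgstr "Veuillez <a href=\"%s\">créer un compte WordPress.org</a>."

msgid "Save changes"
msgstr "Enregistrer <a href=\"http://example.invalid/spam\">ici</a>"

msgid "%1$s of %2$s items"
msgstr "%1$s éléments"
'''

# printf-style placeholders as used with __()/printf(): %s, %d, %1$s, %.2f ...
PLACEHOLDER_RE = re.compile(r'%(?:\d+\$)?[-+ 0#]*\d*(?:\.\d+)?[a-zA-Z%]')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
TAG_RE = re.compile(r'<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)')


def _unescape(s):
    """Undo .po string escapes (\\n, \\t, \\", \\\\)."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)


def parse_po(text):
    """Minimal .po reader: list of {'msgid': ..., 'msgstr': ...}.
    Handles continuation lines; plurals and msgctxt are ignored (assumption)."""
    entries, cur, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^(msgid|msgstr)\s+"(.*)"$', line)
        if m:
            key = m.group(1)
            if key == 'msgid':
                if cur is not None:
                    entries.append(cur)
                cur = {'msgid': '', 'msgstr': ''}
            if cur is not None:
                cur[key] += _unescape(m.group(2))
        elif line.startswith('"') and line.endswith('"') and cur is not None and key:
            cur[key] += _unescape(line[1:-1])  # continuation line
    if cur is not None:
        entries.append(cur)
    return entries


def placeholders(s):
    """Sorted multiset of printf placeholders, ignoring the literal '%%'."""
    return sorted(p for p in PLACEHOLDER_RE.findall(s) if p != '%%')


def audit_entry(msgid, msgstr):
    """Return a list of problems with one translation (empty list = clean)."""
    issues = []
    if not msgstr:  # untranslated entry, nothing to check
        return issues
    if placeholders(msgid) != placeholders(msgstr):
        issues.append('placeholder mismatch')
    for url in sorted(set(URL_RE.findall(msgstr))):
        if url not in msgid:
            issues.append(f'url not in source: {url}')
    src_tags = {t.lower() for t in TAG_RE.findall(msgid)}
    for tag in sorted({t.lower() for t in TAG_RE.findall(msgstr)}):
        if tag not in src_tags:
            issues.append(f'tag not in source: <{tag}>')
    return issues


def audit_po(text):
    """Map each suspicious msgid to its list of issues; the header entry is skipped."""
    findings = {}
    for entry in parse_po(text):
        if entry['msgid'] == '':
            continue
        issues = audit_entry(entry['msgid'], entry['msgstr'])
        if issues:
            findings[entry['msgid']] = issues
    return findings


if __name__ == '__main__':
    for msgid, issues in audit_po(SAMPLE_PO).items():
        print(f'{msgid!r}: {", ".join(issues)}')
```

Run it against a submitted .po file (read the file into a string and pass it to audit_po) and review every flagged entry by hand; a clean report only means none of these three patterns was found, so the back-translation check in the previous section still applies.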


Compile Your Own .mo Binaries

Often translators will send the compiled .mo file along with the plaintext .po file, but you should discard their .mo file and compile your own, because you have no way of knowing whether it was compiled from the corresponding .po file or from a different one. If it was compiled from a different one, it could contain spam and other malicious strings without your knowledge.

Using PoEdit to generate the binary will override the headers in the .po file, so instead it’s better to compile it from the command line:

msgfmt -cv -o /path/to/output.mo /path/to/input.po