Title: Secure Gettext
Author: Alex Kirk
Published: January 6, 2016
Last modified: January 5, 2016

---


This plugin **hasn’t been tested with the latest 3 major releases of WordPress**.
It may no longer be maintained or supported and may have compatibility issues when
used with more recent versions of WordPress.


# Secure Gettext

 By [Alex Kirk](https://profiles.wordpress.org/akirk/)

[Download](https://downloads.wordpress.org/plugin/secure-gettext.zip)


## Description

This plugin ensures that any text coming from a translation file (`.po` or `.mo`)
is run through an escaping function before it is output to the user.

Escaping refers to the modification of the text so that special control characters
do not have an effect (for example `<` in HTML).

Example: If an original text does not contain HTML, then a translated text should
not be allowed to contain HTML either. Thus, an HTML link introduced by a translator
should have no effect because this was not intended by the developer.

This plugin is in the proof-of-concept stage. It was created to test whether the
escaping of translated text can be handled in a general way, whether it severely
affects the performance of a site, and whether it breaks things.

For text without HTML, the text is sent through `esc_html()`; for text containing
HTML tags, it is sent through `wp_kses()`, which is provided with a list of allowed
HTML tags and attributes derived from the original (untranslated) string.

Thus this plugin tries to show a generic way of how to make sure that translated
text is escaped. This is something that can eventually be ported to core.
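As an added illustration (not the plugin's own code), the rule described above can be expressed against the WordPress APIs the description names: derive the allowlist from the original string, then escape the translation with `esc_html()` or `wp_kses()`. It assumes it runs inside WordPress (where `esc_html()`, `wp_kses()` and the `gettext` filter exist); the `sg_` helper names are hypothetical.

```php
<?php
// Illustrative sketch, not the plugin's code. Assumes WordPress is loaded.

/**
 * Derive a wp_kses() allowlist from the tags and attribute names that
 * appear in the untranslated string. Only what the developer wrote is allowed.
 */
function sg_allowed_html_from_original( $original ) {
    $allowed = array();
    // Opening tags only; closing tags start with '/' and are not matched.
    if ( ! preg_match_all( '/<([a-z][a-z0-9]*)\b([^>]*)>/i', $original, $tags, PREG_SET_ORDER ) ) {
        return $allowed; // no HTML in the original: nothing is allowed
    }
    foreach ( $tags as $tag ) {
        $name = strtolower( $tag[1] );
        if ( ! isset( $allowed[ $name ] ) ) {
            $allowed[ $name ] = array();
        }
        // Attribute names only; wp_kses() still validates values and protocols.
        if ( preg_match_all( '/([a-z][a-z0-9-]*)\s*=/i', $tag[2], $attrs ) ) {
            foreach ( $attrs[1] as $attr ) {
                $allowed[ $name ][ strtolower( $attr ) ] = true;
            }
        }
    }
    return $allowed;
}

/**
 * Escape a translation relative to its original: a plain-text original gets
 * esc_html(), an HTML original gets wp_kses() with the derived allowlist.
 */
function sg_escape_translation( $translation, $original ) {
    $allowed = sg_allowed_html_from_original( $original );
    if ( empty( $allowed ) ) {
        return esc_html( $translation );
    }
    return wp_kses( $translation, $allowed );
}

// Hook core's translation filter; it passes $translation, $text (original), $domain.
add_filter( 'gettext', function ( $translation, $text, $domain ) {
    return sg_escape_translation( $translation, $text );
}, 10, 3 );
```

Because the `gettext` filter fires for every translated string, including ones a theme later places inside an attribute or a non-HTML context, this is exactly where the "does it break things" question from the description arises.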

## Installation

 1. Upload the plugin files to the `/wp-content/plugins/secure-gettext` directory, 
    or install the plugin through the WordPress plugins screen directly.
 2. Activate the plugin through the ‘Plugins’ screen in WordPress

## FAQ

#### Are you trying to convey that I cannot trust translations?

Yes and no. The translation system on translate.wordpress.org is built on trust.
Translation Editors will only approve strings that are just the translations of 
original text. This has worked very well so far. So indeed you can trust translations
coming from there, for example through language packs.

On the other hand, translation files provide a potential vector for attackers to
insert malicious content. This could be spam links, or even JavaScript code. If 
you receive a translation file from an untrusted source, then it might be unsafe.

This plugin doesn’t fully protect you from such dangers, but makes it harder for
potential attackers to insert their own content into translated texts.

#### How can I see that the plugin is working?

If the plugin is activated, in the best case nothing changes visually. Translated
text should behave the same way as before, although some escaping may take place:
for example, if the original text contained no HTML, any HTML tags contained in
the translated text will be printed verbatim instead of being rendered.

To verify that the plugin is in fact active, there is a special URL parameter
that you can add when you view a page as a logged-in user: `?secure-gexttext=show`

This mode wraps all screen text as `[Escaped: <text>]`. This is purely a
debugging feature and might be removed in the future.

## Reviews


### [Thank you!](https://wordpress.org/support/topic/thank-you-1105/)

[blueprintmarketing](https://profiles.wordpress.org/blueprintmarketing/), September 3, 2016

This is what must be done for all translations or multilingual sites


## Contributors & Developers

“Secure Gettext” is open source software. The following people have contributed 
to this plugin.

Contributors

 * [Alex Kirk](https://profiles.wordpress.org/akirk/)

[Translate “Secure Gettext” into your language.](https://translate.wordpress.org/projects/wp-plugins/secure-gettext)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/secure-gettext/), check
out the [SVN repository](https://plugins.svn.wordpress.org/secure-gettext/), or 
subscribe to the [development log](https://plugins.trac.wordpress.org/log/secure-gettext/)
by [RSS](https://plugins.trac.wordpress.org/log/secure-gettext/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 0.1

 * Proof of concept

## Meta

 * Version **0.1**
 * Last updated **10 years ago**
 * Active installations **Fewer than 10**
 * WordPress version **2.0.11 or higher**
 * Tested up to **4.4.34**
 * Tags: [escape](https://wordpress.org/plugins/tags/escape/),
   [gettext](https://wordpress.org/plugins/tags/gettext/),
   [html](https://wordpress.org/plugins/tags/html/),
   [mo](https://wordpress.org/plugins/tags/mo/),
   [po](https://wordpress.org/plugins/tags/po/),
   [security](https://wordpress.org/plugins/tags/security/),
   [translation](https://wordpress.org/plugins/tags/translation/)
 * [Advanced View](https://wordpress.org/plugins/secure-gettext/advanced/)

## Ratings

5 out of 5 stars.

 * [1 5-star review](https://wordpress.org/support/plugin/secure-gettext/reviews/?filter=5)
 * [0 4-star reviews](https://wordpress.org/support/plugin/secure-gettext/reviews/?filter=4)
 * [0 3-star reviews](https://wordpress.org/support/plugin/secure-gettext/reviews/?filter=3)
 * [0 2-star reviews](https://wordpress.org/support/plugin/secure-gettext/reviews/?filter=2)
 * [0 1-star reviews](https://wordpress.org/support/plugin/secure-gettext/reviews/?filter=1)

