Fri, August 16, 2019
- This at least avoids saving a separate variant for every username in the locale database. But the translatable string starts with a comma, which will most probably puzzle the translators, since it gives them no idea about the context of the string: they cannot tell whether a username, the phrase "Good morning", or something else precedes the comma. Not good. There are also security (XSS) problems with this solution; read on.
- While you might think that moving the comma out solves the problem, it does not. Even more context is lost in this example, since the translator has no indication that anything precedes this string in the same sentence. Not good. The security problem is still not resolved; read on.
- This at least solves the security problem. User-provided data such as usernames, post titles and so on might contain markup that allows the submitter to perform XSS (cross-site scripting) attacks. This is not a security book, so we are not going into the deep details here; the solution is that you need to escape the data for the context in which it is output. Since we are going to use this function to generate HTML, we should escape the output for HTML, so we selected check_plain(). That is great. Still, there are languages where the username will not be at the beginning of the sentence but somewhere in the middle or at the end, and in this form it is impossible to position the username in the translations. That is
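To make the three criticisms above concrete, here is an added, stand-alone PHP example; it is not code from the book or from Drupal core. It contains a simplified model of Drupal's check_plain() and of t()'s placeholder handling (an @-placeholder is escaped with check_plain(), a %-placeholder is escaped and wrapped in <em>, a !-placeholder is inserted raw, as in Drupal 6 and 7), plus a constructed translation table and a constructed hostile username. The Hungarian translation, which moves the name to the end of the sentence, and the in-memory translation table are assumptions made for this example in place of Drupal's locale database.

```php
<?php
// Added example, not from the book or from Drupal core: a simplified model of
// Drupal 6/7's check_plain() and t() placeholder handling, runnable with
// `php example.php` outside of Drupal.

// Minimal check_plain(): escape for an HTML context. (Drupal's version also
// validates that the input is well-formed UTF-8 before escaping.)
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed translation table standing in for Drupal's locale database.
// The Hungarian translator has moved the placeholder to the end of the sentence.
$translations = array(
    'hu' => array(
        '@username, good morning!' => 'Jó reggelt, @username!',
    ),
);

// Simplified t(): look up the translation for the language, then substitute
// placeholders following Drupal's conventions:
//   @name  -> check_plain()'d
//   %name  -> check_plain()'d and wrapped in <em> (Drupal's placeholder theme)
//   !name  -> inserted as is; the caller is responsible for escaping
function t($string, array $args = array(), $langcode = 'en') {
    global $translations;
    if (isset($translations[$langcode][$string])) {
        $string = $translations[$langcode][$string];
    }
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '@':
                $args[$key] = check_plain($value);
                break;
            case '%':
                $args[$key] = '<em>' . check_plain($value) . '</em>';
                break;
            case '!':
                // Raw insertion; nothing done on purpose.
                break;
        }
    }
    return strtr($string, $args);
}

// Constructed hostile username of the kind an attacker could register.
$username = '<script>alert(1)</script>';

// Variant 1: the username is concatenated in front of a string that starts
// with a comma. The translator sees ", good morning" without context, and the
// username reaches the browser unescaped: XSS.
echo $username . t(', good morning') . "\n";

// Variant 2: the comma is moved out of the translatable string. Even less
// context for the translator, and still unescaped.
echo $username . ', ' . t('good morning') . "\n";

// Variant 3: escaping with check_plain() removes the XSS, but the username is
// nailed to the front of the sentence in every language.
echo check_plain($username) . ', ' . t('good morning') . "\n";

// Placeholder form: t() escapes the @-placeholder itself, the translator sees
// the whole sentence, and the translator decides where the name goes.
echo t('@username, good morning!', array('@username' => $username)) . "\n";
echo t('@username, good morning!', array('@username' => $username), 'hu') . "\n";
```

Run with `php example.php`: the first two lines print the raw `<script>` tag, the third prints it escaped but with the name fixed at the front, and the last two print it escaped in both English and Hungarian, with the Hungarian sentence ending in the name. The design point is that escaping is done inside t() for @ and % placeholders, so the escaping decision travels with the string rather than depending on every caller remembering check_plain(); only the ! placeholder leaves that burden on the caller, which is why it should be reserved for values already known to be safe HTML.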