I have finished and deployed a WordPress site. Looking the source code inside browser tools, there are scripts embedded in the HTML code with all strings (original-translated) including all Gutenberg options, doesn't seem too secure.
This is an example:
(function( translations ){translations.locale_data.messages[""].domain = "default";wp.i18n.setLocaleData( translations.locale_data.messages, "default" );})({"translation-revision-date":"2018-12-26 13:33:36+0000","generator":"GlotPress\/2.4.0-alpha","domain":"messages","locale_data":{"messages":{"":{"domain":"messages","plural-forms":"nplurals=2; plural=n != 1;","lang":"es"},"Backtick":["Acento grave"],"Period":["Punto"],"Comma":["Coma"]}}});
Or this (inside a function):
"Given your current role, you can only link a video, you cannot upload.":["Con tu perfil actual solo puedes enlazar un v\u00eddeo, no puedes subirlo."]
Is it normal?
I have finished and deployed a WordPress site. Looking the source code inside browser tools, there are scripts embedded in the HTML code with all strings (original-translated) including all Gutenberg options, doesn't seem too secure.
This is an example:
(function( translations ){translations.locale_data.messages[""].domain = "default";wp.i18n.setLocaleData( translations.locale_data.messages, "default" );})({"translation-revision-date":"2018-12-26 13:33:36+0000","generator":"GlotPress\/2.4.0-alpha","domain":"messages","locale_data":{"messages":{"":{"domain":"messages","plural-forms":"nplurals=2; plural=n != 1;","lang":"es"},"Backtick":["Acento grave"],"Period":["Punto"],"Comma":["Coma"]}}});
Or this (inside a function):
"Given your current role, you can only link a video, you cannot upload.":["Con tu perfil actual solo puedes enlazar un v\u00eddeo, no puedes subirlo."]
Is it normal?
Share Improve this question edited Jan 4, 2019 at 11:31 CHD asked Jan 4, 2019 at 10:53 CHDCHD 11 bronze badge 4- Why isn't it secure? – Krzysiek Dróżdż Commented Jan 4, 2019 at 10:54
- @KrzysiekDróżdż Is it normal? I've been checking different sites and not finding things like this – CHD Commented Jan 4, 2019 at 11:01
- I'm not answering... You've stated in your question, that this doesn't seem too secure. Why do you think so? – Krzysiek Dróżdż Commented Jan 4, 2019 at 11:03
- It doesn't seem secure giving all information about a tool which edits some private/public information and is restricted for visitors. – CHD Commented Jan 4, 2019 at 11:07
1 Answer
Reset to default 1This is "normal" in WordPress 5 as this is what the new wp_set_script_translations function is for.
The function tells WordPress to associate a JSON file containing translations with a specific script that will make use of them. It makes use of them as you see, by embedding the translations as JavaScript objects.
You say this is not secure, but you don't say what you're concerned about. I would say it's as secure as any file you allow onto your server. You install PHP code from trusted sources and allow it to execute. Likewise with JavaScript. So apply the same caution to translations and don't install language packs from untrusted sources!