Say in a custom node.tpl, should this always be wrapping displayed text, even once it is passed through other functions like check_plain()? Or should it only be used on text that is not manually entered via a node form, etc.?

Comments

criznach:

check_plain() should be used with user-entered text to filter out any malicious code, illegal markup, or invalid characters. t() should be used with text that is part of your module that you may need to later display in multiple languages.

t() may be used in conjunction with check_plain() in cases like menu titles - where the user is creating menu items that may need to be translated later. Consider using check_plain as early as possible - like in your _submit function. This cleans the user supplied text as early as possible so that modules or themes called later in the page request can't be exploited, and prevents check_plain from being called every time the data is displayed.
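An added example (not code from this thread or from Drupal core) showing the split described above in Drupal 6 terms: t() for the module's own strings, check_plain() for text a user typed, and t() placeholders where the two meet. The module name "mymodule", the form field "headline" and the sample input are assumed.

```php
<?php
// Constructed sample of what a user could type into a node or menu form.
$user_input = '<script>alert(1)</script> & "friends"';

// Module-authored UI text: t() only. No user data, so nothing to escape,
// and translators can supply other languages later.
$label = t('Latest posts');

// User text inside a translatable sentence: use a placeholder, never
// concatenation. t() runs @name through check_plain(); %name is escaped too
// and wrapped in <em> by theme('placeholder'); !name is inserted raw, so
// only use it for values you already know are safe markup.
$heading = t('Posts tagged @name', array('@name' => $user_input));
// $heading now holds &lt;script&gt;... and can be printed from a .tpl.php.

// The pattern to avoid: the script tag is printed unescaped, and the string
// differs for every user, so it can never be translated.
// $heading = t('Posts tagged ' . $user_input);

/**
 * Sanitise early, in the form's submit handler, so every later consumer
 * (blocks, themes, other modules) gets clean data and check_plain() is not
 * re-run on every display.
 */
function mymodule_settings_form_submit($form, &$form_state) {
  $clean = check_plain($form_state['values']['headline']);
  variable_set('mymodule_headline', $clean);
}

// --- inside node.tpl.php ---
// $title already went through check_plain() in template_preprocess_node(),
// and $content was built from the node body after check_markup() applied
// the input format's filters, so neither is wrapped in t() or escaped again:
//   print $title;
//   print $content;
// A raw field taken straight from $node still needs escaping before output:
//   print check_plain($node->title);
```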

tjholowaychuk:

Yeah, that seems to make good sense to me. I'm just mostly confused about using it in tpl files etc., whether they should even be passed through t(), for, say, a node body being printed out.