<?php
/**
 * Escape all translations with
 */
__( 'Some String', 'text-domain' ); _e( 'Some string', 'text-domain' );
/**
 * When there is no HTML use:
 */
esc_html__( 'Some String', 'text-domain' ); esc_html_e( 'Some String', 'text-domain' );
/**
 * For some HTML:
 */
wp_kses( __( 'Some String something', 'text-domain' ), $allowed_html_array );
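
The gist's cases written out as they would appear in a theme template, as an added example that is not the gist author's code. It assumes WordPress is loaded; the strings, the example.com URL, the contents of `$allowed_html_array` and the `$field` array are placeholders. Case 4 covers the options-array situation raised in the comments: translate where the string is defined, escape where it is printed.

```php
<?php
// Added example. Assumes a WordPress theme template, where the i18n and
// escaping functions are loaded; strings, URL and $field are placeholders.

// Tags and attributes a translated string may carry. Anything else that
// arrives through a translation file is stripped by wp_kses().
$allowed_html_array = array(
	'a'      => array( 'href' => array(), 'title' => array() ),
	'strong' => array(),
	'em'     => array(),
);
?>

<?php // 1. Plain text in an HTML body: translate and escape in one call. ?>
<h2><?php esc_html_e( 'Latest posts', 'text-domain' ); ?></h2>

<?php // 2. Plain text inside an attribute: use the attribute variant. ?>
<input type="search" placeholder="<?php esc_attr_e( 'Search', 'text-domain' ); ?>">

<p>
<?php
// 3. String with a link: the markup stays in the translatable string,
//    wp_kses() filters the translated result, and the URL is escaped on
//    its own before printf() substitutes it into the href.
printf(
	wp_kses(
		/* translators: %s: documentation URL. */
		__( 'Read the <a href="%s">documentation</a> before you start.', 'text-domain' ),
		$allowed_html_array
	),
	esc_url( 'https://example.com/docs/' )
);
?>
</p>

<?php
// 4. Strings kept in an options array: translate when defining the array,
//    escape once, at the point of output.
$field = array(
	'name' => __( 'Homepage', 'text-domain' ),
	'type' => 'input',
);
?>
<h1><?php echo esc_html( $field['name'] ); ?></h1>
```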

pyronaur commented Sep 21, 2015

@kailoon
This is still valid for 95% of uses, right? Even if there is no HTML.

__( 'Some String', 'text-domain' );

esc_html__ should be used only when the author's intention is to remove HTML, not because it would be an Envato requirement, right?

pyronaur commented Nov 6, 2015

I'll just leave this for other authors receiving this reject reason:

All strings must be escaped with esc_html__

Have a look here:

TL;DR
The new standard is: __() and _e() can only be used if you wrap them in wp_kses()

dtbaker commented Oct 23, 2016

Heya @kailoon what tools do you use to find these issues in themes? I have tried both theme-check and phpcs but they do not highlight un-translated text like <p>Untranslated text:</p>? Do you have your own script or another "theme check" tool that will find something like this?

Thanks!

ideothemes commented Oct 25, 2016

aliaghdam commented Oct 25, 2016

@kailoon What about when we are storing data in an array (for example in frameworks and options panels) and printing it when needed?

$filed = array( 'name' => __( 'Homepage', 'textdomain' ), 'type' => 'input', );

// somewhere else

<h1><?php esc_html__( $filed['name'], 'textdomain' ); ?></h1>

Are you sure we should 'escape late' just when printing, like in my example, and not inside the main array? They are rejecting our theme for this: http://envato.d.pr/oWR7/xLctXoDy

They are forcing us to escape twice, but that is not needed and makes the theme slow for nothing!

xperter commented Jan 9, 2017

@dtbaker I have tried with regex but it's not working :/

Author

kailoon commented Mar 2, 2017

@dtbaker Sorry, I just check them manually ...

lenguyenitc commented Feb 26, 2018

  1. All theme text strings are to be translatable and properly escaped. https://gist.github.com/kailoon/01fa8e95d2e910e666c6 example(s) from your code and there are more: https://envato.d.pr/fWcY4T
    @kailoon could you explain this point more clearly for me? What's wrong with it?
    Does Envato require using the function esc_html__() instead of __()?

ijazalideveloper commented May 10, 2018

@kailoon
When we use a variable, what is the best approach that ThemeForest recommends? Currently I am using it like this:
<?php echo esc_attr($comment_count);?>
Is it correct or not?

Uranbold commented May 15, 2018

@ijazalideveloper it's correct.

The only thing not included is: what if we include links in the description?

Should we use sprintf( wp_kses( __(

@kailoon

sfatfarma commented Mar 26, 2019

@Uranbold - yes, you can use:

sprintf( wp_kses( __( 'Your text', 'your-domain' ), $allowed_html_array ) );

varunsridharan commented Feb 13, 2021

I'll just leave this for other authors receiving this reject reason:

All strings must be escaped with esc_html__

Have a look here:

* https://vip.wordpress.com/2014/06/20/the-importance-of-escaping-all-the-things/

* [Automattic/_s#556](https://github.com/Automattic/_s/issues/556)

TL;DR
The new standard is: __() and _e() can only be used if you wrap them in wp_kses()

@pyronaur

I am a little confused about it.

Is this an official requirement by WordPress.org, or just by Envato?

pyronaur commented Feb 15, 2021

It's a community-accepted standard by now to escape everything. I'm not sure if the WordPress.org theme repository requires it at the moment, but it's almost a universal recommendation these days to escape everything.

You can't go wrong with escaping :)
