I have code like this:
<?php echo '<div class="class-name">' . __( 'Text','text-domain' ) . '</div>'; ?>
in a plugin of mine.
Do I have to escape this (esc_html or similar)?
The answer typically depends on where your translations come from. WordPress core doesn't usually escape strings such as this, but you may wish to do so in your plugin.
A translation might come from an "untrusted" source and could, in theory, contain malicious JavaScript, and escaping would protect you from this. In reality that's unlikely, but escaping this text does add another layer of hardening. I've started escaping strings such as this in my plugins recently.
In addition, using escaping functions around strings such as this means your code will pass the WordPress Code Standards sniffers.
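The hardening described in this answer, as an added example that is not part of the original answer or of WordPress itself: it compares the question's output line with an `esc_html__()` version when a translation carries markup. The stand-in definitions of `__()`, `esc_html()` and `esc_html__()`, the `demo_translations` catalogue and the two `render_*` helpers are assumptions so the script runs outside WordPress.

```php
<?php
// Constructed sample: a translation catalogue as it might look after loading a
// tampered or careless translation file for 'text-domain'.
$GLOBALS['demo_translations'] = array(
    'text-domain' => array(
        'Text' => 'Texte<script>alert(1)</script>',
    ),
);

// Stand-ins (assumptions) so the script runs with plain PHP. Inside WordPress
// the function_exists() guards skip them and the real functions are used.
if ( ! function_exists( '__' ) ) {
    function __( $text, $domain = 'default' ) {
        $catalogue = $GLOBALS['demo_translations'];
        return isset( $catalogue[ $domain ][ $text ] ) ? $catalogue[ $domain ][ $text ] : $text;
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        // Simplified: the real esc_html() also checks UTF-8 validity and runs a filter.
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html__' ) ) {
    function esc_html__( $text, $domain = 'default' ) {
        return esc_html( __( $text, $domain ) );
    }
}

// Before: the translated string reaches the page as markup.
function render_unescaped() {
    return '<div class="class-name">' . __( 'Text', 'text-domain' ) . '</div>';
}

// After: translate and escape in one call, at the point of output.
function render_escaped() {
    return '<div class="class-name">' . esc_html__( 'Text', 'text-domain' ) . '</div>';
}

// The first line contains a live <script> element; the second shows it as text.
echo render_unescaped(), PHP_EOL;
echo render_escaped(), PHP_EOL;
```

When the translated string is placed inside an HTML attribute rather than element content, the matching WordPress function is `esc_attr__()`.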
No. There is no user-supplied data in that string. You only have to escape user-supplied data. The only way this could be hacked would be if someone managed to push something nasty through the __() function, but that would mean a server-level hack, if possible at all, and if that were the case no escaping is going to fix anything. With that kind of hack, the attacker can do virtually anything.
No. The contents of your echo statement will be output to the browser with no problems.
The text string is hard-coded, but its translation may come from an untrusted source. See my answer below for more info.