Should all instances of
__( 'A translatable string', 'textdomain' )
Be
esc_html__( 'A translatable string', 'textdomain' )
or just
echo __( 'A translatable string', 'textdomain' )
Had this as my reject message: Translate and escape all of the strings.
Confused on this one, can’t find too much info. If hacker has access to mo files, don’t they also have access to php files?
Most instances should be esc_html, if it’s in a HTML attr use esc_attr__
Basically you’re just making sure that if there’s no need for HTML to be there, it isn’t, safety first!
Hi, thanks tommusrhodus
To be clear, for theme options we need to do this:
array(
'name' => esc_html__( 'Label', 'textdomain' ),
rather then:
array(
'name' => __( 'Label', 'textdomain' ),Definitely 
OK. Thanks for your help 