Does __( lead to reject?


#1

Should all instances of

__( 'A translatable string', 'textdomain' )

Be

esc_html__( 'A translatable string', 'textdomain' )

or just

echo __( 'A translatable string', 'textdomain' )

Had this as my reject message: Translate and escape all of the strings.

Confused on this one, can’t find too much info. If hacker has access to mo files, don’t they also have access to php files?


#2

Most instances should be esc_html, if it’s in a HTML attr use esc_attr__

Basically you’re just making sure that if there’s no need for HTML to be there, it isn’t, safety first!


#3

Hi, thanks tommusrhodus

To be clear, for theme options we need to do this:

array(
	'name'     => esc_html__( 'Label', 'textdomain' ),

rather then:

array(
	'name'     => __( 'Label', 'textdomain' ),

#4

Definitely :slight_smile:


#5

OK. Thanks for your help :smile: