Escaping translated text in WordPress themes?

Hey just wondering if anyone else is escaping translated text in their themes? This was in the feedback I received in a soft reject:


It looks like internationalized text strings are not being escaped:

__( 'String', 'text-domain' );
_e( 'String', 'text-domain' );

UPDATE your theme to use the following:

No HTML:

esc_html__( 'String', 'text-domain' );
esc_html_e( 'String', 'text-domain' );

Some HTML:

wp_kses( __( 'String <strong>something</strong>', 'text-domain' ), $allowed_html_array );

It’s possible for translators to sneak HTML and JS into translation files or even just inadvertently mess something up. So, it’s good practice to simply escape them.


But I notice in twentysixteen this additional level of escaping was recently removed:

So are we safe to just use __('foo','bar'); in our themes or do we have to escape all translations?

Thanks.

2 Likes

Got the same reason. How did you solve that? What script is used to check the escaping? Any idea?

Yes, I agree, it's a lot of pain to check every single line. Is there any script for that?
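
A rough checker for the question asked in the two posts above, as an added example that is not part of the thread and not the reviewers' own tooling: it lists bare `__()` / `_e()` calls (and the sibling `_x`, `_ex`, `_n`) that are not inside an escaping wrapper. The names `find_unescaped` and `SAMPLE` are hypothetical, the sample template is constructed, and the result is a list of candidates to review by hand, not a verdict.

```python
import re

# Wrappers that escape or filter their argument, so a bare __() inside is fine.
SAFE_WRAPPERS = {"esc_html", "esc_attr", "esc_url", "esc_js", "wp_kses", "wp_kses_post"}
# __( / _e( and siblings; the lookbehind skips esc_html__( and esc_html_e(.
BARE_CALL = re.compile(r"(?<![A-Za-z0-9_])(__|_e|_x|_ex|_n)\s*\(")
PHP_BLOCK = re.compile(r"<\?(?:php|=)(.*?)(?:\?>|\Z)", re.S)
PHP_STRING = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"", re.S)

def _mask_strings(code):
    # Blank string literals (same length) so parentheses inside them are ignored.
    return PHP_STRING.sub(lambda m: m[0][0] + " " * (len(m[0]) - 2) + m[0][-1], code)

def _enclosing_calls(code, pos):
    """Names of the calls whose argument list contains offset pos."""
    names, depth = [], 0
    for i in range(pos - 1, -1, -1):
        if code[i] == ";":  # statement boundary: nothing earlier encloses us
            break
        if code[i] == ")":
            depth += 1
        elif code[i] == "(" and depth:
            depth -= 1
        elif code[i] == "(":
            names += re.findall(r"([A-Za-z_]\w*)\s*$", code[:i])
    return names

def find_unescaped(source):
    """Return (line, function) for each translation call with no escaping wrapper."""
    findings = []
    for block in PHP_BLOCK.finditer(source):
        code, base = _mask_strings(block.group(1)), block.start(1)
        for call in BARE_CALL.finditer(code):
            if not SAFE_WRAPPERS.intersection(_enclosing_calls(code, call.start())):
                line = source.count("\n", 0, base + call.start()) + 1
                findings.append((line, call.group(1)))
    return findings

# Constructed sample template, not taken from any real theme.
SAMPLE = """<h1><?php _e( 'Latest (new) posts', 'text-domain' ); ?></h1>
<p><?php esc_html_e( 'Nothing found', 'text-domain' ); ?></p>
<?php
echo wp_kses( __( 'Read <strong>more</strong>', 'text-domain' ), $allowed_html_array );
printf( __( 'Posted by %s', 'text-domain' ), esc_html( $author ) );
echo esc_html( sprintf( __( '%d comments', 'text-domain' ), $count ) );
?>
"""

if __name__ == "__main__":
    print(find_unescaped(SAMPLE))
```

It is a regex heuristic, so apostrophes inside PHP comments can hide a call, and a `__()` result that is stored in a variable and escaped later is still listed.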

I usually use the printf function, so the translators don’t need to see HTML tags.

and the theme is approved

Our latest theme Fab was soft rejected for this reason, I questioned it with the reviewer and got no reply.

I don’t understand why they are insisting on this.

What is the point of __( and _e( if they are insisting on using esc_html__ and esc_html_e?

Would love to get an official explanation on this.

@oxygenna I re-submitted my item with a link to that official WordPress GitHub discussion above. This let the theme go through with __( and _e(.

After some further investigation I found there are different levels of “WordPress coding standards”. If you are making a theme that will be used on the WordPress.com hosted service it is very very strict and all translation functions must be escaped.

However for self hosted stuff it seems the coding standard is relaxed a little bit.

This is about translators including html code in their translation files.

A translator could translate the word hello to <script>alert('Here are some ads!');</script> and this would go through with just __() but it would be blocked with esc_html__()

1 Like

When themes provided by WordPress are using __( and _e(, then why can't we?

What will happen with TGMPA? It is supposed that we have to modify all __( to esc_html__ where needed. If you look in the class file you will see a lot of __(. I’m using the latest version of TGMPA and there are a lot of __( which have links and a few other HTML tags within. Are we supposed to go through everything there with wp_kses? I’m trying to keep TGMPA in sync with the GitHub version… An official answer will save time for both theme authors and reviewers. @StephenCronin I saw Stephen active in the past on the TGMPA GitHub…
Thanks Lucian

They’re just being extra-cautious here. The idea is that sometimes a site owner would send someone the .po file for a paid translation and the translator could, theoretically, include script tags to execute JavaScript for any type of XSS or CSRF attack. This is where esc_html* helps.

Why it’s not a requirement for an official theme like TwentyFifteen? Because the translations are reviewed by the community contributing to the open source theme itself.

TGMPA should be excluded from the requirement because (a) it’s a library and (b) the TGMPA text-domain is different and translations of TGMPA are being managed in the repository and are reviewed before being accepted.

Unfortunately/fortunately there is only one text domain allowed per theme. It seems that lately reviewers are asking to change the TGMPA text domain to match your_theme_domain. (When generating the TGMPA plugin from here http://tgmpluginactivation.com/download/ setting the text domain and WordPress.org will put your text domain instead of tgmpa.) This way you will have only one domain per theme… the Theme Check plugin will also see one. I understand your point… but it’s not clear for me either how we should proceed with __( in TGMPA.

It probably depends on reviewer but I was asked to translate and escape all strings, even in TGMPA (the reviewer specifically requested this).

Every time I try to generate a new one it gives me an error:


Can anyone help?

That’s new! Have you tried with another browser? I just made the package with Chrome.

@dtbaker Please let us know the answer from TF. But I’m almost sure you will be asked to escape every string you echo.

I’m not going to get an official answer on this from Envato. My latest item was approved with __( and _e( and mixed text domains (tgmpa class file still had its own). Same with a recent update I made to a really old theme. The approval is up to the individual reviewer and sometimes these things are actually quite hard to be “set in stone” as a rule.

If the __( escaping issue is the ONLY issue holding your theme back from approval, go in and do a find/replace on your theme code (except 3rd party things like TGMPA). It only takes 5 minutes to fix up incorrectly replaced items and re-submit. Then you’ll know your theme is safe from translated text script injection.

Thanks a lot for sharing this with us! Happy to hear that you got your item approved. Wish you luck with the sales now!!!

Can anyone share an approved TGM class with me?

But in this class there are many strings which are not escaped :frowning: