create-block-theme

Escape translated strings

Open • andersnoren opened this issue 10 months ago • 1 comment

If you save changes made to a PHP file (like a pattern) with text strings, CBT will output the text strings with the __() localize function, like so:

<!-- wp:heading {"level":1} -->
<h1 class="wp-block-heading"><?php echo __( 'Posts', 'cozy-grove' ); ?></h1>
<!-- /wp:heading -->

But according to the WordPress Developer Handbooks, all output should be run through an escaping function. If you run the code generated by CBT through PHP_CodeSniffer with the WordPress Coding Standard enabled, it gives you an error for the lines with the unescaped strings.

Maybe wp_kses_post(), like so:

<!-- wp:heading {"level":1} -->
<h1 class="wp-block-heading"><?php echo wp_kses_post( __( 'Posts', 'cozy-grove' ) ); ?></h1>
<!-- /wp:heading -->

andersnoren Apr 25 '24 10:04

I think the esc_html_e() function is the simplest.

<!-- wp:heading {"level":1} -->
<h1 class="wp-block-heading"><?php esc_html_e( 'Posts', 'cozy-grove' ); ?></h1>
<!-- /wp:heading -->

t-hamano Apr 27 '24 14:04
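
An added example, not part of the issue thread and not create-block-theme's own code: a small Python check that finds the raw `echo __()` form shown above in a pattern file and rewrites it to the `esc_html_e()` form from the reply. The function names, the regex scope (single-quoted literal arguments only) and the sample markup are assumptions constructed for illustration.

```python
import re

# A single-quoted PHP string literal, allowing backslash escapes such as \'.
_STR = r"'(?:[^'\\]|\\.)*'"

# `<?php echo __( 'text', 'domain' ); ?>` as quoted in the issue.
# Assumption: both arguments are plain single-quoted literals.
UNESCAPED = re.compile(
    r"<\?php\s+echo\s+__\(\s*(" + _STR + r")\s*,\s*(" + _STR + r")\s*\)\s*;\s*\?>"
)


def find_unescaped(php_source):
    """Return (line, text_literal, domain_literal) for each raw echo of __()."""
    hits = []
    for m in UNESCAPED.finditer(php_source):
        line = php_source.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1), m.group(2)))
    return hits


def escape_translations(php_source):
    """Rewrite each raw `echo __()` to `esc_html_e()`, leaving other code alone."""
    # A callable replacement keeps backslashes in the literals untouched.
    return UNESCAPED.sub(
        lambda m: "<?php esc_html_e( %s, %s ); ?>" % (m.group(1), m.group(2)),
        php_source,
    )


# Constructed sample pattern file: two raw echoes and one already-escaped call.
SAMPLE = """<!-- wp:heading {"level":1} -->
<h1 class="wp-block-heading"><?php echo __( 'Posts', 'cozy-grove' ); ?></h1>
<!-- /wp:heading -->
<!-- wp:paragraph -->
<p><?php esc_html_e( 'Already escaped', 'cozy-grove' ); ?></p>
<!-- /wp:paragraph -->
<!-- wp:paragraph -->
<p><?php echo __( 'Don\\'t panic', 'cozy-grove' ); ?></p>
<!-- /wp:paragraph -->
"""

if __name__ == "__main__":
    for line, text, domain in find_unescaped(SAMPLE):
        print("line %d: unescaped translation %s (%s)" % (line, text, domain))
    print(escape_translations(SAMPLE))
```

`esc_html_e()` encodes any markup in the translated string, so a string that is meant to carry HTML needs a filtering function such as the `wp_kses_post()` form from the original post instead.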