Find all unescaped i18n strings in WordPress

It turns out that, from now on, it’s a best practice to escape with esc_html__() instead of simply using __() in your plugins and themes.

Replacing everything with esc_html() is a solution, but what about the __() calls in your code that already contain some minor markup (like a few wrapping spans here and there)?

Here is what I did:

  1. Search and replace every __() with esc_html__() and _e() with esc_html_e()

  2. Then find all the esc_html functions that have HTML in them:

esc_html_[_e]\(\s?['"][^'",]+[<>]

That’s going to show you every esc_html__() and esc_html_e() call that contains a “<” or “>” somewhere within the string. I use PhpStorm to perform the search, and the above regex works just fine for me.

  3. Adjust your code so that the string no longer requires inline HTML

That’s it. You’re no longer a robot that has to manually go over each internationalized string.
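As an added example (not code from the original post), here is a small Python script that runs the same search pattern over a constructed snippet of plugin source and shows why a flagged string matters: once it goes through esc_html(), the markup is entity-encoded and the tags appear literally on the page. `SAMPLE_PHP`, `find_html_in_escaped_strings` and `rendered_by_esc_html` are names chosen for this example, and `html.escape` only approximates WordPress's esc_html() (it encodes quotes with different entities).

```python
import re
from html import escape

# Constructed sample of plugin source, as it looks after the blanket __() -> esc_html__()
# and _e() -> esc_html_e() search-and-replace from step 1.
SAMPLE_PHP = """<?php
echo esc_html__( 'Settings saved.', 'my-plugin' );
esc_html_e( 'Hello <span class="name">world</span>', 'my-plugin' );
echo esc_html__( "Read the <a href='#'>docs</a>", 'my-plugin' );
esc_html_e( 'Plain text with a comma, no markup', 'my-plugin' );
echo esc_html__( 'Less than 5 items', 'my-plugin' );
esc_html_e( 'Thanks, <strong>you</strong>', 'my-plugin' );
"""

# The post's PhpStorm search pattern, used verbatim: an esc_html__()/esc_html_e() call
# whose first argument contains '<' or '>' before a closing quote or a comma.
HTML_IN_I18N = re.compile(r"""esc_html_[_e]\(\s?['"][^'",]+[<>]""")


def find_html_in_escaped_strings(php_source):
    """Return (line_number, stripped_line) for every line the pattern flags."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if HTML_IN_I18N.search(line):
            hits.append((lineno, line.strip()))
    return hits


def rendered_by_esc_html(translated):
    """Approximate what esc_html() does to a translated string: the markup is
    entity-encoded, so a <span> inside the string shows up literally in the browser."""
    return escape(translated, quote=True)


if __name__ == "__main__":
    for lineno, line in find_html_in_escaped_strings(SAMPLE_PHP):
        print(f"line {lineno}: {line}")
    print(rendered_by_esc_html("Hello <span>world</span>"))
```

Note that the pattern's `[^'",]+` stops at a comma, so the last sample line ('Thanks, <strong>you</strong>') is not flagged; a second pass with the comma dropped from that character class, or a manual look at strings containing commas, closes that gap.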
