Find all unescaped i18n strings in WordPress
It turns out that from now on it’s a best practice to escape with esc_html__() instead of simply doing __() in your plugins and themes.
Replacing everything with esc_html__() is a solution, but what about the __() calls in your code that already contain some minor markup (like a few wrapping spans here and there)?
Here is what I did:
- Search and replace every __() with esc_html__() and every _e() with esc_html_e()
- Then find all the esc_html functions that have HTML in them:
esc_html_[_e]\(\s?['"][^'",]+[<>]
That’s going to show you all the esc_html__() and esc_html_e() calls that contain a “<” or “>” somewhere within. I use PhpStorm to perform the search, and the above regex works just fine for me.
- Adjust your code so that the string no longer requires inline HTML
That’s it. You’re no longer a robot that has to manually go over each internationalized string.
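The same two checks as a small script, for anyone who wants to run them over a theme or plugin directory outside the IDE. This is an added example, not code from the original post: it scans PHP source text for esc_html__() / esc_html_e() literals that still contain “<” or “>”, and separately lists any bare __() / _e() calls that were missed by the search-and-replace. The PHP snippet is constructed sample input; the regex is a little more tolerant than the one above (any amount of whitespace, escaped quotes inside the string).

```python
import re

# Matches esc_html__( '...' ) or esc_html_e( "..." ) and captures the function
# name and the literal first argument. Single or double quotes are accepted and
# an escaped quote inside the string (\' or \") does not end the match.
ESC_HTML_CALL = re.compile(
    r"""(esc_html__|esc_html_e)\s*\(\s*(['"])((?:\\.|(?!\2).)*)\2""",
    re.DOTALL,
)

# Bare translation calls that have not been converted yet. The negative
# lookbehind stops the trailing __ / _e of esc_html__, esc_attr__ etc.
# from being reported a second time.
UNESCAPED_CALL = re.compile(r"""(?<![A-Za-z0-9_])(__|_e)\s*\(\s*['"]""")

HTML_CHARS = re.compile(r"[<>]")


def find_html_in_esc_html(source: str):
    """Return (line, function, string) for esc_html__/esc_html_e literals
    that contain < or >; those strings need their markup moved out."""
    hits = []
    for m in ESC_HTML_CALL.finditer(source):
        text = m.group(3)
        if HTML_CHARS.search(text):
            line = source.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(1), text))
    return hits


def find_unescaped_calls(source: str):
    """Return (line, function) for __()/_e() calls still without esc_html."""
    hits = []
    for m in UNESCAPED_CALL.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1)))
    return hits


# Constructed sample PHP, standing in for a theme or plugin file.
SAMPLE_PHP = r"""<?php
echo esc_html__( 'Hello, world', 'my-theme' );
echo esc_html__( 'Read <span class="more">more</span>', 'my-theme' );
esc_html_e( "Go <a href='/'>home</a>", 'my-theme' );
echo __( 'Still unescaped', 'my-theme' );
_e( 'Also unescaped', 'my-theme' );
echo esc_attr__( 'attribute text', 'my-theme' );
"""


if __name__ == "__main__":
    for line, func, text in find_html_in_esc_html(SAMPLE_PHP):
        print(f"line {line}: {func}() contains markup: {text!r}")
    for line, func in find_unescaped_calls(SAMPLE_PHP):
        print(f"line {line}: {func}() is still unescaped")
```

To run it over a real code base, read each .php file and pass its contents to the two functions; esc_html__ and esc_html_e are the real WordPress helper names, and the script only inspects string literals, so a translation call whose first argument is a variable is not reported.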