Can someone explain the use cases of esc_html?

I’m looking through _s (underscores) starter theme and see that they’re using esc_html for nearly everything. Just an example from functions.php

register_nav_menus( array(
        'primary' => esc_html__( 'Primary', '_s' ),
) );

register_sidebar( array(
        'name'          => esc_html__( 'Sidebar', '_s' ),
        'id'            => 'sidebar-1',
        'description'   => esc_html__( 'Add widgets here.', '_s' ),
        'before_widget' => '<section id="%1$s" class="widget %2$s">',
        'after_widget'  => '</section>',
        'before_title'  => '<h2 class="widget-title">',
        'after_title'   => '</h2>',
) );

My current understanding of esc_html is to use it when we output either data from the database or user input.

Why escape the names of the menu and sidebar?

It’s only available to people that have access to the php files and it doesn’t appear to be put into the db. I looked through the db and couldn’t find anything related to the names, please correct me if I’m wrong.

Is the underscores theme just being overly cautious about everything?


Solutions Collecting From Web of "Can someone explain the use cases of esc_html?"

esc_html() does two things:

  1. Checks for invalid UTF8 in a string.
  2. Converts a number of special characters into their HTML entities, specifically deals with: &, <, >, “, and ‘.

Using it instead of __(), _e and other i18n functions protects your website from possible errors that can occur with unaware translators who may use text that contains (1) invalid UTF8 characters or (2) unwanted HTML code. Trust me, many translators will be tempted to use some ‘nice’ HTML tags like <i>, <b> etc, even worse, they won’t close them correctly.

esc_html__( string $text, string $domain = 'default' )

Retrieve the translation of $text and escapes it for safe use in HTML output.
so esc_html__() use to make internationalize as well as security purpose

The waters are muddy here. OP’s question asks about esc_html(), but his code clearly uses esc_html__().These are not the same. The accepted answer is wrong: it refers to esc_html(), which deals with safely escaping HTML blocks. kanon chowdhury’s reply should be the accepted answer, because OP’s code deals with the I18n aspects of the Underscores WordPress starter theme (which uses the esc_html__() function).