I’m looking through _s (underscores) starter theme and see that they’re using esc_html for nearly everything. Just an example from functions.php
register_nav_menus( array( 'primary' => esc_html__( 'Primary', '_s' ), ) ); register_sidebar( array( 'name' => esc_html__( 'Sidebar', '_s' ), 'id' => 'sidebar-1', 'description' => esc_html__( 'Add widgets here.', '_s' ), 'before_widget' => '<section id="%1$s" class="widget %2$s">', 'after_widget' => '</section>', 'before_title' => '<h2 class="widget-title">', 'after_title' => '</h2>', ) );
My current understanding of esc_html is to use it when we output either data from the database or user input.
Why escape the names of the menu and sidebar?
It’s only available to people that have access to the php files and it doesn’t appear to be put into the db. I looked through the db and couldn’t find anything related to the names, please correct me if I’m wrong.
Is the underscores theme just being overly cautious about everything?
esc_html() does two things:
Using it instead of
_e and other i18n functions protects your website from possible errors that can occur with unaware translators who may use text that contains (1) invalid UTF8 characters or (2) unwanted HTML code. Trust me, many translators will be tempted to use some ‘nice’ HTML tags like
<b> etc, even worse, they won’t close them correctly.
esc_html__( string $text, string $domain = 'default' )
Retrieve the translation of $text and escapes it for safe use in HTML output.
esc_html__() use to make internationalize as well as security purpose
The waters are muddy here. OP’s question asks about esc_html(), but his code clearly uses esc_html__().These are not the same. The accepted answer is wrong: it refers to esc_html(), which deals with safely escaping HTML blocks. kanon chowdhury’s reply should be the accepted answer, because OP’s code deals with the I18n aspects of the Underscores WordPress starter theme (which uses the esc_html__() function).