esc_html_e() vs _e()
Created by: cfoellmann
In most cases esc_html_e() is overkill. The language files should be considered safe code, right?
So if there is no (s)printf() injecting some dynamic string, _e() is sufficient and secure.
Imported comments:
By rmccue on 2014-12-17 23:18:29 UTC
In most cases esc_html_e() is overkill. The language files should be considered safe code, right?
The issue is more of outputting a text string onto an HTML page. While it might not contain any special characters in English, when translated, it's possible that it could (for example, some Asian languages use <> for quotations).
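To make the difference concrete, here is a throwaway WordPress snippet (added example, not code from either participant) that fakes a translation containing the `<>` quotation marks rmccue mentions and renders the same string through `_e()`, `esc_html_e()`, `esc_html__()` and `esc_attr__()`. The text domain `demo-i18n` and the hooked string are constructed for the demo; the WordPress functions themselves are real.

```php
<?php
/**
 * Plugin Name: demo-i18n escaping comparison (added example, not from the original thread)
 *
 * Drop into wp-content/plugins/ on a test site and look at the footer markup.
 */

// Simulate a translation that uses <> as quotation marks. On a real site this
// would come from a .mo file; the filter only stands in for that here.
add_filter( 'gettext', function ( $translation, $text, $domain ) {
	if ( 'demo-i18n' === $domain && 'Read more' === $text ) {
		return '<Read more>'; // constructed "translation" with HTML-special characters
	}
	return $translation;
}, 10, 3 );

function demo_i18n_render_footer() {
	// Unescaped: the translated text is written verbatim, so the browser parses
	// <Read more> as a tag. The text vanishes, and any markup a translation
	// carried would become live HTML.
	echo '<p>';
	_e( 'Read more', 'demo-i18n' );
	echo '</p>';

	// Escaped for HTML body context: renders literally as &lt;Read more&gt;.
	echo '<p>';
	esc_html_e( 'Read more', 'demo-i18n' );
	echo '</p>';

	// Dynamic value inside a translated format string: escape the translation
	// (esc_html__) and the injected value (esc_html) separately, both for the
	// HTML body context, rather than trusting either side.
	$author = wp_get_current_user()->display_name;
	echo '<p>' . sprintf(
		/* translators: %s is the current user's display name */
		esc_html__( 'Posted by %s', 'demo-i18n' ),
		esc_html( $author )
	) . '</p>';

	// Attribute context needs the attribute escaper, not the HTML-body one.
	echo '<a href="#" title="' . esc_attr__( 'Read more', 'demo-i18n' ) . '">link</a>';
}
add_action( 'wp_footer', 'demo_i18n_render_footer' );
```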