7 | | * Note that we don't need `esc_html__()` here, as core translations are considered safe, see previous discussions in comment:10:ticket:30724, #47385, #48161, #49190, #49535, #49536, #49537, etc. Overzealous escaping seems to come from `_s` or other themes following the WordPress.com VIP guidelines, or Theme Check suggestions, however not all of them apply to bundled themes. Previous bundled themes only escaped string when necessary (e.g. when used in attributes), but almost never as a security precaution with `esc_html()`. It looks like some new instances were introduced lately though, specifically with block patterns. Removing unnecessary escaping from Twenty Twenty-One would be something for another ticket. |
| 7 | * Note that we don't need `esc_html__()` here, as core translations are considered safe, see previous discussions in comment:10:ticket:30724, #47385, #48161, #49190, #49535, #49536, #49537, etc. Overzealous escaping seems to come from `_s` or other themes following the WordPress.com VIP guidelines, or Theme Check suggestions, however not all of them apply to bundled themes. Previous bundled themes only escaped strings when necessary (e.g. when used in attributes), but almost never as a security precaution with `esc_html()`. It looks like some new instances were introduced lately though, specifically with block patterns. Removing unnecessary escaping from Twenty Twenty-One would be something for another ticket. |