Consider something like the following:

```php
echo esc_html(
    sprintf(
        _nx(
            '%1$s Comment on “%2$s”',
            '%1$s Comments on “%2$s”',
            $comment_count,
            'Comments Title',
            'theme-text-domain'
        ),
        number_format_i18n( $comment_count ),
        get_the_title()
    )
);
```

where you build the entire string with `sprintf` and escape that.
The coding standards are clear that you should always escape output, and do so as late as possible. As you’ve noticed, however, even the default theme doesn’t adhere to them exactly.
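To make the "escape as late as possible" point concrete, here is an added example (not part of the original answer) that runs outside WordPress: `esc_html`, `_nx`, `number_format_i18n` and `get_the_title` are constructed stand-ins that approximate the real functions, and the post title is a constructed value containing markup. It contrasts escaping the fully built sentence with escaping only the translated template.

```php
<?php
// Stand-ins so the example runs outside WordPress. These are constructed
// approximations of the real functions, not WordPress's implementations.
function esc_html( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
}
function _nx( $single, $plural, $number, $context, $domain ) {
    // No translation catalogue here: just choose singular or plural.
    return ( 1 === (int) $number ) ? $single : $plural;
}
function number_format_i18n( $number ) {
    return number_format( (float) $number );
}
// Constructed post title containing markup, the case escaping must handle.
function get_the_title() {
    return 'Hello <b>World</b> & "friends"';
}

$comment_count = 3;

// Late escaping, as in the answer: build the whole sentence, then escape it
// once. Every dynamic piece, the title included, ends up escaped.
$late = esc_html(
    sprintf(
        _nx( '%1$s Comment on “%2$s”', '%1$s Comments on “%2$s”', $comment_count, 'Comments Title', 'theme-text-domain' ),
        number_format_i18n( $comment_count ),
        get_the_title()
    )
);

// Early escaping, the pattern to avoid: escaping only the translated template
// leaves whatever sprintf inserts afterwards untouched, so the title's markup
// and quotes reach the page as-is.
$early = sprintf(
    esc_html( _nx( '%1$s Comment on “%2$s”', '%1$s Comments on “%2$s”', $comment_count, 'Comments Title', 'theme-text-domain' ) ),
    number_format_i18n( $comment_count ),
    get_the_title()
);

// In $late the <b> tags, ampersand and double quotes of the title are entity-encoded;
// in $early they are not, which is exactly why the escape call belongs outermost.
echo $late, "\n";
echo $early, "\n";
```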