Do you need to escape hard coded plain text?

The security risk here is not about the plain text but about translation. You should note that esc_html_e is not only a function for escaping HTML but also for localization (l10n). I.e. other people can translate this String but you don’t know what the translation would be. It is possible that somebody translates the String and adds a link or some malicious HTML. Therefore it is better so escape HTML in this case.

Related Posts:

  1. Should I escape wordpress functions like the_title, the_excerpt, the_content
  2. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  3. What is the difference between esc_html filter vs attribute_escape filter?
  4. What’s the difference between esc_* functions?
  5. What to use instead of wp_kses() in user output
  6. How to escape custom css?
  7. Do I need to use the esc_html() function on hard coded links?
  8. How Could I sanitize the receive data from this code
  9. Something is unescaping all html entities before output to browser [closed]
  10. Do we need to escape data that we receive from theme options?
  11. should I escape a literal url added in functions.php
  12. how to sanitizing $_POST with the correct way?
  13. How to redirect all HTTP requests to HTTPS
  14. What characters must be escaped in HTML 5?
  15. what is a auth_user_file.txt?
  16. Is moving wp-config outside the web root really beneficial?
  17. What’s the easiest way to stop WP from ever logging me out
  18. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  19. Which WP functions do you need to use esc_html() or esc_url() on?
  20. How to set up fail2ban with WordFence?
  21. Which KSES should be used and when?
  22. How to remove “Connection Information” requirement on localhost install of WP on MACOSX
  23. WordPress “Site Health Status” trust it or myself for its security advice?
  24. Stop wordpress automatically escaping $_POST data
  25. Will my WordPress site become vulnerable to Cross-Site Scripting (XSS) if I allow img tags in the comments area?
  26. Is WP vulnerable when updating plugins or themes?
  27. how can i embed wordpress backend in iframe
  28. Handling nonces for actions from guests to logged-in users
  29. Can I force a password change?
  30. How brute-forcer knows that the password is cracked for target username?
  31. wp_insert_post disable HTML filter
  32. What is pclzip.lib.php file that wordfence think it’s a malicious code
  33. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  34. How to disable XML-RPC from Linux command-line in a total way?
  35. How to remove javascript malware in wordpress site [closed]
  36. Securing my WordPress Files and Directories
  37. Restricting access to content
  38. Single sign-on: wp_authenticate_user vs wp_authenticate
  39. How to allow internal links using wp_kses filtration
  40. How does Cross Site Scripting (XSS) work exactly? [closed]
  41. Relative security of different releases of WordPress
  42. How does the “authentication unique keys and salts” feature work?
  43. vs WordPress Security
  44. esc_html__ security : what for in this example?
  45. Should I always prefer esc_attr_e & esc_html_e instead of _e?
  46. Using HTACCESS for Secret Access
  47. wp-config.php being written by attacker
  48. Definitive wordpress directory ownership and permissions on linux
  49. XML-RPC errors they know my username?
  50. Is [admin / admin] acceptable for all local websites?
  51. Simple Online Payment for Event Registration [closed]
  52. What may be causing failure of auto-install features in WordPress (v3.0.3)?
  53. Client side HTTP parameter pollution (reflected)
  54. Local file inclusion critical security issue [closed]
  55. Malware script in database post table only? [closed]
  56. Best practices to assert current_user_can() with guests
  57. wordpress website host price and security [closed]
  58. XMLRPC slow and weird websites/services
  59. Is it safe to hand over the admin rights?
  60. how much information can we hide when using wordpress cms?
  61. How to find exploited wordpress plugin [closed]
  62. How I can open back door for myself?
  63. System setting changed by system user
  64. Does meta-data need to be sanitized?
  65. How can I force a specific password?
  66. Why would you use esc_attr() on internal functions?
  67. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  68. Who updates the wp-admin/core file?
  69. How to safely return the HTML?
  70. How WordPress sanitizes post content on save? Or it doesn’t?
  71. Does this code indicate an exploit?
  72. Checking for origin of a xmlrpc request
  73. wp-content – permissions for files/folders created by apache
  74. Has anyone developed a anti-spam plugin to simply allow users to BLOCK whatever they wish to, but one that will also go easy on IP addresses?
  75. User generated content and security
  76. Monitor wordpress all external calls
  77. HSTS header not being added correctly
  78. how to protect wordpress content from crawler
  79. Securing WordPress running on Azure platform
  80. Can WordPress admin user + database credentials be used to gain Cpanel or FTP access?
  81. Should I worry about SQL injection when using REST API?
  82. Spam Registrations
  83. Links to root domain from search engines don’t work, but direct links and links from other referrers do
  84. How can I backup my site if it gets hacked?
  85. How can I have more confidence that WP plugins aren’t getting and storing user data?
  86. Secure Multiple WordPress Installations on shared hosting
  87. Any way to disable /wp-login.php redirecting to the site folder?
  88. Able to go to WordPress admin even after deleting auth cookies from request headers
  89. Is WordPress ready for GDPR compliance? [closed]
  90. Should WordPress Add Options to Enhance Security or Leave it to plugin developers? [closed]
  91. Competitor is somehow accessing MetaData on a hidden WordPress site
  92. WordPress Hacks/Defacing [closed]
  93. Bank account number and Sort Code in a form [closed]
  94. Directory to store secure file
  95. How can I give someone server access to only duplicate and modify a site?
  96. WP-JSON: Cross Origin Resource Sharing Vulnerability?
  97. How can I implement ansible with per-host passwords, securely?
  98. Why should I firewall servers?
  99. Does drilling a hole into a hard drive suffice to make its data unrecoverable?
  100. Can you alter the default wordpress strong password requirements?

Leave a Comment