Consider something like the following:
echo esc_html(
sprintf(
_nx(
'%1$s Comment on “%2$s”',
'%1$s Comments on “%2$s”',
$comment_count,
'Comments Title',
'theme-text-domain'
),
number_format_i18n( $comment_count ),
get_the_title()
)
);
Where you build the entire string with sprintf and escape that.
The coding standards are clear that you should always escape output, and do so as late as possible. As you’ve noticed, however, even the default theme doesn’t adhere to them exactly.
Related Posts:
- Translate a Constant while appeasing WordPress PHPCS
- What characters do I need to escape in XML documents?
- What characters must be escaped in HTML 5?
- How can I selectively escape percent (%) in Python strings?
- How do I escape a single quote in jQuery?
- Escape Character in SQL Server
- How to escape apostrophe (‘) in MySql?
- Should HTML output be passed through esc_html() AND wp_kses()?
- How to prevent escaping when saving HTML code in an option value?
- How to correctly escape query variables to be used in WP_Query
- esc_attr / esc_html / esc_url in echos
- When do I need to use esc_html()? [duplicate]
- PHP Coding Standards, Widgets and Sanitization
- how to escape wp_oembed_get for phpcs
- what’s different between esc_attr, htmlspecialchars and htmlentities
- Allow all attributes in $allowedposttags tags
- When outputting a static string to the page, is it necessary to escape the output?
- why is esc_html() returning nothing given a string containing a high-bit character?
- How to properly escape a translated string?
- Using esc_url() on a url more than once
- Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
- How to allow   with wp_kses()?
- Using esc_attr_e
- Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
- Escaping crashes my output
- How to safely escape the title attribute
- How to safely escape data that contains HTML attributes
- Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
- Echoing a URL to a link
- wp_kses_post escaping doesn’t appear to work as described?
- file_get_contents | escaping doesnt show the page
- Help about Escaping
- How to keep specific tag from an html string?
- Escaping Issues
- Escaping and Special Characters (e.g. &)
- Escaping get_option( ‘time_format’ ) is nesserary?
- How should esc_url be combined with trailingslashit?
- Correct way of using esc_attr() and esc_html()
- Uses for the ‘"’ entity in HTML
- How can I add ” character to a multi line string declaration in C#?
- Escape quotes in JavaScript
- How is \\n and \\\n interpreted by the expanded regular expression?
- Why shouldn’t `'` be used to escape single quotes?
- What’s the Use of ‘\r’ escape sequence?
- Unrecognized escape sequence for path string containing backslashes
- What’s the difference between esc_html, esc_attr, esc_html_e, and so on?
- What is the difference between esc_html filter vs attribute_escape filter?
- How to name files of namespaced classes?
- How to print translation supported text with HTML URL
- Why does WordPress reverse conditional statements?
- How do translated, escaped strings (esc_attr) in Themes work?
- How to escape html code with html allowed
- esc before saving or before displaying does it matter?
- Updating a post without escaping ampersands?
- What is WordPress file encoding?
- Escape hexadecimals/rgba values
- Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
- wp_specialchars and wp_specialchars_decode in a shortcode plugin
- Sanitizing comments or escaping comment_text()
- I am not understandinhg $wpdb->prepare correctly
- meta_query works locally but not on live server
- Prevent escaping javascript in visual editor
- Sanitizing, Validating and Escaping in WordPress (Plugin)
- Escape when echoed
- Should I always prefer esc_attr_e & esc_html_e instead of _e?
- WP_Editor – Saving Value into Plugin Option – Stripping HTML
- Is it necessary to escape LIKE term in WP_User_Query?
- Post Content, Special Characters and Filters
- Strange glyphs code error
- Updating post data on save (save_post vs wp_insert_post_data)
- What’s the best practice way of handling custom fields in different post formats?
- What is the safe way to print tracking code / pixel code before tag or tag
- mysql_real_escape_string() vs. esc_sql() in WordPress
- What make possible unit test plugins?
- spaces inside parenthesis
- Do define() statements need phpDocumentor-style docblocks?
- How to escape html generate by a loop
- How to escape multiple attribute at once in WordPress?
- Add HTML to Term Description
- Is there any solution, ide/tool etc., for automatic escaping for WordPress?
- Exit or die in main plugin file breaking php standards recommendation
- Class or function wrapper for plugin code
- Proper way to use esc_html__ and esc_attr__ etc for escaping value for translation
- how can i send this to wp_head – escape problem
- How to correctly escape an echo
- Check if almost 10 year old – working code is up to date
- how to unescape wordpress output
- How to use wp_filter_oembed_result?
- WP nonce verification
- Escaping a WPDB Object in One Shot
- Render the metabox input values as HTML
- problem with quotes on new post
- Escaping data from database (users table) is necessary?
- esc_url, esc_url_raw or sanitize_url?
- How can one use variables in a template or template part without polluting the global scope?
- May I know where to edit the tax rate?
- how to escape alert/window.location.replace with variable
- What is best practice when escaping the_title()?
- If necessary, how should wp_get_attachment_image() and its parameters be escaped?
- Is it necessary to use escape functions on everything or is it only necessary if you’re taking input from a 3rd party? (End Users, APIs, Etc.)