Secure my “add_settings_field” translation?
No, it is not. Use esc_html__( ‘string’, ‘text_domain’ ) instead (two underscores). Translated strings are unknown input. Unknown input is per default malicious. You don’t know where the language file comes from. It doesn’t even have to be the one you provided, because the path can be filtered or changed with a symlink. Even if … Read more