Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?

Why, in the register_nav_menus() functions (from Twenty Twenty One functions.php), do we find esc_html__() on the primary menu but not on secondary menu, like below :

    register_nav_menus(
        array(
            'primary' = esc_html__( 'Primary menu', 'twentytwentyone' ),
            'footer'  = __( 'Secondary menu', 'twentytwentyone' ),
        )
    );

I understand that esc_html() retrieve the translation of $text and escapes it for safe use in HTML output, as explained in WordPress codex, but why is it used on the first menu and not on the second, that's what i cannot figure out.

Is there a specific rule that I missed ?

Topic escaping Wordpress

Category Web

1
answered at

The simple answer appears to be human error. Originally, during development, Twenty Twenty One had one menu, registered like this:

'primary' => __( 'Primary Navigation', 'twentytwentyone' ),

Then somebody went through and added escaping to many __() throughout the theme, resulting in this:

'primary' => esc_html__( 'Primary Navigation', 'twentytwentyone' ),

Then, later on, a second menu was added, like this:

'primary' => esc_html__( 'Primary Navigation', 'twentytwentyone' ),
'footer'  => __( 'Footer Navigation', 'twentytwentyone' ),

And nobody seems to have noticed the discrepancy.

It's often considered best to escape "late", as described in this WordPress VIP article. That is, as close to output as possible. So it's important to note that these lines are not outputting anything. They are just defining the strings to be output later. However, this is where WordPress outputs these values:

<label for="locations-<?php echo esc_attr( $location ); ?>"><?php echo $description; ?></label>

Note that $description, which is the menu name, is not escaped. Therefore, since editing WordPress core is not an option, it would be considered best practice to escape the menu name when registering it.

So should the secondary menu be escaped. Yes. Is it? No. Why? Human error.

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.