When writing a WordPress plugin recently, I wasn’t sure whether a translatable text/string is considered safe, or if it needs to be escaped before being output.
Here’s a simple example:
The Problem
At first glance, that code looks like it should be safe. However, what would happen if the string were translated into one that contained an angle bracket (< or >)?
That would result in invalid HTML. Or, even worse, what if the translation file contained a malicious <script> tag?
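As an added example (not code from the original post), the snippet below puts the unescaped output pattern beside the escaped one. It assumes WordPress is loaded; the text domain `my-plugin`, the function names and the `gettext` filter used to stand in for a hostile translation file are placeholders constructed for illustration.

```php
<?php
// Added example, not the original post's code. Assumes WordPress is loaded.
// 'my-plugin' and the function names below are placeholders.

// Constructed stand-in for a hostile .mo file: the 'gettext' filter lets us
// return a translation that carries markup, so the effect is visible without
// shipping a real translation file.
add_filter( 'gettext', function ( $translation, $text, $domain ) {
    if ( 'my-plugin' === $domain && 'Save settings' === $text ) {
        return '<b>Save</b><script>console.log("from translation")</script>';
    }
    return $translation;
}, 10, 3 );

function my_plugin_render_button_unsafe() {
    // Vulnerable pattern: _e() echoes whatever the translation lookup
    // returned. Markup in the translation lands in the page unchanged,
    // so the <script> above executes in the admin's browser.
    echo '<button>';
    _e( 'Save settings', 'my-plugin' );
    echo '</button>';
}

function my_plugin_render_button_safe() {
    // Hardened pattern: treat the translation as untrusted data and escape
    // it for the exact context it is printed into.
    // esc_attr__() for an attribute value, esc_html_e() for element text;
    // both turn < and > into &lt; and &gt;, so the markup is shown, not run.
    echo '<button title="' . esc_attr__( 'Save settings', 'my-plugin' ) . '">';
    esc_html_e( 'Save settings', 'my-plugin' );
    echo '</button>';
}

function my_plugin_render_help_text() {
    // Strings that legitimately contain markup cannot use esc_html(); instead
    // allow only the tags and attributes the source string is meant to carry.
    $allowed = array( 'a' => array( 'href' => array() ) );
    echo wp_kses(
        __( 'See the <a href="https://example.invalid/docs">documentation</a>.', 'my-plugin' ),
        $allowed
    );
}
```

The translated string is only ever a return value of `__()`; nothing about gettext makes it safe, so it is escaped at the point of output like any other variable.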