Plugins WordPress

Should I escape translated strings in a WordPress plugin or theme?

When writing a WordPress plugin recently, I wasn’t sure whether a translatable text/string is considered safe, or if it needs to escaped before being output.

Here’s a simple example:

The Problem

At first glance, that code looks like it should be safe, however what would happen if the string was translated to contained an angled bracket (< or >)?

That would result in invalid HTML code. Or even worse, what if the translation file contained a malicious <script> tag?

The Solution