[wp-trac] [WordPress Trac] #37057: Creation of an esc_html functions for _n(), _nx(), _ex(), and number_format_i18n()
WordPress Trac
noreply at wordpress.org
Tue Sep 7 17:28:08 UTC 2021
#37057: Creation of an esc_html functions for _n(), _nx(), _ex(), and
number_format_i18n()
-------------------------+------------------------------
Reporter: zakkath | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: I18N | Version:
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
-------------------------+------------------------------
Comment (by johnbillion):
Replying to [comment:17 gonssal]:
> {{{#!php
> if ( 1 === $count ) {
>     printf( esc_html__( 'Last thing!', 'my-text-domain' ), $count );
> } else {
>     printf( esc_html_n( '%d thing.', '%d things.', $count, 'my-text-domain' ), $count );
> }
> }}}
This is still incorrect usage of this function if you want escaped and
localised output. Granted, WordPress core itself doesn't fully escape its
output, so it doesn't lead by example.

The value of `$count` is not escaped in this example. The output is only
safe because `$count` is formatted with `%d`, thus coercing it to an
integer, which is not the correct format to use for a user-facing number.
The number needs to support a thousands separator for correct localisation
and therefore must use the `%s` format.

Correct usage of an `_n()` function always requires its output to be
wrapped in an `esc_*()` function:
{{{#!php
if ( 1 === $count ) {
    printf( esc_html__( 'Last thing!', 'my-text-domain' ), $count );
} else {
    echo esc_html(
        sprintf(
            _n( '%s thing.', '%s things.', $count, 'my-text-domain' ),
            number_format_i18n( $count )
        )
    );
}
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37057#comment:18>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
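
The following is an added example, not part of the ticket comment or of WordPress core: a script for the PHP CLI that contrasts where the escaping call sits when the `%s` plus `number_format_i18n()` pattern from the comment above is used. The `_n()`, `number_format_i18n()` and `esc_html()` definitions are simplified stand-ins written for this example, and the translation table and the apostrophe thousands separator are constructed sample data.

```php
<?php
// Stand-alone demo for the PHP CLI (do not load it inside WordPress).
// _n(), number_format_i18n() and esc_html() below are simplified stand-ins
// for the WordPress functions of the same name, written for this example.

// Constructed translation: the plural string carries stray markup.
const DEMO_TRANSLATIONS = array( '%s things.' => '%s <b>things</b>.' );

function _n( $single, $plural, $number, $domain = 'default' ) {
	$text = ( 1 === (int) $number ) ? $single : $plural;
	return DEMO_TRANSLATIONS[ $text ] ?? $text;
}

// Constructed locale: apostrophe as the thousands separator.
function number_format_i18n( $number, $decimals = 0 ) {
	return number_format( (float) $number, $decimals, '.', "'" );
}

function esc_html( $text ) {
	return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

$count = 1234;

// 1. No escaping: translation markup and the formatted number pass through.
$raw = sprintf(
	_n( '%s thing.', '%s things.', $count, 'my-text-domain' ),
	number_format_i18n( $count )
);

// 2. Only the translated string is escaped; the substituted value is not.
$partial = sprintf(
	esc_html( _n( '%s thing.', '%s things.', $count, 'my-text-domain' ) ),
	number_format_i18n( $count )
);

// 3. The pattern from the comment: escape the finished string, so both the
//    translation and the localised number go through esc_html().
$full = esc_html(
	sprintf(
		_n( '%s thing.', '%s things.', $count, 'my-text-domain' ),
		number_format_i18n( $count )
	)
);

echo $raw, PHP_EOL, $partial, PHP_EOL, $full, PHP_EOL;
```

Comparing the three printed lines shows which parts of the string each placement of `esc_html()` covers.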