Summary
Config strings that are escaped with esc_html__() and then rendered as text by the React hub show their HTML entities literally. The Starter Sites empty state renders:
Unfortunately, we don**'**t have any starter content to go with your theme right now.
(the apostrophe shows as the raw entity ').
Repro
Integrated-test site pixelgrade-integrated-check (http://localhost:8889) — Assistant + Plus active at main, Anima LT, unlicensed → Appearance → Pixelgrade → Starter Sites with no starter catalog.
Root cause
includes/default-plugin-config.php:449
'noSources' => esc_html__( 'Unfortunately, we don\'t have any starter content to go with your theme right now.', '__plugin_txtd' ),
esc_html__() encodes ' → '. The value is localized to JS and rendered as a React text node; React does not decode entities (and escapes again on render), so the entity is shown verbatim. Pre-escaping strings destined for React double-encodes them.
Fix
For strings that are localized and rendered as React text, use __() (not esc_html__()) — React handles escaping. Audit the localized config for other esc_html__() values that feed React text nodes (same pattern, only visible when the string contains ', &, <, >, quotes).
Severity
Minor / cosmetic.
Summary
Config strings that are escaped with
esc_html__()and then rendered as text by the React hub show their HTML entities literally. The Starter Sites empty state renders:(the apostrophe shows as the raw entity
').Repro
Integrated-test site
pixelgrade-integrated-check(http://localhost:8889) — Assistant + Plus active atmain, Anima LT, unlicensed → Appearance → Pixelgrade → Starter Sites with no starter catalog.Root cause
includes/default-plugin-config.php:449esc_html__()encodes'→'. The value is localized to JS and rendered as a React text node; React does not decode entities (and escapes again on render), so the entity is shown verbatim. Pre-escaping strings destined for React double-encodes them.Fix
For strings that are localized and rendered as React text, use
__()(notesc_html__()) — React handles escaping. Audit the localized config for otheresc_html__()values that feed React text nodes (same pattern, only visible when the string contains',&,<,>, quotes).Severity
Minor / cosmetic.