WordPress.org
Get WordPress
WordPress.org

WordPress Developer Resources

_wp_specialchars()

_wp_specialchars( string $text, int|string $quote_style = ENT_NOQUOTES, false|string $charset = false, bool $double_encode = false ): string

In this article

Back to top

This function’s access is marked private. This means it is not intended for use by plugin or theme developers, only in other core functions. It is listed here for completeness.

Converts a number of special characters into their HTML entities.

Description

Specifically deals with: &, <, >, ", and '.

$quote_style can be set to ENT_COMPAT to encode " to &quot;, or ENT_QUOTES to do both. Default is ENT_NOQUOTES where no quotes are encoded.

Parameters

$textstringrequired
The text which is to be encoded.
$quote_styleint|stringoptional
Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES.
Converts single and double quotes, as well as converting HTML named entities (that are not also XML named entities) to their code points if set to ENT_XML1. Also compatible with old values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set.
Default is ENT_NOQUOTES.

Default:ENT_NOQUOTES

$charsetfalse|stringoptional
The character encoding of the string.

Default:false

$double_encodebooloptional
Whether to encode existing HTML entities.

Default:false

Return

string The encoded text with HTML entities.

Source

function _wp_specialchars( $text, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
	$text = (string) $text;

	if ( 0 === strlen( $text ) ) {
		return '';
	}

	// Don't bother if there are no specialchars - saves some processing.
	if ( ! preg_match( '/[&<>"\']/', $text ) ) {
		return $text;
	}

	// Account for the previous behavior of the function when the $quote_style is not an accepted value.
	if ( empty( $quote_style ) ) {
		$quote_style = ENT_NOQUOTES;
	} elseif ( ENT_XML1 === $quote_style ) {
		$quote_style = ENT_QUOTES | ENT_XML1;
	} elseif ( ! in_array( $quote_style, array( ENT_NOQUOTES, ENT_COMPAT, ENT_QUOTES, 'single', 'double' ), true ) ) {
		$quote_style = ENT_QUOTES;
	}

	// Store the site charset as a static to avoid multiple calls to wp_load_alloptions().
	if ( ! $charset ) {
		static $_charset = null;
		if ( ! isset( $_charset ) ) {
			$alloptions = wp_load_alloptions();
			$_charset   = isset( $alloptions['blog_charset'] ) ? $alloptions['blog_charset'] : '';
		}
		$charset = $_charset;
	}

	if ( in_array( $charset, array( 'utf8', 'utf-8', 'UTF8' ), true ) ) {
		$charset = 'UTF-8';
	}

	$_quote_style = $quote_style;

	if ( 'double' === $quote_style ) {
		$quote_style  = ENT_COMPAT;
		$_quote_style = ENT_COMPAT;
	} elseif ( 'single' === $quote_style ) {
		$quote_style = ENT_NOQUOTES;
	}

	if ( ! $double_encode ) {
		/*
		 * Guarantee every &entity; is valid, convert &garbage; into &amp;garbage;
		 * This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable.
		 */
		$text = wp_kses_normalize_entities( $text, ( $quote_style & ENT_XML1 ) ? 'xml' : 'html' );
	}

	$text = htmlspecialchars( $text, $quote_style, $charset, $double_encode );

	// Back-compat.
	if ( 'single' === $_quote_style ) {
		$text = str_replace( "'", '&#039;', $text );
	}

	return $text;
}

View all references View on Trac View on GitHub

UsesDescription
wp_kses_normalize_entities()wp-includes/kses.php

Converts and fixes HTML entities.

wp_load_alloptions()wp-includes/option.php

Loads and caches all autoloaded options, if available or all options.

Used byDescription
esc_xml()wp-includes/formatting.php

Escaping for XML blocks.

esc_js()wp-includes/formatting.php

Escapes single quotes, ", , &amp;, and fixes line endings.

esc_html()wp-includes/formatting.php

Escaping for HTML blocks.

esc_attr()wp-includes/formatting.php

Escaping for HTML attributes.

wp_specialchars()wp-includes/deprecated.php

Legacy escaping for HTML blocks.

Changelog

VersionDescription
5.5.0$quote_style also accepts ENT_XML1.
1.2.2Introduced.

User Contributed Notes

  1. Skip to note 2 content
    Mahdi Yazdani
    You must log in to vote on the helpfulness of this noteVote results for this note: -1You must log in to vote on the helpfulness of this note

    Escape JSON for use on HTML or attribute text nodes.

    /**
 * Escape JSON for use on HTML or attribute text nodes.
 *
 * @param  string $json JSON to escape.
 * @param  bool   $html True if escaping for HTML text node, false for attributes. Determines how quotes are handled.
 * @return string Escaped JSON.
 */
function wpdocs_esc_json( $json, $html = false ) {
	return _wp_specialchars(
		$json,
		$html ? ENT_NOQUOTES : ENT_QUOTES, // Escape quotes in attribute nodes only.
		'UTF-8',                           // json_encode() outputs UTF-8 (really just ASCII), not the blog's charset.
		true                               // Double escape entities: `&` -> `&amp;`.
	);
}

You must log in before being able to contribute a note or feedback.