Alert: This function’s access is marked private. This means it is not intended for use by plugin or theme developers, only in other core functions. It is listed here for completeness.

_wp_specialchars( string $string, int|string $quote_style = ENT_NOQUOTES, false|string $charset = false, bool $double_encode = false ): string

Converts a number of special characters into their HTML entities.


Description

Specifically deals with: &, <, >, ", and '.

$quote_style can be set to ENT_COMPAT to encode " to &quot;, or ENT_QUOTES to encode both " and '. Default is ENT_NOQUOTES, where no quotes are encoded.



Parameters

$string string Required
The text which is to be encoded.
$quote_style int|string Optional
Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES.
Converts single and double quotes, as well as converting HTML named entities (that are not also XML named entities) to their code points if set to ENT_XML1. Also compatible with old values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set.
Default is ENT_NOQUOTES.

Default: ENT_NOQUOTES

$charset false|string Optional
The character encoding of the string.

Default: false

$double_encode bool Optional
Whether to encode existing HTML entities.

Default: false



Return

string The encoded text with HTML entities.



Source

File: wp-includes/formatting.php.

function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
	$string = (string) $string;

	if ( 0 === strlen( $string ) ) {
		return '';
	}

	// Don't bother if there are no specialchars - saves some processing.
	if ( ! preg_match( '/[&<>"\']/', $string ) ) {
		return $string;
	}

	// Account for the previous behaviour of the function when the $quote_style is not an accepted value.
	if ( empty( $quote_style ) ) {
		$quote_style = ENT_NOQUOTES;
	} elseif ( ENT_XML1 === $quote_style ) {
		$quote_style = ENT_QUOTES | ENT_XML1;
	} elseif ( ! in_array( $quote_style, array( ENT_NOQUOTES, ENT_COMPAT, ENT_QUOTES, 'single', 'double' ), true ) ) {
		$quote_style = ENT_QUOTES;
	}

	// Store the site charset as a static to avoid multiple calls to wp_load_alloptions().
	if ( ! $charset ) {
		static $_charset = null;
		if ( ! isset( $_charset ) ) {
			$alloptions = wp_load_alloptions();
			$_charset   = isset( $alloptions['blog_charset'] ) ? $alloptions['blog_charset'] : '';
		}
		$charset = $_charset;
	}

	if ( in_array( $charset, array( 'utf8', 'utf-8', 'UTF8' ), true ) ) {
		$charset = 'UTF-8';
	}

	$_quote_style = $quote_style;

	if ( 'double' === $quote_style ) {
		$quote_style  = ENT_COMPAT;
		$_quote_style = ENT_COMPAT;
	} elseif ( 'single' === $quote_style ) {
		$quote_style = ENT_NOQUOTES;
	}

	if ( ! $double_encode ) {
		// Guarantee every &entity; is valid, convert &garbage; into &amp;garbage;
		// This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable.
		$string = wp_kses_normalize_entities( $string, ( $quote_style & ENT_XML1 ) ? 'xml' : 'html' );
	}

	$string = htmlspecialchars( $string, $quote_style, $charset, $double_encode );

	// Back-compat.
	if ( 'single' === $_quote_style ) {
		$string = str_replace( "'", '&#039;', $string );
	}

	return $string;
}
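
How each $quote_style affects whether the encoded text can be placed inside a quoted HTML attribute, shown as an added example that is not part of the WordPress source or of the contributed note below. It assumes direct calls to PHP's htmlspecialchars() with UTF-8 so that it runs without WordPress; the wpdocs_demo_* helpers and the sample value are hypothetical.

```php
<?php
// Added example, not WordPress core code. Assumption: htmlspecialchars() is
// called directly with the flags _wp_specialchars() passes to it, so this runs
// without WordPress; wp_kses_normalize_entities() is not reproduced here.

/** Hypothetical helper: encode $text for one $quote_style, including legacy 'single'. */
function wpdocs_demo_encode( string $text, $quote_style, bool $double_encode = false ): string {
	$flags   = ( 'single' === $quote_style ) ? ENT_NOQUOTES : $quote_style;
	$encoded = htmlspecialchars( $text, $flags, 'UTF-8', $double_encode );

	// Same back-compat step as the source: 'single' encodes only the apostrophe.
	if ( 'single' === $quote_style ) {
		$encoded = str_replace( "'", '&#039;', $encoded );
	}
	return $encoded;
}

/** Hypothetical helper: true when $encoded cannot close an attribute quoted with $delimiter. */
function wpdocs_demo_stays_inside( string $encoded, string $delimiter ): bool {
	return false === strpos( $encoded, $delimiter );
}

// Constructed sample value containing all five characters plus an existing entity.
$value = 'Tom\'s "5 < 6 > 4" &amp; more';

$styles = array(
	'ENT_NOQUOTES' => ENT_NOQUOTES,
	'ENT_COMPAT'   => ENT_COMPAT,
	'ENT_QUOTES'   => ENT_QUOTES,
	"'single'"     => 'single',
);

foreach ( $styles as $label => $quote_style ) {
	$encoded = wpdocs_demo_encode( $value, $quote_style );
	printf(
		"%-12s %s\n             usable in value=\"...\": %s | usable in value='...': %s\n",
		$label,
		$encoded,
		wpdocs_demo_stays_inside( $encoded, '"' ) ? 'yes' : 'no',
		wpdocs_demo_stays_inside( $encoded, "'" ) ? 'yes' : 'no'
	);
}

// $double_encode decides whether the existing &amp; is kept or encoded again.
printf( "double_encode=false: %s\n", wpdocs_demo_encode( '&amp;', ENT_QUOTES, false ) );
printf( "double_encode=true:  %s\n", wpdocs_demo_encode( '&amp;', ENT_QUOTES, true ) );
```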



Changelog

Version Description
5.5.0 $quote_style also accepts ENT_XML1.
1.2.2 Introduced.


User Contributed Notes

  1. Contributed by Mahdi Yazdani

    Escape JSON for use on HTML or attribute text nodes.

    /**
     * Escape JSON for use on HTML or attribute text nodes.
     *
     * @param  string $json JSON to escape.
     * @param  bool   $html True if escaping for HTML text node, false for attributes. Determines how quotes are handled.
     * @return string Escaped JSON.
     */
    function wpdocs_esc_json( $json, $html = false ) {
    	return _wp_specialchars(
    		$json,
    		$html ? ENT_NOQUOTES : ENT_QUOTES, // Escape quotes in attribute nodes only.
    		'UTF-8',                           // json_encode() outputs UTF-8 (really just ASCII), not the blog's charset.
    		true                               // Double escape entities: `&` -> `&amp;`.
    	);
    }
