function Html::escape

Same name in other branches
  1. 8.9.x core/lib/Drupal/Component/Utility/Html.php \Drupal\Component\Utility\Html::escape()
  2. 10 core/lib/Drupal/Component/Utility/Html.php \Drupal\Component\Utility\Html::escape()
  3. 11.x core/lib/Drupal/Component/Utility/Html.php \Drupal\Component\Utility\Html::escape()

Escapes text by converting special characters to HTML entities.

This method escapes HTML for sanitization purposes by replacing the following special characters with their HTML entity equivalents:

  • & (ampersand) becomes &amp;
  • " (double quote) becomes &quot;
  • ' (single quote) becomes &#039;
  • < (less than) becomes &lt;
  • > (greater than) becomes &gt;

Special characters that have already been escaped will be double-escaped (for example, "&lt;" becomes "&amp;lt;"), and invalid UTF-8 encoding will be converted to the Unicode replacement character ("�").

This method is not the opposite of Html::decodeEntities(). For example, this method will not encode "é" to "&eacute;", whereas Html::decodeEntities() will convert all HTML entities to UTF-8 bytes, including "&eacute;" and "&lt;" to "é" and "<".

When constructing render arrays, passing the output of Html::escape() to '#markup' is not recommended. Use the '#plain_text' key instead and the renderer will autoescape the text.

Parameters

string $text: The input text.

Return value

string The text with all HTML special characters converted.

See also

htmlspecialchars()

\Drupal\Component\Utility\Html::decodeEntities()

130 calls to Html::escape()
AggregatorTestBase::getValidOpml in core/modules/aggregator/tests/src/Functional/AggregatorTestBase.php
Creates a valid OPML file from an array of feeds.
AssertBreadcrumbTrait::assertBreadcrumbParts in core/modules/system/tests/src/Functional/Menu/AssertBreadcrumbTrait.php
Assert that a trail exists in the internal browser.
AssertContentTrait::assertEscaped in core/tests/Drupal/KernelTests/AssertContentTrait.php
Passes if the raw text IS found escaped on the loaded page, fail otherwise.
AssertContentTrait::assertNoEscaped in core/tests/Drupal/KernelTests/AssertContentTrait.php
Passes if raw text IS NOT found escaped on loaded page, fail otherwise.
AssertContentTrait::assertNoRaw in core/tests/Drupal/KernelTests/AssertContentTrait.php
Passes if the raw text is NOT found on the loaded page, fail otherwise.

...

File

core/lib/Drupal/Component/Utility/Html.php, line 427

Class

Html
Provides DOMDocument helpers for parsing and serializing HTML strings.

Namespace

Drupal\Component\Utility

Code

public static function escape($text) : string {
    if (is_null($text)) {
        @trigger_error('Passing NULL to ' . __METHOD__ . ' is deprecated in drupal:9.5.0 and will trigger a PHP error from drupal:11.0.0. Pass a string instead. See https://www.drupal.org/node/3318826', E_USER_DEPRECATED);
        return '';
    }
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
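
The behaviours described above (double-escaping, replacement of invalid UTF-8, the asymmetry with Html::decodeEntities(), and quote handling in attributes), shown as an added example that is not part of the Drupal code base. page_escape() and escape_report() are hypothetical names: page_escape() repeats the htmlspecialchars() call from the listing, html_entity_decode() is an assumed stand-in for Html::decodeEntities(), and all inputs are constructed.

```php
<?php
// Added example, not Drupal code. page_escape() is a hypothetical stand-in
// that repeats the htmlspecialchars() call shown in Html::escape() above.
function page_escape(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the report; all inputs below are constructed sample values.
function escape_report(): array {
    $report = [];

    // 1. The five special characters, including both quote styles.
    $report['specials'] = page_escape('<a href="x" title=\'y\'>T&C</a>');

    // 2. Already-escaped input is escaped again, so escape exactly once,
    //    at output time, never on stored data.
    $report['double'] = page_escape(page_escape('<b>'));

    // 3. Invalid UTF-8 (0xFF never occurs in UTF-8). ENT_SUBSTITUTE swaps in
    //    U+FFFD; without it htmlspecialchars() returns an empty string.
    $bad = "abc\xFFdef";
    $report['substitute'] = page_escape($bad);
    $report['no_substitute'] = htmlspecialchars($bad, ENT_QUOTES, 'UTF-8');

    // 4. Not the inverse of entity decoding: "é" passes through unchanged,
    //    while decoding (html_entity_decode() used here as an assumed
    //    stand-in for Html::decodeEntities()) turns "&eacute;" into "é".
    $report['escape_e'] = page_escape('é');
    $report['decode_e'] = html_entity_decode('&eacute;', ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 5. Single-quoted attribute: ENT_QUOTES encodes ', ENT_COMPAT does not,
    //    so with ENT_COMPAT the value would close the attribute early.
    $value = "5' data-injected='1";
    $report['attr_quotes'] = "<input value='" . page_escape($value) . "'>";
    $report['attr_compat'] = "<input value='"
        . htmlspecialchars($value, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8') . "'>";

    return $report;
}

foreach (escape_report() as $case => $out) {
    printf("%-14s %s\n", $case, var_export($out, true));
}
```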
