function Html::escape

Escapes text by converting special characters to HTML entities.

This method escapes HTML for sanitization purposes by replacing the following special characters with their HTML entity equivalents:

& (ampersand) becomes &
" (double quote) becomes "
' (single quote) becomes '
< (less than) becomes <
> (greater than) becomes >

Special characters that have already been escaped will be double-escaped (for example, "<" becomes "&lt;"), and invalid UTF-8 encoding will be converted to the Unicode replacement character ("�").

This method is not the opposite of Html::decodeEntities(). For example, this method will not encode "é" to "é", whereas Html::decodeEntities() will convert all HTML entities to UTF-8 bytes, including "é" and "<" to "é" and "<".

When constructing render arrays passing the output of Html::escape() to '#markup' is not recommended. Use the '#plain_text' key instead and the renderer will autoescape the text.

Parameters

string $text: The input text.

Return value

string The text with all HTML special characters converted.

File

core/lib/Drupal/Component/Utility/Html.php, line 431

Class

Html: Provides DOMDocument helpers for parsing and serializing HTML strings.

Namespace

Drupal\Component\Utility

Code

public static function escape(string $text) : string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}