Using WordPress ‘esc_html’ PHP filter

The esc_html WordPress PHP filter lets you modify the string that esc_html() has cleaned and escaped for safe output in HTML.

Usage

$safe_text = apply_filters('esc_html', $safe_text, $text);
// your custom code here

Parameters

  • $safe_text: string – The text after it has been escaped.
  • $text: string – The text prior to being escaped.

More information

See WordPress Developer Resources: esc_html

Examples

Custom HTML escaping

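Customize the HTML escaping by removing the characters <, > and & instead of encoding them. The callback works on the raw $text, so it still has to escape what remains; otherwise the quotes that core had encoded would come back unescaped.

add_filter('esc_html', 'my_custom_esc_html', 10, 2);
function my_custom_esc_html($safe_text, $text) {
  // Remove some special characters from the raw text
  $special_chars = array('<', '>', '&');
  $stripped = str_replace($special_chars, '', $text);

  // $text is unescaped: encode the remaining quotes, as core does
  $safe_text = htmlspecialchars($stripped, ENT_QUOTES, 'UTF-8');

  return $safe_text;
}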

Escape only specific characters

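Escape only the characters < and > in a string. Because the callback starts from the raw $text, & and both quote characters are returned unencoded, so the result is not suitable for use inside an HTML attribute value.

add_filter('esc_html', 'escape_specific_chars', 10, 2);
function escape_specific_chars($safe_text, $text) {
  // Escape only the characters '<' and '>'.
  // Core's encoding of &, " and ' is discarded because $text is the raw input.
  $safe_text = str_replace('<', '&lt;', $text);
  $safe_text = str_replace('>', '&gt;', $safe_text);

  return $safe_text;
}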

Allow specific HTML tags

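Allow specific HTML tags to be displayed in the output. wp_kses() is used rather than strip_tags() because strip_tags() leaves every attribute on the tags it allows, while wp_kses() drops any attribute that is not listed.

add_filter('esc_html', 'allow_specific_html_tags', 10, 2);
function allow_specific_html_tags($safe_text, $text) {
  // Allow <b> and <i> with no attributes; other tags are stripped
  $allowed_tags = array('b' => array(), 'i' => array());
  $safe_text = wp_kses($text, $allowed_tags);

  return $safe_text;
}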

Replace special characters with custom strings

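Replace the characters <, > and & with custom strings in the output. The replacement runs on the raw $text, so the quotes that remain are encoded afterwards.

add_filter('esc_html', 'replace_special_chars_with_custom_strings', 10, 2);
function replace_special_chars_with_custom_strings($safe_text, $text) {
  $replace_pairs = array(
    '<' => '[lt]',
    '>' => '[gt]',
    '&' => '[amp]'
  );

  $safe_text = strtr($text, $replace_pairs);

  // $text is unescaped: encode the remaining quotes, as core does
  $safe_text = htmlspecialchars($safe_text, ENT_QUOTES, 'UTF-8');

  return $safe_text;
}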

Add a prefix to the escaped text

Add a prefix to the escaped text to differentiate it from the original. The prefix is added to every string that passes through esc_html().

add_filter('esc_html', 'add_prefix_to_escaped_text', 10, 2);
function add_prefix_to_escaped_text($safe_text, $text) {
  $prefix = 'escaped:';

  return $prefix . $safe_text;
}
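
Checking the combined result

A callback on this filter changes the result of every esc_html() call on the site, so it helps to check what comes out once all callbacks have run. The audit below is an added example, not code from the original page or from WordPress; it assumes it is run inside a loaded WordPress site (for example with WP-CLI's wp eval-file), and the function name and probe string are constructed for illustration.

```php
<?php
// Added example, not from the original page. Assumes a loaded WordPress site;
// the function name and the probe string are constructed for illustration.

/**
 * Pass a probe through esc_html() and report which characters that core
 * encodes come back raw once every 'esc_html' callback has run.
 */
function example_audit_esc_html() {
	global $wp_filter;

	// Constructed probe containing each character core's esc_html() encodes.
	$probe  = '<i title="q">&\'</i>';
	$output = esc_html( $probe );

	$unescaped = array();
	foreach ( array( '<', '>', '"', "'" ) as $char ) {
		if ( false !== strpos( $output, $char ) ) {
			$unescaped[] = $char;
		}
	}
	// An ampersand that does not start an entity was left unencoded.
	if ( preg_match( '/&(?!#?\w+;)/', $output ) ) {
		$unescaped[] = '&';
	}

	// List what is hooked, by priority, so a weakened result can be traced.
	$callbacks = array();
	if ( isset( $wp_filter['esc_html'] ) ) {
		foreach ( $wp_filter['esc_html']->callbacks as $priority => $hooks ) {
			foreach ( $hooks as $hook ) {
				$fn = $hook['function'];
				if ( is_array( $fn ) ) {
					$owner = is_object( $fn[0] ) ? get_class( $fn[0] ) : $fn[0];
					$fn    = $owner . '::' . $fn[1];
				} elseif ( is_object( $fn ) ) {
					$fn = get_class( $fn );
				}
				$callbacks[] = $priority . ': ' . $fn;
			}
		}
	}

	return compact( 'probe', 'output', 'unescaped', 'callbacks' );
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
	print_r( example_audit_esc_html() );
}
```

An empty unescaped list means the hooked callbacks still return fully encoded text; a filter that lets tags through on purpose will list < and > here along with any quote characters it leaves in place.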