The esc_xml WordPress PHP function cleans and escapes a string for safe output in XML, by removing invalid or special characters and converting HTML named character references to their equivalent code points.
Usage
$text = 'Your <strong>text</strong> here';
$escaped_text = esc_xml($text);
// your custom code here
echo $escaped_text;
Parameters
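- $safe_text (string): The text after it has been escaped. Callbacks hooked on the esc_xml filter receive it as their first argument.
- $text (string): The text prior to being escaped. This is the argument passed to esc_xml(), and the second argument passed to filter callbacks.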
More information
See WordPress Developer Resources: esc_xml
Examples
Escaping special characters in XML
This example escapes special characters in an XML element.
$text = 'Your <strong>text</strong> here';
$escaped_text = esc_xml($text);
echo '<element>' . $escaped_text . '</element>';
Escaping ampersands in URLs
This example escapes ampersands in a URL for use in an XML document.
$url = 'https://example.com/?param1=value1&param2=value2';
$escaped_url = esc_xml($url);
echo '<url>' . $escaped_url . '</url>';
Escaping text in an XML attribute
This example escapes text for use as an XML attribute value.
$attribute_value = 'Text "with" quotes';
$escaped_attribute_value = esc_xml($attribute_value);
echo '<element attribute="' . $escaped_attribute_value . '"></element>';
Escaping text in an XML comment
This example escapes text for use in an XML comment.
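$comment_text = 'This is a comment with <strong>HTML</strong> tags.';
// Parsers do not decode entities inside comments, so readers see the escaped form.
// esc_xml() leaves "--" untouched, and "--" is not allowed inside an XML comment.
$escaped_comment_text = esc_xml($comment_text);
echo '<!-- ' . $escaped_comment_text . ' -->';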
Escaping text in a CDATA section
This example escapes text for use in a CDATA section of an XML document.
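$cdata_text = 'This is some text with <strong>HTML</strong> tags.';
// Nothing inside a CDATA section is decoded, so the consumer receives the
// entity-encoded text (&lt;strong&gt;...) rather than the original characters.
$escaped_cdata_text = esc_xml($cdata_text);
echo '<![CDATA[' . $escaped_cdata_text . ']]>';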
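The comment and CDATA examples above place escaped text in contexts where an XML parser does not decode entity references. The following standalone PHP is an added example, not code from the original page or from WordPress: xml_text() is a stand-in for esc_xml() built on htmlspecialchars(), and xml_cdata(), xml_comment() and read_back() are hypothetical helpers. It parses the generated document and reports whether each element returns the original string to a consumer.

```php
<?php
// Added example: standalone PHP (needs ext-dom), no WordPress required.

// Stand-in for esc_xml() (assumption: escapes the same characters: & < > " ').
function xml_text(string $s): string {
    return htmlspecialchars($s, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: wrap raw text in CDATA, splitting any "]]>" so the
// data cannot close the section early.
function xml_cdata(string $s): string {
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $s) . ']]>';
}

// Hypothetical helper: "--" is not allowed inside a comment, so break up
// hyphen runs; the padding spaces keep a trailing "-" away from "-->".
function xml_comment(string $s): string {
    return '<!-- ' . preg_replace('/-(?=-)/', '- ', $s) . ' -->';
}

// Parse the document and return the text a consumer would read from each element.
function read_back(string $xml, array $tags): array {
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml)) {
        throw new RuntimeException('document is not well-formed');
    }
    $out = [];
    foreach ($tags as $tag) {
        $out[$tag] = $doc->getElementsByTagName($tag)->item(0)->textContent;
    }
    return $out;
}

// Constructed sample input: markup, quotes, a CDATA terminator, a comment terminator.
$raw = 'a <b>bold</b> & "quoted" ]]> --> end';

$xml = '<?xml version="1.0" encoding="UTF-8"?><item>'
     . '<plain>' . xml_text($raw) . '</plain>'              // escaped element content
     . '<mixed><![CDATA[' . xml_text($raw) . ']]></mixed>'  // escaped, then wrapped in CDATA
     . '<cdata>' . xml_cdata($raw) . '</cdata>'             // raw text, CDATA only
     . xml_comment($raw)
     . '</item>';

foreach (read_back($xml, ['plain', 'mixed', 'cdata']) as $tag => $value) {
    printf("%-5s %-11s %s\n", $tag, $value === $raw ? 'round-trips' : 'altered', $value);
}
```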
Escaping XML in a custom function
This example demonstrates how to use esc_xml in a custom function that generates an XML sitemap.
function generate_xml_sitemap() {
    $posts = get_posts();
    echo '<?xml version="1.0" encoding="UTF-8"?>';
    echo '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">';
    foreach ($posts as $post) {
        $title = esc_xml($post->post_title);
        $content = esc_xml($post->post_content);
        echo '<url>';
        // Permalinks can contain "&" in a query string, so escape them as well.
        echo '<loc>' . esc_xml(get_permalink($post)) . '</loc>';
        echo '<title>' . $title . '</title>';
        echo '<content>' . $content . '</content>';
        echo '</url>';
    }
    echo '</urlset>';
}
Escaping special characters in a user-generated XML feed
This example escapes special characters in user-generated content for an XML feed.
function output_user_feed() {
    // get_user_content() is assumed to be defined elsewhere in your code.
    $user_content = get_user_content();
    echo '<?xml version="1.0" encoding="UTF-8"?>';
    echo '<feed>';
    foreach ($user_content as $item) {
        // Call esc_xml() itself: apply_filters('esc_xml', ...) only runs hooked
        // callbacks and returns the value unescaped when none are registered.
        $title = esc_xml($item['title']);
        $description = esc_xml($item['description']);
        echo '<item>';
        echo '<title>' . $title . '</title>';
        echo '<description>' . $description . '</description>';
        echo '</item>';
    }
    echo '</feed>';
}
Escaping XML in an AJAX response
This example escapes XML in an AJAX response to ensure it’s safely returned to the client.
function process_ajax_request() {
    $response_data = array(
        'message' => 'Your <strong>request</strong> has been processed.',
        'result' => 'success'
    );
    // esc_xml() performs the escaping; apply_filters('esc_xml', ...) alone does not.
    $response_data['message'] = esc_xml($response_data['message']);
    header('Content-Type: text/xml');
    echo '<?xml version="1.0" encoding="UTF-8"?>';
    echo '<response>';
    echo '<message>' . $response_data['message'] . '</message>';
    echo '<result>' . $response_data['result'] . '</result>';
    echo '</response>';
}
Escaping XML in custom plugin options
This example escapes XML in custom plugin options before saving them to the database.
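function save_plugin_options() {
    // Assumes the caller has already verified a nonce and the user's capability.
    // WordPress adds slashes to $_POST values, so remove them before use.
    $options = array(
        'custom_text' => wp_unslash($_POST['custom_text'] ?? ''),
        'custom_url' => wp_unslash($_POST['custom_url'] ?? '')
    );
    $options['custom_text'] = esc_xml($options['custom_text']);
    $options['custom_url'] = esc_xml($options['custom_url']);
    update_option('my_plugin_options', $options);
}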
Remove extra spaces from XML text
This code removes extra spaces from the text before escaping it for XML output.
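function remove_extra_spaces($safe_text, $text) {
    $trimmed_text = preg_replace('/\s+/', ' ', $text);
    // esc_xml() applies this filter itself, so unhook before calling it to avoid endless recursion.
    remove_filter('esc_xml', 'remove_extra_spaces', 10);
    $escaped_text = esc_xml($trimmed_text);
    add_filter('esc_xml', 'remove_extra_spaces', 10, 2);
    return $escaped_text;
}
add_filter('esc_xml', 'remove_extra_spaces', 10, 2);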
Replace specific words in XML text
This code replaces specific words in the text before escaping it for XML output.
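function replace_words($safe_text, $text) {
    $replacements = array(
        'oldWord' => 'newWord',
        'anotherOldWord' => 'anotherNewWord'
    );
    $updated_text = str_replace(array_keys($replacements), array_values($replacements), $text);
    // Unhook while calling esc_xml(); it applies this filter and would otherwise recurse.
    remove_filter('esc_xml', 'replace_words', 10);
    $escaped_text = esc_xml($updated_text);
    add_filter('esc_xml', 'replace_words', 10, 2);
    return $escaped_text;
}
add_filter('esc_xml', 'replace_words', 10, 2);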
Convert text to uppercase
This code converts the text to uppercase before escaping it for XML output.
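function convert_to_uppercase($safe_text, $text) {
    $uppercase_text = strtoupper($text);
    // Unhook while calling esc_xml(); it applies this filter and would otherwise recurse.
    remove_filter('esc_xml', 'convert_to_uppercase', 10);
    $escaped_text = esc_xml($uppercase_text);
    add_filter('esc_xml', 'convert_to_uppercase', 10, 2);
    return $escaped_text;
}
add_filter('esc_xml', 'convert_to_uppercase', 10, 2);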
Add a prefix to XML text
This code adds a prefix to the text before escaping it for XML output.
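function add_prefix($safe_text, $text) {
    $prefix = 'Prefix: ';
    $prefixed_text = $prefix . $text;
    // Unhook while calling esc_xml(); it applies this filter and would otherwise recurse.
    remove_filter('esc_xml', 'add_prefix', 10);
    $escaped_text = esc_xml($prefixed_text);
    add_filter('esc_xml', 'add_prefix', 10, 2);
    return $escaped_text;
}
add_filter('esc_xml', 'add_prefix', 10, 2);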
Remove all numbers from XML text
This code removes all numbers from the text before escaping it for XML output.
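function remove_numbers($safe_text, $text) {
    $text_without_numbers = preg_replace('/\d/', '', $text);
    // Unhook while calling esc_xml(); it applies this filter and would otherwise recurse.
    remove_filter('esc_xml', 'remove_numbers', 10);
    $escaped_text = esc_xml($text_without_numbers);
    add_filter('esc_xml', 'remove_numbers', 10, 2);
    return $escaped_text;
}
add_filter('esc_xml', 'remove_numbers', 10, 2);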