public static Html::escape($text)
Escapes text by converting special characters to HTML entities.
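This method escapes HTML for sanitization purposes by replacing the following special characters with their HTML entity equivalents:
& (ampersand) becomes &amp;
" (double quote) becomes &quot;
' (single quote) becomes &#039;
< (less than) becomes &lt;
> (greater than) becomes &gt;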
Special characters that have already been escaped will be double-escaped (for example, "&lt;" becomes "&amp;lt;"), and invalid UTF-8 encoding will be converted to the Unicode replacement character ("�").
This method is not the opposite of Html::decodeEntities(). For example, this method will not encode "é" to "&eacute;", whereas Html::decodeEntities() will convert all HTML entities to UTF-8 bytes, including "&eacute;" and "&lt;" to "é" and "<".
When constructing render arrays, passing the output of Html::escape() to '#markup' is not recommended. Use the '#plain_text' key instead, and the renderer will autoescape the text.
Parameters: string $text: The input text.
Return value: string The text with all HTML special characters converted.
See also: \Drupal\Component\Utility\Html::decodeEntities()
public static function escape($text) {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
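The behaviours described above (double-escaping, U+FFFD substitution, no inverse relationship with entity decoding, and '#plain_text' in render arrays), as an added standalone PHP example that is not Drupal's own code. escape_like_page() and expect_same() are hypothetical helpers, the inputs are constructed, and PHP's html_entity_decode() stands in for Html::decodeEntities().

```php
<?php
// Added example, not Drupal code. escape_like_page() is a hypothetical local
// helper with the same body as Html::escape() shown on this page.
function escape_like_page(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical check helper: throws so a mismatch cannot go unnoticed.
function expect_same(string $expected, string $actual): void {
  if ($expected !== $actual) {
    throw new RuntimeException("expected [$expected], got [$actual]");
  }
}

// Constructed input containing all five special characters.
$input = "<a href=\"x\">Tom & Jerry's</a>";
$escaped = escape_like_page($input);
expect_same('&lt;a href=&quot;x&quot;&gt;Tom &amp; Jerry&#039;s&lt;/a&gt;', $escaped);

// Already-escaped text is escaped again, so escape exactly once, at output.
expect_same('&amp;lt;', escape_like_page('&lt;'));
expect_same('&amp;lt;', escape_like_page(escape_like_page('<')));

// Invalid UTF-8 (constructed: a lone 0xFF byte) becomes U+FFFD.
expect_same("a\u{FFFD}b", escape_like_page("a\xFFb"));
// Without ENT_SUBSTITUTE, htmlspecialchars() returns an empty string for the
// same input, silently dropping the whole value.
expect_same('', htmlspecialchars("a\xFFb", ENT_QUOTES, 'UTF-8'));

// Not the inverse of entity decoding: non-special characters are left alone,
// while decoding expands every named entity.
expect_same('é', escape_like_page('é'));
expect_same('é <', html_entity_decode('&eacute; &lt;', ENT_QUOTES, 'UTF-8'));
// Decoding does undo escaping for the five characters above.
expect_same($input, html_entity_decode($escaped, ENT_QUOTES, 'UTF-8'));

// Render arrays, per the page: pass the raw string under '#plain_text' and
// let the renderer escape it once.
$recommended = ['#plain_text' => $input];
// Not recommended by the page: pre-escaped output under '#markup'.
$discouraged = ['#markup' => $escaped];

echo "all checks passed\n";
```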
© 2001–2016 by the original authors
Licensed under the GNU General Public License, version 2 and later.
Drupal is a registered trademark of Dries Buytaert.
https://api.drupal.org/api/drupal/core!lib!Drupal!Component!Utility!Html.php/function/Html::escape/8.1.x