Automatically Escape HTML Entities of Code Fragments in Comments

Update: Ryan has made this into a plugin — Code Comments.

Add this to your theme’s functions.php to allow readers post fragments of code in their comments (wrapped in <code>...</code>) which are automatically encoded (think of < and &lt;)

add_filter('pre_comment_content', 'encode_code_in_comment');

function encode_code_in_comment($source) {
  $encoded = preg_replace_callback('/<code>(.*?)<\/code>/ims',
    '$matches[1] = preg_replace(
        array("/^[\r|\n]+/i", "/[\r|\n]+$/i"), "",
      return "<code>" . esc_html( $matches[1] ) . "</code>";'

  if ($encoded)
    return $encoded;
    return $source;

Worth noting:

  • Everything wrapped in <code>...</code> is encoded.
  • Line breaks after opening <code> and before closing </code> are removed in order to avoid unnecessary <br /> tags.


  1. Ryan says:

    Awesome, thanks for the code :)

    It’s annoying having to recode everything just to post it on someone else’s site.

  2. Ryan says:

    I turned this into a plugin for my own use and figured I may as well make it available for anyone with a use for it …

    @Kaspars – if you would like to release a plugin to do this yourself, just let me know and I’ll point visitors to my own blog post over to your site instead of using my version.

    • Kaspars says:

      This is awesome, Ryan — thanks for turning it into a plugin. This is the exact reason why I love open source.

      The only suggestion I have is that you upload it to the official repository.

  3. Ryan says:

    Yep, I’ll upload it to the repository :)

    I was actually waiting to check that you weren’t planning to do it youself (I didn’t want to step on your toes).

    I’ll post back here once it’s uploaded to the repository … which will require me writing a readme.txt file for it first.

  4. Steven says:

    You should use esc_html() as the way you are using wp_specialchars() is vulnerable to XSS.

  5. Isaac says:

    Nice.. I searched on html entities.. and as a non-programmer I use a webtool

  6. Thank you for this! It seems that by default, HTML in WordPress comments causes strange things. I just want people’s comments to be saved as is, regardless of what they type. Why isn’t the following a default function of WordPress?

    function encode_code_in_comment($source) {
        return esc_html($source);
    add_filter('pre_comment_content', 'encode_code_in_comment');
  7. Kaspars says:

    Robert, I think the reason is that WordPress allows users to use basic HTML for things like strong, em and even bulleted lists. However, I have rarely seen people actually taking time to use those tags, so your solution seems to be good.

Leave a Reply