How to disable HTML in WordPress comments
First published on January 31, 2008
By default, WordPress allows certain tags in comments (an allow-list enforced by its kses filter). Therefore commenters can add links, style text in bold and italics, add tables, and more. This can be quite useful.
Unfortunately for this site, almost no one has actually needed to use tags in comments, while many people have pasted code samples in comments only to see them disappear or be interpreted as HTML by the browser.
While you can write something like “<img>” by typing “&lt;img&gt;”, it’s not very convenient for people to do that.
Also, there doesn’t seem to be a quick option to simply disable HTML in WordPress comments. There is a pretty nice plugin that enables commenters to enclose any code in backticks. Anything in backticks is then nicely output in the comment as code. Depending on the nature of your site, this could be a good solution.
My solution for theblog.ca is simply to treat all comments literally, sort of like a plain text e-mail. Whatever the commenter types will be displayed literally. No “certain tags are allowed” or “do this to code samples”. Simple and a bit stubborn.
This is accomplished by way of a plugin that uses the simple htmlspecialchars PHP function. I’ve pasted the necessary plugin code below:
<?php
// This will occur when the comment is posted
function plc_comment_post( $incoming_comment ) {
	// convert everything in a comment to display literally
	// (ENT_COMPAT was PHP's default before 8.1; it leaves single quotes alone so that
	// the str_replace below can handle them. It is passed explicitly here because the
	// PHP 8.1+ default, ENT_QUOTES, would already have turned them into &#039;)
	$incoming_comment['comment_content'] = htmlspecialchars( $incoming_comment['comment_content'], ENT_COMPAT );
	// the one exception is single quotes, which cannot be &#039; because WordPress marks it as spam
	// (the entity used here was lost when this page was rendered; &apos; is assumed)
	$incoming_comment['comment_content'] = str_replace( "'", '&apos;', $incoming_comment['comment_content'] );
	return( $incoming_comment );
}

// This will occur before a comment is displayed
function plc_comment_display( $comment_to_display ) {
	// Put the single quotes back in
	$comment_to_display = str_replace( '&apos;', "'", $comment_to_display );
	return $comment_to_display;
}

// priority 0: run before WordPress's own filters (the original passed '', which WordPress sorts as 0)
add_filter( 'preprocess_comment', 'plc_comment_post', 0, 1 );
add_filter( 'comment_text', 'plc_comment_display', 0, 1 );
add_filter( 'comment_text_rss', 'plc_comment_display', 0, 1 );
add_filter( 'comment_excerpt', 'plc_comment_display', 0, 1 );

// This stops WordPress from trying to automatically make hyperlinks on text:
remove_filter( 'comment_text', 'make_clickable', 9 );
What this does is convert single quotes, double quotes, the less-than symbol (<), the greater-than symbol (>), and ampersands (&) to HTML entities whenever a comment is posted, so that they are displayed as-is when someone views the comment. Because the escaping happens on the way in, the comment is then handed to any subsequent processing you might have (such as an anti-spam filter), so it should play nicely with other plugins; the flip side is that comments stored before the plugin was activated are not touched. It also does not affect any subsequent editing by the site administrator, so I can add link tags to a comment in the rare case that a commenter intended to do that. One caveat: htmlspecialchars() only leaves single quotes for the str_replace() to handle under its pre-PHP 8.1 default flags (ENT_COMPAT); from PHP 8.1 the default is ENT_QUOTES, which has already turned them into &#039; by then, which is why the call should pass ENT_COMPAT explicitly.
If you want to implement this plugin quickly, you can download what I call Peter’s Literal Comments. All you have to do is unzip it to your plugins directory, then activate it in the admin interface.
February 1st, 2008 at 2:44 am
Dan says:
Nice, thanks for posting this. I might take this code and spin it out into another plugin, if you have no objections?
I want something that only allows html if you're a registered user, and for non-registered peeps it gets turned off. Shouldn't be too hard to turn yours into that, so it's a good exercise for me
Thanks again!
April 5th, 2008 at 10:52 am
Peter says:
Hi, sorry for the slow reply as there was a problem with commenting on my site. Did you manage to improve the plugin?
January 19th, 2009 at 5:14 am
Winwab says:
Thanks for this valuable plugin. Do you have the latest version of this?
January 19th, 2009 at 8:26 am
Peter says:
Hi Winwab, as far as I know, nobody has made a version newer than what you see here. Did you have trouble with the current version?
January 21st, 2009 at 10:21 am
Ryan Stille says:
This works great, thank you. I have a technical blog, and I have always had problems with people posting code in comments.
One small change I made to your plugin was to add indentation. I added these two lines:
// RPS mod. Change tabs and groups of 2 spaces into 2 nbsp's so things will indent properly
$incoming_comment['comment_content'] = preg_replace( "/\t/", '&nbsp;&nbsp;', $incoming_comment['comment_content'] );
$incoming_comment['comment_content'] = str_replace( "  ", '&nbsp;&nbsp;', $incoming_comment['comment_content'] ); // "  " is two spaces
January 21st, 2009 at 1:47 pm
Peter says:
Hi Ryan, thanks for sharing your additions! About the grouping of two spaces — I think the only way to preserve spacing would be to have &nbsp; in place of every space, because if someone started a line with only one space, that wouldn’t be preserved. Or is there a better way?
January 21st, 2009 at 2:05 pm
Ryan Stille says:
Most code isn’t indented with only one space – in the code I’ve seen anyway, it’s either 2, 4, 8 spaces or a tab. Even if a commenter uses three spaces this mod should still work.
It does increase the size of the page though (replacing a 1 character space with a 5 character code). A minor trade off in my opinion. If you are using compression in your webserver the difference will be negligible anyway.
BTW since we are talking about WordPress plugins, you might want to think about the "Subscribe to Comments" plugin. I just happened to think to check back on this today, to see if you had followed up on my comment, but I could have just as easily forgotten about it and never checked back. With the Subscribe to Comments plugin I can check a box when I make a comment, then I’ll get notifications when other people make comments on the same post.
http://txfx.net/code/wordpress/subscribe-to-comments/
January 21st, 2009 at 8:08 pm
Peter says:
You’re right. And actually, the use case for wanting to explicitly specify just one space occurs only after a new line, so we could add this rule after your rules:
// a literal space after the newline, not \s, which would also swallow a following newline or tab
$incoming_comment['comment_content'] = preg_replace( "/\n /", "\n&nbsp;", $incoming_comment['comment_content'] );
Thanks for the tip about the Subscribe to Comments plugin. I’ve considered it a few times, and need to psyche myself up to deal with managing bounced e-mails — something I might eventually give in to.
February 27th, 2009 at 5:16 am
Benjamin Flesch says:
Nice, this is exactly what I’ve been searching for. Thank you!
April 10th, 2009 at 9:56 am
Exam Philippines says:
Cool! Thanks for sharing. By the way, how can I disable the URLs in my comments?
Reply from Peter: If you don’t want to display what people write in the “URL” field, you can just modify your theme’s relevant template for that. As for disabling the auto-linking, that’s done by WordPress in a function called “make_clickable”; by default you can add this line to a plugin:
remove_filter( 'comment_text', 'make_clickable', 9 );
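Taking Peter’s reply a step further, here is an added example (not part of the original post or plugin) that removes commenter URLs at every stage rather than only in the template: the form field, the stored value, the rendered author link and the auto-linking of bare URLs in the text. It assumes a theme that builds its form with comment_form() (WordPress 3.0 or later); the function names are invented for this example.

```php
<?php
// Added example: remove commenter URLs entirely (function names invented here).

// 1. Don't even offer the URL field on the comment form
//    (applies to themes that render the form with comment_form()).
function plcu_remove_url_field( $fields ) {
	unset( $fields['url'] );
	return $fields;
}
add_filter( 'comment_form_default_fields', 'plcu_remove_url_field' );

// 2. Blank whatever is posted in the field anyway, so nothing is stored.
//    The URL is just a POST parameter; a crafted request can send it even
//    when the form no longer has the field.
function plcu_blank_author_url( $commentdata ) {
	$commentdata['comment_author_url'] = '';
	return $commentdata;
}
add_filter( 'preprocess_comment', 'plcu_blank_author_url' );

// 3. Render the author's name as plain text instead of a link, so a URL
//    stored with an older comment is not shown either. get_comment_author()
//    with no argument uses the comment currently being displayed.
function plcu_plain_author( $link ) {
	return esc_html( get_comment_author() );
}
add_filter( 'get_comment_author_link', 'plcu_plain_author' );

// 4. Stop WordPress from turning bare URLs inside the comment text into links.
remove_filter( 'comment_text', 'make_clickable', 9 );
```

Step 2 is the one that actually matters for what ends up in the database; steps 1 and 3 only change what the form offers and what the page shows.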
May 12th, 2009 at 6:25 am
What is Name ? says:
This is Script Testing On ur site.
<img href="http://www.google.co.in/intl/en_com/images/logo_plain.png">Google</a>
August 9th, 2009 at 12:56 am
Chuck says:
Thanks a lot for creating this plug-in. It’s very helpful to have this feature, and yours was the only one I found after searching for some time. Thanks again!
August 12th, 2009 at 11:14 am
Bobby says:
Does this still work? I uploaded the plugin to my plugin folder and pictures and HTML are still posted to comments. Any ideas?
Reply from Peter: Yup, as of now it’s been tested to work up to WordPress 2.8. This may be a silly question, but did you actually activate the plugin?
September 10th, 2009 at 12:06 pm
Andreas says:
Hi Peter, thank you for this nice Plugin
December 7th, 2009 at 3:05 pm
Andreas says:
I just discovered that WP executes javascript in comments but quickly found your plugin to solve this issue. Thanks!
February 24th, 2010 at 8:56 am
Carrie says:
My blogs, as you can see on my name, are riddled with comments like that which include HTML links etc. This plugin of yours is a lifesaver.
One question though, would it fix old comments as well?
Reply from Peter: Unfortunately, it does not fix old comments, but you could modify the plugin to only run when comments are displayed (thus fixing all comments). To do that, you would edit the plugin, remove the plc_comment_post function (and the associated filter at the bottom) and then replace the contents of the plc_comment_display function with:
$comment_to_display = htmlspecialchars( $comment_to_display );
return $comment_to_display;
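Peter’s display-time variant, expanded as an added example (not the plugin’s own code): it escapes on output so that comments stored before the plugin was installed are covered, and passes double_encode = false so that entities already in the stored text (for example the &lt; written by the input-time plugin, or an &amp; in an old comment) are not escaped a second time. The function names are invented for this example.

```php
<?php
// Display-time literal comments (added example; function names invented here).
// Escapes on output so that comments stored before the plugin existed are covered too.
function plcd_escape_for_display( $text ) {
	// double_encode = false: text already stored as an entity (&lt; written by the
	// input-time plugin, or &amp; in an old comment) is left alone instead of
	// becoming &amp;lt;, which the browser would show as a literal "&lt;".
	// A raw "<" or "&" that does not start an entity is still escaped, so a stored
	// <script> tag is rendered as text. ENT_QUOTES covers both quote characters.
	return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
}

// Priority 1: run before WordPress's own comment_text filters (wptexturize at 10,
// wpautop at 30), so the <p> tags and typographic entities they add afterwards
// are not escaped themselves.
add_filter( 'comment_text', 'plcd_escape_for_display', 1 );
add_filter( 'comment_text_rss', 'plcd_escape_for_display', 1 );
add_filter( 'comment_excerpt', 'plcd_escape_for_display', 1 );

// Bare URLs would otherwise be turned back into links at priority 9.
remove_filter( 'comment_text', 'make_clickable', 9 );
```

Output-time escaping only protects places that go through comment_text(); a theme that prints $comment->comment_content directly bypasses it, so check the comment template before relying on this.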
December 24th, 2010 at 6:54 am
Jahangir says:
Thanks for a great plugin. Using it on my site
July 4th, 2011 at 9:13 am
Steve says:
Using the photocrati theme on this site, I have not been able to get the plugin to work?
Reply from Peter: As far as I know, there isn’t anything theme-specific in this plugin, unless the theme has for some reason disabled common WordPress code hooks (which is very rare).
February 6th, 2012 at 2:09 pm
omar says:
thanks man, i was looking for this and now found it on your blog.
April 16th, 2012 at 11:26 am
Alshe Dupur says:
WOW.. It works for me. Thank you so much…
February 1st, 2013 at 11:28 am
Tom says:
Peter, thank you very much for your "Literal Comments" plugin! It works great and improves the security of my blog.
Occasionally however, I want to post a link in a comment. Is there any way by which I could override the plugin in my own comments? Maybe this could be a nice improvement for a future version – an option to override the plugin for logged-in users?
Reply from Peter: If you edit a comment in the WordPress admin panel, I believe that it bypasses the transformations that my plugin does.
October 24th, 2013 at 12:18 pm
Mike says:
This plugin doesn’t prevent visitors from posting <strong>strong</strong> comments?
Reply from Peter: It does prevent all tags, but only through the front-end. You can edit comments in the back-end without limitation.
June 23rd, 2015 at 7:54 am
Javier says:
Oh god, this is incredible, I have searched for this during hours. Thanks a lot!
Now, how can I disallow the post of the comment if it has HTML tags?
Reply from Peter: One option is to manage that with JavaScript. Or you could completely strip the tags instead of escaping them like the post mentions. You could set up a plugin to give an error message when it finds an HTML tag, although in that case a JavaScript solution might be a nicer user experience, since they could be warned about it before they submit something.
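Dan’s idea of allowing HTML only for trusted users, Tom’s request to override the plugin in his own comments, and Javier’s question about rejecting comments that contain tags can all be handled in one preprocess_comment filter. The following is an added example, not the original plugin: the PLCX_REJECT_HTML constant and the function names are invented for it, and the bypass is tied to the unfiltered_html capability rather than to being logged in.

```php
<?php
// Capability-aware literal comments (added example; not the original plugin).
// The constant and function names are invented for this example.

// true: refuse comments that contain tags; false: escape them so they show literally.
define( 'PLCX_REJECT_HTML', false );

// Does the text contain something a browser would start parsing as a tag,
// closing tag, comment or processing instruction? Deliberately strict:
// "a<b" is flagged, while "a < b" (with a space) is allowed.
function plcx_contains_markup( $text ) {
	return (bool) preg_match( '/<\/?[a-z!?]/i', $text );
}

function plcx_preprocess_comment( $commentdata ) {
	$content = $commentdata['comment_content'];

	// Least privilege: tie the bypass to the capability WordPress already uses to
	// decide who may post raw HTML, not merely to being logged in. Subscribers do
	// not have it, and WordPress skips its own kses filtering for users who do.
	if ( current_user_can( 'unfiltered_html' ) ) {
		return $commentdata;
	}

	if ( PLCX_REJECT_HTML && plcx_contains_markup( $content ) ) {
		wp_die(
			'HTML is not allowed in comments. Please remove the tags and try again.',
			'Comment Submission Failure',
			array( 'response' => 403, 'back_link' => true )
		);
	}

	// Escape everything else so it is displayed literally. ENT_QUOTES turns single
	// quotes into &#039;; the 2008 post worked around that entity being flagged as
	// spam at the time, a workaround this example leaves out.
	$commentdata['comment_content'] = htmlspecialchars( $content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	return $commentdata;
}
// Priority 0 so it runs before other preprocess_comment filters (e.g. anti-spam).
add_filter( 'preprocess_comment', 'plcx_preprocess_comment', 0 );

// Bare URLs in the escaped text must not be turned back into links.
remove_filter( 'comment_text', 'make_clickable', 9 );
```

Keying the bypass on unfiltered_html rather than is_user_logged_in() keeps subscribers out: by default only administrators and editors hold that capability, and on a multisite install only super admins. With PLCX_REJECT_HTML set to false the plugin behaves like Peter’s and escapes; set to true it refuses the comment with a 403 and a back link, which is the server-side check Peter mentions. A JavaScript warning on the form can sit in front of it for a nicer experience, but it cannot replace it, since the form can be bypassed.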