How to disable HTML in WordPress comments

First published on January 31, 2008

By default, WordPress allows certain tags in comments. Therefore commenters can add links, style text in bold and italics, add tables, and more. This can be quite useful.

Unfortunately for this site, almost no one has actually needed to use tags in comments, while many people have pasted code samples in comments only to see them disappear or be interpreted as HTML by the browser.

While you can write something like “<img>” by typing “&lt;img&gt;”, it’s not very convenient for people to do that.

Also, there doesn’t seem to be a quick option to simply disable HTML in WordPress comments. There is a pretty nice plugin that enables commenters to enclose any code in backticks. Anything in backticks is then nicely output in the comment as code. Depending on the nature of your site, this could be a good solution.

My solution for is simply to treat all comments literally, sort of like a plain text e-mail. Whatever the commenter types will be displayed literally. No “certain tags are allowed” or “do this to code samples”. Simple and a bit stubborn.

This is accomplished by way of a plugin that uses the simple htmlspecialchars PHP function. I’ve pasted the necessary plugin code below:

// This will occur when the comment is posted
function plc_comment_post( $incoming_comment ) {

	// convert everything in a comment to display literally
	$incoming_comment['comment_content'] = htmlspecialchars($incoming_comment['comment_content']);

	// the one exception is single quotes, which cannot be #039; because WordPress marks it as spam
	$incoming_comment['comment_content'] = str_replace( "'", '&apos;', $incoming_comment['comment_content'] );

	return( $incoming_comment );

// This will occur before a comment is displayed
function plc_comment_display( $comment_to_display ) {

	// Put the single quotes back in
	$comment_to_display = str_replace( '&apos;', "'", $comment_to_display );

	return $comment_to_display;

add_filter( 'preprocess_comment', 'plc_comment_post', '', 1 );
add_filter( 'comment_text', 'plc_comment_display', '', 1 );
add_filter( 'comment_text_rss', 'plc_comment_display', '', 1 );
add_filter( 'comment_excerpt', 'plc_comment_display', '', 1 );
// This stops WordPress from trying to automatically make hyperlinks on text:
remove_filter( 'comment_text', 'make_clickable', 9 );

What this does is it converts single quotes, double quotes, the less than symbol (<), the greater than symbol (>), and ampersands (&) to HTML entities whenever a comment is posted, so that they are displayed as-is when someone views the comment. It then passes the comment off to any subsequent processing that you might have (such as an anti-spam filter) so it should play nicely with other plugins. This also does not affect any subsequent editing by the site administrator, so I can add link tags to a comment in the rare time that a commenter intended to do that.

If you want to implement this plugin quickly, you can download what I call Peter’s Literal Comments. All you have to do is unzip it to your plugins directory, then activate it in the admin interface.


23 Responses to “How to disable HTML in WordPress comments”

  1. Dan says:

    Nice, thanks for posting this. I might take this code and spin it out into another plugin, if you have no objections?

    I want something that only allows html if you're a registered user, and for non-registered peeps it gets turned off. Shouldn't be too hard to turn yours into that, so it's a good exercise for me :)

    Thanks again!

  2. Peter says:

    Hi, sorry for the slow reply as there was a problem with commenting on my site. Did you manage to improve the plugin?

  3. Winwab says:

    Thanks for this valuable plugin. Do you have the latest version of this?

  4. Peter says:

    Hi Winwab, as far as I know, nobody has made a version newer than what you see here. Did you have trouble with the current version?

  5. Ryan Stille says:

    This works great, thank you. I have a technical blog, and I have always had problems with people posting code in comments.

    One small change I made to your plugin was to add indentation. I added these two lines:

    // RPS mod. Change tabs and groups of 2 spaces into 2 nbsp’s so things will indent properly
    $incoming_comment['comment_content'] = preg_replace( "/\t/", ‘&nbsp;&nbsp;&nbsp;&nbsp;’, $incoming_comment['comment_content'] );
    $incoming_comment['comment_content'] = str_replace( "  ", ‘&nbsp;&nbsp;’, $incoming_comment['comment_content'] );

  6. Peter says:

    Hi Ryan, thanks for sharing your additions! About the grouping of two spaces — I think the only way to preserve spacing would be to have &nbsp; in place of every space, because if someone started a line with only one space, that wouldn’t be preserved. Or is there a better way?

  7. Ryan Stille says:

    Most code isn’t indented with only one space – in the code I’ve seen anyway, its either 2, 4, 8 spaces or a tab. Even if a commenter uses three spaces this mod should still work.

    It does increase the size of the page though (replacing a 1 character space with a 5 character code). A minor trade off in my opinion. If you are using compression in your webserver the difference will be negligible anyway.

    BTW since we are talking about WordPress plugins, you might want to think about the "Subscribe to Comments" plug in. I just happened to think to check back on this today, to see if you had followed up on my comment, but I could have just has easily forgotten about it and never checked back. With the Subscribe to Comments plugin I can check a box when I make a comment, then I’ll get notifications when other people make comments on the same post.

  8. Peter says:

    You’re right. And actually, the use case for wanting to explicitly specify just one space occurs only after a new line, so we could add this rule after your rules:

    $incoming_comment['comment_content'] = preg_replace( "/\n\s/", "\n&nbsp;", $incoming_comment['comment_content'] );

    Thanks for the tip about the Subscribe to Comments plugin. I’ve considered it a few times, and need to psyche myself up to deal with managing bounced e-mails — something I might eventually give in to.

  9. Benjamin Flesch says:

    Nice this is exactly what I’ve been searching for :-) Thank you!

  10. Exam Philippines says:

    cool! thanks for sharing. by the way, how can i disable the URLs in my comments?

    Reply from Peter: If you don’t want to display what people write in the “URL” field, you can just modify you theme’s relevant template for that. As for disabling the auto-linking, that’s done by WordPress in a function called “make_clickable”; by default you can add this line to a plugin:

    remove_filter(‘comment_text’, ‘make_clickable’, 9);

  11. What is Name ? says:

    This is Script Testing On ur site.

    <img href="">Google</a>

  12. Chuck says:

    Thanks a lot for creating this plug-in. It’s very helpful to have this feature, and yours was the only one I found after searching for some time. Thanks again!

  13. Bobby says:

    Does this still work? I uploaded the plugin to my plugin folder and pictures and html still is posted to comments. Any ideas?

    Reply from Peter: Yup, as of now it’s been tested to work up to WordPress 2.8. This may be a silly question, but did you actually activate the plugin?

  14. Andreas says:

    Hi Peter, thank you for this nice Plugin :)

  15. Andreas says:

    I just discovered that WP executes javascript in comments but quickly found your plugin to solve this issue. Thanks!

  16. Carrie says:

    My blogs as you can see on my name are riddled with comment like that which include html links etc. This plugin of yours is a lifesaver.

    One question though, would it fixed old comments as well?

    Reply from Peter: Unfortunately, it does not fix old comments, but you could modify the plugin to only run when comments are displayed (thus fixing all comments). To do that, you would edit the plugin, remove the plc_comment_post function (and the associated filter at the bottom) and then replace the contents of the plc_comment_display function with:

    $comment_to_display = htmlspecialchars( $comment_to_display );
    return $comment_to_display;

  17. Jahangir says:

    Thanks for a great plugin. Using it on my site :)

  18. Steve says:

    using the photocrati theme on this site I have not been able to get the plugin to work?

    Reply from Peter: As far as I know, there isn’t anything theme-specific in this plugin, unless the theme has for some reason disabled common WordPress code hooks (which is very rare).

  19. omar says:

    thanks man, i was looking for this and now found it on your blog.

  20. Alshe Dupur says:

    WOW.. Its work for me. Thank you so much… :)

  21. Tom says:

    Peter, thank you very much for your "Literal Comments" plugin! It works great and improves the security of my blog.

    Occasionally however, I want to post a link in a comment. Is there any way by which I could override the plugin in my own comments? Maybe this could be a nice improvement for a future version – an option to override the plugin for logged-in users?

    Reply from Peter: If you edit a comment in the WordPress admin panel, I believe that it bypasses the transformations that my plugin does.

  22. Mike says:

    This plugin doesn’t prevent visitors from posting <strong>strong</strong> comments?

    Reply from Peter: It does prevent all tags, but only through the front-end. You can edit comments in the back-end without limitation.

  23. Javier says:

    Oh god, this is incredible, I have searched for this during hours. Thanks a lot!

    Now, how can I disallow the post of the comment if it have HTML tags?

    Reply from Peter: One option is to manage that with JavaScript. Or you could completely strip the tags instead of escaping them like the post mentions. You could set up a plugin to give an error message when it finds an HTML tag, although in that case a JavaScript solution might be a nicer user experience, since they could be warned about it before they submit something.

Speak your mind

To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Click to hear an audio file of the anti-spam word