4.6.x bootstrap.inc check_plain($text)
4.7.x bootstrap.inc check_plain($text)
5.x bootstrap.inc check_plain($text)
6.x bootstrap.inc check_plain($text)
7.x bootstrap.inc check_plain($text)

Encode special characters in a plain-text string for display as HTML.

Also validates strings as UTF-8 to prevent cross site scripting attacks on Internet Explorer 6.


$text: The text to be checked or processed.

Return value

An HTML safe version of $text, or an empty string if $text is not valid UTF-8.

See also


115 calls to check_plain()
aggregator_categorize_items in modules/aggregator/aggregator.pages.inc
Form builder; build the page list form.
aggregator_form_feed in modules/aggregator/aggregator.admin.inc
Form builder; Generate a form to add/edit feed sources.
aggregator_page_source in modules/aggregator/aggregator.pages.inc
Menu callback; displays all the items captured from a particular feed.
block_admin_display_form in modules/block/block.admin.inc
Generate main blocks administration form.
block_list in modules/block/block.module
Return all blocks in the specified region for the current user.

... See full list

5 string references to 'check_plain'
blogapi_admin_settings in modules/blogapi/blogapi.module
node_form_alter in modules/node/node.module
Implementation of hook_form_alter().
node_menu in modules/node/node.module
Implementation of hook_menu().
taxonomy_form_vocabulary in modules/taxonomy/taxonomy.admin.inc
Display form for adding and editing vocabularies.
user_menu in modules/user/user.module
Implementation of hook_menu().


includes/bootstrap.inc, line 852
Functions that need to be loaded on every Drupal request.


function check_plain($text) {
  static $php525;
  if (!isset($php525)) {
    $php525 = version_compare(PHP_VERSION, '5.2.5', '>=');

  // We duplicate the preg_match() to validate strings as UTF-8 from
  // drupal_validate_utf8() here. This avoids the overhead of an additional
  // function call, since check_plain() may be called hundreds of times during
  // a request. For PHP 5.2.5+, this check for valid UTF-8 should be handled
  // internally by PHP in htmlspecialchars().
  // @see http://www.php.net/releases/5_2_5.php
  // @todo remove this when support for either IE6 or PHP < 5.2.5 is dropped.
  if ($php525) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  return preg_match('/^./us', $text) == 1 ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : '';


forestmars’s picture

Drupal now has a php extension to accelerate check_plain (and also drupal_static.)

It's tested in php 5.3 (but not officially production ready) and should also work under php 5.2.


indytechcook’s picture

Which is for Drupal 7 only.

Andrew Udvare’s picture

Be careful if your strings have ampersands. This wants to replace them with literally '&&' which is certainly invalid. If you notice any characters going wrong with this, str_replace() is a perfectly valid option if you only need to replace 1 or 2 characters with their htmlspecialchars() variant. Otherwise, use htmlspecialchars() on your string.

Heine’s picture

Your comment is misguided.

You must use check_plain on plaintext strings before pasting them into HTML. If you see &amp;amp; appearing on strings containing an ampersand, it means you did some double escaping / called check_plain on a string that's already HTML.

mikehoward’s picture

as of 5.2.3 (according to php.net doc), htmlspecialchars() has a fourth argument: $double_encode = TRUE;
Setting it to FALSE will make check_plain() idempotent. I tested it on PHP 5.3.3 and it appears to work

php -r "echo htmlspecialchars('\'\"&<>&foo&"'<>', ENT_QUOTES, 'UTF-8', FALSE) . \"\n\";"

teodor.sandu’s picture

If you're developing a module and on hook_user at op=load you load an object or array in an existing object property (like i had mistakenly loaded an object into $account->status), you'll get an error from one of the 2 functions in this post's title, which are called from check_plain. I don't know why, but after the load hook there's no data integrity check, and type mismatch errors propagate through to here.

So if you're loading additional data in hook_user at op=load (or hook_user_load in D7) be sure to load it in a custom variable or something, just never in an existing object member (unless you mean it).

The problem is that it's unintuitive to look in hook_user (_load) when those errors occur, and this type of issue can be very tricky to detect. A stack trace doesn't make much sense either and can send you in wrong directions (as it did to me), but who knows, it might also save you. So I hope this helps anyone having the same trouble I did.

Have fun :)

ice5nake’s picture

Why isn't the double encode flag set to false?

I feel that mikehoward raises a good point that check_plain should be idempotent.

mikeker’s picture

Because Drupal 6.x supports PHP versions as far back as 4.4.0