
Htmlspecialchars

Reference on PHP Htmlspecialchars – how it is used, and what it is used for.

Edited: 2012-06-05 12:01

The htmlspecialchars function of PHP replaces characters that have a special meaning in HTML. Such characters must be escaped when they are meant to be displayed literally rather than interpreted as markup. Escaping them is also what stops user-supplied input, such as text posted in comment sections, from being interpreted as script (cross-site scripting).

  • & (ampersand) replaced with &amp;
  • < (less than) replaced with &lt;
  • > (greater than) replaced with &gt;
  • " (double quote) replaced with &quot; when ENT_NOQUOTES is not set.
  • ' (single quote) replaced with &#039; when ENT_QUOTES is set.

Flags

ENT_COMPAT – Leaves single quotes intact, but replaces the double quotes.
ENT_QUOTES – Replaces both single and double quotes.
ENT_NOQUOTES – Leaves both single and double quotes untouched.
ENT_SUBSTITUTE – Replaces invalid code unit sequences with the Unicode replacement character U+FFFD or &#xFFFD; instead of returning an empty string.
ENT_DISALLOWED – Replaces code points that are invalid in the given document type with a Unicode replacement character.
ENT_HTML5 – Handle code as HTML 5.
ENT_HTML401 – Handle code as HTML 4.01.
ENT_XML1 – Handle code as XML 1.
ENT_XHTML – Handle code as XHTML.

Encoding

ISO-8859-1 – Western European, Latin-1.
ISO-8859-15 – Western European, Latin-9.
UTF-8 – 8-bit Unicode.
cp1252 – Windows-specific charset for Western European.

Htmlspecialchars Examples

The example below replaces the greater-than and less-than signs while leaving the quotation marks alone – this lets the tags themselves be displayed as text in the browser.

<?php
 echo htmlspecialchars("<h1>Just some HTML</h1>", ENT_NOQUOTES);
?>

Multiple flags are combined with the bitwise OR operator (|), for example when you want to use ENT_DISALLOWED and also supply a document type:

<?php
 echo htmlspecialchars("<h1>Just some HTML</h1>", ENT_QUOTES | ENT_DISALLOWED | ENT_HTML5, 'UTF-8');
?>

With ENT_HTML5 this replaces single quotes with &apos;, whereas for the other document types the numeric entity &#039; is used.
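The following is an added example, not code from the original page or from the PHP documentation. It wraps htmlspecialchars in a small helper (the name escapeHtml and all sample inputs are constructed for this illustration) and shows why the quote flags matter when the escaped value lands inside an attribute rather than between tags, and what ENT_SUBSTITUTE changes for malformed UTF-8:

```php
<?php
// Added example, not code from the original page. It wraps htmlspecialchars()
// in a helper and shows the two output contexts where the flag choice matters.
// The helper name escapeHtml() and all sample inputs are constructed for this
// illustration.

declare(strict_types=1);

// Escape untrusted text for output into HTML. Flags and charset are given
// explicitly rather than relying on PHP's defaults, which have changed between
// versions: ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE keeps invalid
// UTF-8 from turning the whole result into an empty string, and ENT_HTML5
// selects the HTML 5 entity table (a single quote becomes &apos;).
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs, as a visitor might submit them through a comment form.
$comment = '<script>alert(1)</script> Tom & "Jerry"';
$title   = 'x" onmouseover="alert(1)';

// Text between tags: the <script> element is shown literally, not executed,
// because <, >, & and the quotes are all turned into entities.
echo '<p>' . escapeHtml($comment) . "</p>\n";

// Inside a double-quoted attribute the double quote must be encoded too;
// otherwise the value terminates the attribute early and the remainder of the
// input is parsed as further attributes. escapeHtml() covers this because it
// passes ENT_QUOTES.
echo '<a title="' . escapeHtml($title) . '">link</a>' . "\n";

// ENT_NOQUOTES, as used in the first example on this page, is only appropriate
// for text between tags. In an attribute value the " passes through unchanged
// and the title attribute ends right after the x, so this line shows the
// flag combination NOT to use in that position.
echo '<a title="' . htmlspecialchars($title, ENT_NOQUOTES) . '">link</a>' . "\n";

// Why ENT_SUBSTITUTE belongs in the default flag set: "\xC3" is the first byte
// of a two-byte UTF-8 sequence with nothing following it (constructed input).
$broken = "caf\xC3";
// Without ENT_SUBSTITUTE the invalid sequence makes the function return "" and
// the content silently disappears; with it the bad byte becomes U+FFFD.
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8'));
var_dump(htmlspecialchars($broken, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
```

Run it with the php command-line interpreter. The first two echo lines print the tags and quotes as entities, the third prints a title attribute that closes after the x, and the two var_dump calls print an empty string followed by the text with a replacement character, which is the difference the ENT_SUBSTITUTE flag makes.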

See also

  1. Special characters in HTML – more on special characters