PHP's htmlspecialchars function replaces characters that have a special meaning in HTML with their entity equivalents. Such characters must be escaped whenever you want them displayed literally rather than interpreted as markup. Escaping them is also how you stop user-supplied text, for example in a comment section, from injecting scripts into your pages (cross-site scripting).
- `&` (ampersand) replaced with `&amp;`
- `<` (less than) replaced with `&lt;`
- `>` (greater than) replaced with `&gt;`
- `"` (double quote) replaced with `&quot;` when ENT_NOQUOTES is not set.
- `'` (single quote) replaced with `&#039;` (or `&apos;` for ENT_XML1, ENT_XHTML and ENT_HTML5) when ENT_QUOTES is set.
| Flag | Meaning |
|---|---|
| ENT_COMPAT | Leaves single quotes intact, but replaces the double quotes. |
| ENT_QUOTES | Replaces both single and double quotes. |
| ENT_NOQUOTES | Leaves both single and double quotes untouched. |
| ENT_SUBSTITUTE | Replace invalid code unit sequences with a Unicode replacement character, U+FFFD or `&#xFFFD;`, instead of returning an empty string. |
| ENT_DISALLOWED | Replace invalid code points with a Unicode replacement character, depending on what the given document type allows. |
| ENT_HTML5 | Handle code as HTML 5. |
| ENT_HTML401 | Handle code as HTML 4.01. |
| ENT_XML1 | Handle code as XML 1. |
| ENT_XHTML | Handle code as XHTML. |

| Charset | Description |
|---|---|
| ISO-8859-1 | Western European, Latin-1. |
| ISO-8859-15 | Western European, Latin-9. |
| cp1252 | Windows-specific charset for Western European. |
The call below replaces the greater-than and less-than signs but leaves the quotation marks alone; this lets the tags themselves be displayed as text in the browser.

```php
<?php echo htmlspecialchars("<h1>Just some HTML</h1>", ENT_NOQUOTES); ?>
```
To use multiple flags, combine them with the bitwise OR operator (`|`), for example when you want to use ENT_DISALLOWED and supply a document type as well:

```php
<?php echo htmlspecialchars("<h1>Just some HTML</h1>", ENT_QUOTES | ENT_DISALLOWED | ENT_HTML5, 'UTF-8'); ?>
```

Because ENT_HTML5 is set, this replaces single quotes with `&apos;`, whereas for other document types the numerical `&#039;` entity would be used.
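The following is an added example, not code from the original page: a small output-encoding helper built on the flags above, run against constructed inputs to show where ENT_NOQUOTES leaves an attribute value unprotected and where ENT_SUBSTITUTE keeps malformed UTF-8 from blanking a field. The helper name `e()` and the sample strings are my own choices.

```php
<?php
declare(strict_types=1);

/**
 * Encode untrusted text for an HTML5 page, safe both in element content
 * and inside a quoted attribute value. Passing the flags explicitly avoids
 * relying on the version-dependent default flags of htmlspecialchars().
 */
function e(string $untrusted): string
{
    // ENT_QUOTES: escape both quote kinds so the text cannot end a quoted attribute.
    // ENT_SUBSTITUTE: emit U+FFFD for bad byte sequences instead of returning ''.
    // ENT_HTML5: use HTML5 names (' becomes &apos; rather than &#039;).
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample: a comment containing both quote kinds and an ampersand.
$comment = "Rock \"n\" Roll & 'Blues'";

// ENT_NOQUOTES keeps the quotes, so this is only safe as element content;
// inside title="..." the first " would terminate the attribute value.
echo htmlspecialchars($comment, ENT_NOQUOTES), PHP_EOL;
// Rock "n" Roll &amp; 'Blues'

// With e() the same text is safe in both positions.
echo e($comment), PHP_EOL;
// Rock &quot;n&quot; Roll &amp; &apos;Blues&apos;
echo '<a title="' . e($comment) . '">' . e($comment) . '</a>', PHP_EOL;

// Constructed sample: "caf" followed by a lone 0xE9 byte (Latin-1 e-acute),
// which is not valid UTF-8.
$badUtf8 = "caf\xE9";

// Without ENT_SUBSTITUTE, an invalid sequence makes the whole result empty,
// which can silently erase a user's input or a label on the page.
echo var_export(htmlspecialchars($badUtf8, ENT_QUOTES, 'UTF-8'), true), PHP_EOL;
// ''

// With ENT_SUBSTITUTE (via e()), the bad byte becomes U+FFFD and the rest survives.
echo e($badUtf8), PHP_EOL;
// caf\xEF\xBF\xBD  (displayed as the replacement character)
```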
- Special characters in HTML – more on special characters