PHP htmlspecialchars() function

Example

Convert predefined characters "<" (less than) and ">" (greater than) to HTML entities:

<?php
$str = "This is some <b>bold</b> text.";
echo htmlspecialchars($str);
?>

The HTML output of the above code is as follows (view source code):

<!DOCTYPE html>
<html>
<body>
This is some &lt;b&gt;bold&lt;/b&gt; text.
</body>
</html>

Browser Output of the Above Code:

This is some <b>bold</b> text.


Definition and Usage

The htmlspecialchars() function converts predefined characters to HTML entities.

The predefined characters are:

  • & (ampersand) becomes &amp;
  • " (double quote) becomes &quot; (unless ENT_NOQUOTES is set)
  • ' (single quote) becomes &#039; (or &apos; with ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set
  • < (less than) becomes &lt;
  • > (greater than) becomes &gt;

Tip: To convert these HTML entities back to characters, use the htmlspecialchars_decode() function.

Syntax

htmlspecialchars(string, flags, character-set, double_encode)

Parameter Description

string

Required. Specifies the string to be converted.

flags

Optional. Specifies how to handle quotes, invalid encoding, and which document type to use. Several flags are combined with the bitwise OR operator (|), for example ENT_QUOTES | ENT_SUBSTITUTE.

Available quote types:

  • ENT_COMPAT - Encode double quotes only. This was the default before PHP 8.1.0.
  • ENT_QUOTES - Encode both double and single quotes. Part of the default (ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401) since PHP 8.1.0. Use it whenever the output is placed inside an attribute value: an unescaped single quote can otherwise close a single-quoted attribute.
  • ENT_NOQUOTES - Do not encode any quotes. Only suitable for text content, never for attribute values.

Invalid encoding:

  • ENT_IGNORE - Silently drop invalid code unit sequences instead of returning an empty string. Its use is discouraged because it may have security implications.
  • ENT_SUBSTITUTE - Replace invalid code unit sequences with the Unicode replacement character U+FFFD (for UTF-8) or &#xFFFD; (for other character sets) instead of returning an empty string.
  • ENT_DISALLOWED - Replace code points that are invalid in the specified document type with the Unicode replacement character U+FFFD (for UTF-8) or &#xFFFD; (for other character sets) instead of leaving them as they are. Useful, for example, to keep XML output well-formed when it embeds external content.

Additional flags for specifying the document type used:

  • ENT_HTML401 - Default. Processed as HTML 4.01.
  • ENT_HTML5 - Processed as HTML 5.
  • ENT_XML1 - Processed as XML 1.
  • ENT_XHTML - Processed as XHTML.
character-set

Optional. A string that specifies the character encoding of the input string. It must match the encoding the data actually uses; otherwise multi-byte sequences are misread and may be treated as invalid encoding (see the flags above).

Allowed values:

  • UTF-8 - Default. ASCII-compatible multi-byte 8-bit Unicode
  • ISO-8859-1 - Western European
  • ISO-8859-15 - Western European (including the euro symbol + the French and Finnish letters missing in ISO-8859-1)
  • cp866 - DOS-specific Cyrillic character set
  • cp1251 - Windows-specific Cyrillic character set
  • cp1252 - Windows-specific Western European character set
  • KOI8-R - Russian
  • BIG5 - Traditional Chinese, mainly used in Taiwan
  • GB2312 - Simplified Chinese, national standard character set
  • BIG5-HKSCS - Big5 with Hong Kong extension
  • Shift_JIS - Japanese
  • EUC-JP - Japanese
  • MacRoman - Character set used by the Mac operating system

Note: Before PHP 5.4, an unrecognized character set was ignored and ISO-8859-1 was used instead. As of PHP 5.4, an unrecognized character set is ignored, UTF-8 is used instead, and a warning is emitted.

double_encode

Optional. A boolean value that specifies whether existing HTML entities are encoded again.

  • TRUE - Default. Everything is converted, so an existing entity such as &amp; becomes &amp;amp;.
  • FALSE - Existing, well-formed HTML entities are left as they are. An ampersand that does not start a valid entity is still encoded.
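The parameter descriptions above, worked through as an added example (this code is not from the original page; the helper name esc() and every input string are constructed for the demonstration). It shows why ENT_QUOTES matters inside a single-quoted attribute, how the document-type flags change the entity used for a single quote, and what double_encode does to entities that are already present:

```php
<?php
// Added example, not part of the original page: shows how the flags and
// double_encode parameters change what htmlspecialchars() emits. The helper
// name esc() and every input string below are constructed for this demo.
declare(strict_types=1);

// Escapes a UTF-8 string for an HTML text node or a quoted attribute value.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE keeps invalid byte
// sequences from turning the whole result into "". No document-type flag is
// given, so ENT_HTML401 applies and ' becomes &#039;.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Quote context. ENT_COMPAT (the default before PHP 8.1.0) leaves the
//    single quote alone, so a value rendered inside a single-quoted attribute
//    can terminate that attribute and start another one.
$payload = "' onmouseover='alert(1)";

$weak = "<input value='" . htmlspecialchars($payload, ENT_COMPAT, 'UTF-8') . "'>";
$safe = "<input value='" . esc($payload) . "'>";

echo $weak, "\n"; // <input value='' onmouseover='alert(1)'>  (a new attribute was injected)
echo $safe, "\n"; // <input value='&#039; onmouseover=&#039;alert(1)'>  (still one attribute)

// ENT_NOQUOTES is only acceptable for text nodes, never for attribute values:
echo "<input value=\"" . htmlspecialchars('" autofocus onfocus="alert(1)', ENT_NOQUOTES, 'UTF-8') . "\">", "\n";
// <input value="" autofocus onfocus="alert(1)">

// 2. Document type. With ENT_HTML5 or ENT_XML1 the single quote is emitted as
//    &apos; instead of the numeric &#039; used for ENT_HTML401.
echo htmlspecialchars("it's", ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n"; // it&apos;s
echo htmlspecialchars("it's", ENT_QUOTES | ENT_XML1,  'UTF-8'), "\n"; // it&apos;s

// 3. double_encode. With FALSE an existing, well-formed entity is kept as is;
//    with TRUE (the default) its ampersand is encoded again. A bare "&" that
//    does not start a valid entity is encoded either way.
$entity = 'Tom &amp; Jerry &lt;3 & more';

echo htmlspecialchars($entity, ENT_QUOTES, 'UTF-8', false), "\n"; // Tom &amp; Jerry &lt;3 &amp; more
echo htmlspecialchars($entity, ENT_QUOTES, 'UTF-8', true),  "\n"; // Tom &amp;amp; Jerry &amp;lt;3 &amp; more
```

htmlspecialchars() is an encoder for HTML text content and quoted attribute values only. It does not make a value safe inside a <script> block, an unquoted attribute, a URL, or a CSS declaration; those contexts need their own encoders.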

Technical details

Return value:

Returns the converted string.

If the string contains invalid code unit sequences for the given character set, an empty string is returned, unless the ENT_IGNORE or ENT_SUBSTITUTE flag is set.
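The empty-string return value just described, as an added example (this code is not from the original page; the helper name escOrFail() and the byte strings are constructed for the demonstration, and the mb_convert_encoding() call assumes the mbstring extension is loaded). It shows the three outcomes for a byte sequence that is valid ISO-8859-1 but invalid UTF-8, and a guard for callers that pass explicit flags without ENT_SUBSTITUTE:

```php
<?php
// Added example, not part of the original page: shows the empty-string return
// value for invalid input and how to handle it. The helper name escOrFail()
// and the byte strings below are constructed for this demo.
declare(strict_types=1);

// "\xE9" is "é" in ISO-8859-1 but is not a valid UTF-8 sequence.
$latin1 = "caf\xE9";

// Declared as UTF-8 without ENT_SUBSTITUTE: the whole value disappears.
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'UTF-8'));                  // string(0) ""

// With ENT_SUBSTITUTE only the bad byte is replaced by U+FFFD (bytes EF BF BD).
var_dump(htmlspecialchars($latin1, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')); // string(6) "caf\xEF\xBF\xBD"

// Declared with the encoding the data really uses: nothing is invalid.
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'ISO-8859-1'));             // string(4) "caf\xE9"

// Converting first and then escaping as UTF-8 is the usual fix when a legacy
// source feeds a UTF-8 page (requires the mbstring extension).
var_dump(htmlspecialchars(mb_convert_encoding($latin1, 'UTF-8', 'ISO-8859-1'), ENT_QUOTES, 'UTF-8')); // string(5) "café"

// Guard for code that calls htmlspecialchars() with explicit flags that omit
// ENT_SUBSTITUTE (or that runs on PHP < 5.4, where the flag does not exist).
// An empty result from non-empty input means the input was rejected, not that
// it was empty, so it is reported as an error instead of being rendered as "".
function escOrFail(string $s, string $encoding = 'UTF-8'): string
{
    $out = htmlspecialchars($s, ENT_QUOTES, $encoding);
    if ($out === '' && $s !== '') {
        throw new InvalidArgumentException("input is not valid $encoding");
    }
    return $out;
}

try {
    escOrFail($latin1);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n"; // input is not valid UTF-8
}
```

Because ENT_SUBSTITUTE is part of the default flags since PHP 8.1.0, the blank-output case only arises when flags are passed explicitly without it, which is exactly where the guard above belongs.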

PHP version: 4+

Update log:

In PHP 8.1.0, the default value of the flags parameter was changed from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

In PHP 5.4, the default value of the character-set parameter was changed to UTF-8.

In PHP 5.4, the following flags were added: ENT_SUBSTITUTE, ENT_DISALLOWED, ENT_HTML401, ENT_HTML5, ENT_XML1, and ENT_XHTML.

In PHP 5.3, ENT_IGNORE was added.

In PHP 5.2.3, the double_encode parameter was added.

In PHP 4.1, the character-set parameter was added.

More Examples

Example 1

Convert some predefined characters to HTML entities:

<?php
$str = "Bill & 'Steve'";
echo htmlspecialchars($str, ENT_COMPAT); // Only convert double quotes
echo "<br>";
echo htmlspecialchars($str, ENT_QUOTES); // Convert double quotes and single quotes
echo "<br>";
echo htmlspecialchars($str, ENT_NOQUOTES); // Do not convert any quotes
?>

The HTML output of the above code is as follows (view source code):

<!DOCTYPE html>
<html>
<body>
Bill &amp; 'Steve'<br>
Bill &amp; &#039;Steve&#039;<br>
Bill &amp; 'Steve'
</body>
</html>

Browser Output of the Above Code:

Bill & 'Steve'
Bill & 'Steve'
Bill & 'Steve'


Example 2

Convert double quotes to HTML entities:

<?php
$str = 'I love "PHP".';
echo htmlspecialchars($str, ENT_QUOTES); // Convert double quotes and single quotes
?>

The HTML output of the above code is as follows (view source code):

<!DOCTYPE html>
<html>
<body>
I love &quot;PHP&quot;.
</body>
</html>

Browser Output of the Above Code:

I love "PHP".
