HomeMenu
Jesus · Bible · HTML · CSS · JS · PHP · SVG · Applications

htmlspecialchars

Description

The htmlspecialchars of String for PHP convert special characters to HTML entities.

Syntax

htmlspecialchars(
    string $string,
    int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
    ?string $encoding = null,
    bool $double_encode = true
): string

Parameters

string

The string being converted.

CharacterReplacement
& (ampersand)&
" (double quote)", unless ENT_NOQUOTES is set
' (single quote)' (for ENT_HTML401) or ' (for ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set
< (less than)&lt;
> (greater than)&gt;

flags

A bitmask of one or more of the following flags, which specify how to handle quotes, invalid code unit sequences and the used document type. The default is ENT_COMPAT | ENT_HTML401.

Constant NameDescription
ENT_COMPATWill convert double-quotes and leave single-quotes alone.
ENT_QUOTESWill convert both double and single quotes.
ENT_NOQUOTESWill leave both double and single quotes unconverted.
ENT_IGNORESilently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it may have security implications.
ENT_SUBSTITUTEReplace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#xFFFD; (otherwise) instead of returning an empty string.
ENT_DISALLOWEDReplace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#xFFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
ENT_HTML401Handle code as HTML 4.01.
ENT_XML1Handle code as XML 1.
ENT_XHTMLHandle code as XHTML.
ENT_HTML5Handle code as HTML 5.

encoding

An optional argument defining the encoding used when converting characters.

If omitted, encoding defaults to the value of the default_charset configuration option.

Although this argument is technically optional, you are highly encouraged to specify the correct value for your code if the default_charset configuration option may be set incorrectly for the given input.

For the purposes of this function, the encodings ISO-8859-1, ISO-8859-15, UTF-8, cp866, cp1251, cp1252, and KOI8-R are effectively equivalent, provided the string itself is valid for the encoding, as the characters affected by htmlspecialchars() occupy the same positions in all of these encodings.

CharsetAliasesDescription
ISO-8859-1ISO8859-1Western European, Latin-1.
ISO-8859-5ISO8859-5Little used cyrillic charset (Latin/Cyrillic).
ISO-8859-15ISO8859-15Western European, Latin-9. Adds the Euro sign, French and Finnish letters missing in Latin-1 (ISO-8859-1).
UTF-8ASCII compatible multi-byte 8-bit Unicode.
cp866ibm866, 866DOS-specific Cyrillic charset.
cp1251Windows-1251, win-1251, 1251Windows-specific Cyrillic charset.
cp1252Windows-1252, 1252Windows specific charset for Western European.
KOI8-Rkoi8-ru, koi8rRussian
BIG5950Traditional Chinese, mainly used in Taiwan.
GB2312936Simplified Chinese, national standard character set.
BIG5-HKSCSBig5 with Hong Kong extensions, Traditional Chinese.
Shift_JISSJIS, SJIS-win, cp932, 932Japanese
EUC-JPEUCJP, eucJP-winJapanese
MacRomanCharset that was used by Mac OS.
''An empty string activates detection from script encoding (Zend multibyte), default_charset and current locale (see nl_langinfo() and setlocale()), in this order. Not recommended.

Note: Any other character sets are not recognized. The default encoding will be used instead and a warning will be emitted.

double_encode

When double_encode is turned off PHP will not encode existing html entities, the default is to convert everything.

Return

The converted string.

If the input string contains an invalid code unit sequence within the given encoding an empty string will be returned, unless either the ENT_IGNORE or ENT_SUBSTITUTE flags are set.

Examples

1 · string

<?

$string = "& | &amp;" . PHP_EOL
. "\" | &quot;" . PHP_EOL
. "' | &#039;" . PHP_EOL
. "< | &lt;" . PHP_EOL
. "> | &gt;" . PHP_EOL
. "über | &uuml;ber" . PHP_EOL
. "<b>bold</b> | &lt;b&gt;bold&lt;/b&gt;";

$return = htmlspecialchars($string);

echo $return;
&amp; | &amp;amp;
&quot; | &amp;quot;
&#039; | &amp;#039;
&lt; | &amp;lt;
&gt; | &amp;gt;
über | &amp;uuml;ber
&lt;b&gt;bold&lt;/b&gt; | &amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt;

2 · flags

<?

$string = "& | &amp;" . PHP_EOL
. "\" | &quot;" . PHP_EOL
. "' | &#039;" . PHP_EOL
. "< | &lt;" . PHP_EOL
. "> | &gt;" . PHP_EOL
. "über | &uuml;ber" . PHP_EOL
. "<b>bold</b> | &lt;b&gt;bold&lt;/b&gt;";
$flags = ENT_QUOTES;

$return = htmlspecialchars($string, $flags);

echo $return;
&amp; | &amp;amp;
&quot; | &amp;quot;
&#039; | &amp;#039;
&lt; | &amp;lt;
&gt; | &amp;gt;
über | &amp;uuml;ber
&lt;b&gt;bold&lt;/b&gt; | &amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt;

3 · encoding

<?

$string = "& | &amp;" . PHP_EOL
. "\" | &quot;" . PHP_EOL
. "' | &#039;" . PHP_EOL
. "< | &lt;" . PHP_EOL
. "> | &gt;" . PHP_EOL
. "über | &uuml;ber" . PHP_EOL
. "<b>bold</b> | &lt;b&gt;bold&lt;/b&gt;";
$flags = ENT_QUOTES;
$encoding = "UTF-8";

$return = htmlspecialchars($string, $flags, $encoding);

echo $return;
&amp; | &amp;amp;
&quot; | &amp;quot;
&#039; | &amp;#039;
&lt; | &amp;lt;
&gt; | &amp;gt;
über | &amp;uuml;ber
&lt;b&gt;bold&lt;/b&gt; | &amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt;

4 · double_encode

<?

$string = "& | &amp;" . PHP_EOL
. "\" | &quot;" . PHP_EOL
. "' | &#039;" . PHP_EOL
. "< | &lt;" . PHP_EOL
. "> | &gt;" . PHP_EOL
. "über | &uuml;ber" . PHP_EOL
. "<b>bold</b> | &lt;b&gt;bold&lt;/b&gt;";
$flags = ENT_QUOTES;
$encoding = "UTF-8";
$double_encode = false;

$return = htmlspecialchars($string, $flags, $encoding, $double_encode);

echo $return;
&amp; | &amp;
&quot; | &quot;
&#039; | &#039;
&lt; | &lt;
&gt; | &gt;
über | &uuml;ber
&lt;b&gt;bold&lt;/b&gt; | &lt;b&gt;bold&lt;/b&gt;