Guide - How to use htmlspecialchars() function in PHP To begin you have to understand 1 simple concept: Render. What Render is? Render is when the HTML transforms <b>Hello</b>
to bold like this Hello. That's render. So...When to use the htmlspecialchars() function? Wherever you want to render HTML contents. For example, if you are using JQuery and you do this: $("#YourDiv").html("<b>Hello</b>");
The div
contents will be Hello. It rendered the text into HTML. If you want to display the message in this way (was wrote by user): <b>Hello</b>
you have to put: $("#YourDiv").text("<b>Hello</b>");
In that way the Hello will never be rendered. If you want to load the message (as wrote by user) into a textbox, textarea, etc... You have to put: <input type="text" class="Texbox1" value="">
<script>
$(".Textbox1").val("<b>Hello</b>");
</script>
That will display <b>Hello</b>
Inside the Textbox without problems. Conclusion: What ever data the user input into
your forms, etc...Save the data as normally. Do not use any function. If user sent 12345 save as it is. Do not filter nothing. You only have to filter when you are going to display the data in the page to the users. YOU, ONLY YOU decide if you want to render or not what the user wrote. *Remember that. Regards! ❮ PHP String Reference ExampleConvert the predefined characters "<" (less than) and ">" (greater than) to HTML entities: <?php
$str = "This is some <b>bold</b> text.";
echo htmlspecialchars($str);
?> The HTML output of the code above will be (View Source): <!DOCTYPE html>
<html>
<body>
This is some <b>bold</b> text.
</body>
</html> The browser output of the code above will be: This is some <b>bold</b> text. Try it Yourself »
Definition and UsageThe htmlspecialchars() function converts some predefined characters to HTML entities. The
predefined characters are: - & (ampersand) becomes &
- " (double quote) becomes "
- ' (single quote) becomes '
- < (less than) becomes <
- > (greater than) becomes >
Tip: To convert special HTML entities back to characters, use the htmlspecialchars_decode() function.
Syntax
htmlspecialchars(string,flags,character-set,double_encode) Parameter Values
| Parameter | Description |
|---|
| string
| Required. Specifies the string to convert
| | flags
| Optional. Specifies how to handle quotes, invalid encoding and the used document type. The available quote styles are: - ENT_COMPAT - Default. Encodes only double quotes
- ENT_QUOTES - Encodes double and single quotes
- ENT_NOQUOTES - Does not encode any quotes
Invalid encoding: - ENT_IGNORE - Ignores invalid encoding instead of having the function return an empty string. Should be avoided, as it may have security implications.
- ENT_SUBSTITUTE
- Replaces invalid encoding for a specified character set with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; instead of returning an empty string.
- ENT_DISALLOWED - Replaces code points that are invalid in the specified doctype with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD;
Additional flags for specifying the used doctype: - ENT_HTML401 - Default. Handle code as HTML 4.01
- ENT_HTML5 - Handle code as HTML 5
- ENT_XML1 -
Handle code as XML 1
- ENT_XHTML - Handle code as XHTML
| | character-set
| Optional. A string that specifies which character-set to use. Allowed values are: - UTF-8 - Default. ASCII compatible multi-byte 8-bit Unicode
- ISO-8859-1 - Western European
- ISO-8859-15 - Western European (adds the Euro sign + French and Finnish letters missing in ISO-8859-1)
- cp866 - DOS-specific Cyrillic charset
- cp1251 - Windows-specific Cyrillic charset
- cp1252 - Windows specific charset for Western European
- KOI8-R - Russian
- BIG5 - Traditional Chinese, mainly used in Taiwan
- GB2312 - Simplified Chinese, national standard character set
- BIG5-HKSCS - Big5 with Hong Kong extensions
- Shift_JIS - Japanese
- EUC-JP - Japanese
- MacRoman - Character-set that was used by Mac OS
Note: Unrecognized character-sets will be ignored and replaced by ISO-8859-1 in versions prior to PHP 5.4. As of PHP 5.4, it will be ignored an replaced by UTF-8.
| | double_encode
| Optional. A boolean value that specifies whether to encode existing html entities or not. - TRUE - Default. Will convert everything
- FALSE - Will not encode existing html entities
|
Technical Details
| Return Value: | Returns the converted string If the string contains invalid encoding, it will return an empty string, unless either the ENT_IGNORE or ENT_SUBSTITUTE flags are set
|
|---|
| PHP Version: | 4+
|
|---|
| Changelog: | PHP 5.6 - Changed the default value for the character-set parameter to the value of the default charset (in configuration).
PHP 5.4 - Changed the default value for the character-set parameter to UTF-8.
PHP 5.4 - Added ENT_SUBSTITUTE, ENT_DISALLOWED, ENT_HTML401, ENT_HTML5, ENT_XML1 and ENT_XHTML
PHP 5.3 - Added ENT_IGNORE constant.
PHP 5.2.3 - Added the double_encode parameter.
PHP 4.1 - Added the
character-set
parameter.
|
|---|
More ExamplesExampleConvert some predefined characters to HTML entities: <?php
$str = "Jane & 'Tarzan'";
echo htmlspecialchars($str, ENT_COMPAT); // Will only convert double quotes
echo "<br>";
echo htmlspecialchars($str, ENT_QUOTES); // Converts double and single quotes
echo "<br>";
echo htmlspecialchars($str, ENT_NOQUOTES); // Does not convert any quotes
?> The HTML output of the code
above will be (View Source): <!DOCTYPE html>
<html>
<body>
Jane & 'Tarzan'<br>
Jane & 'Tarzan'<br>
Jane & 'Tarzan'
</body>
</html> The browser output of the code above will be: Jane & 'Tarzan'
Jane & 'Tarzan'
Jane & 'Tarzan' Try it Yourself » ExampleConvert double quotes to HTML entities: <?php
$str = 'I love "PHP".';
echo htmlspecialchars($str, ENT_QUOTES); // Converts double and single quotes
?> The HTML output of the code above will be (View Source): <!DOCTYPE html>
<html>
<body>
I love "PHP".
</body>
</html> The browser output of the code above will be: I love "PHP". Try it Yourself »
❮ PHP String Reference
Why is the Htmlspecialchars () function used?
Description. The htmlspecialchars() function is used to converts special characters ( e.g. & (ampersand), " (double quote), ' (single quote), < (less than), > (greater than)) to HTML entities ( i.e. & (ampersand) becomes &, ' (single quote) becomes ', < (less than) becomes < (greater than) becomes > ).
What does Htmlspecialchars mean in PHP?
The htmlspecialchars() function converts special characters into HTML entities. It is the in-built function of PHP, which converts all pre-defined characters to the HTML entities.
What's the difference between HTML entities () and htmlspecialchars ()?
Difference between htmlentities() and htmlspecialchars() function: The only difference between these function is that htmlspecialchars() function convert the special characters to HTML entities whereas htmlentities() function convert all applicable characters to HTML entities.
Does Htmlspecialchars prevent XSS?
Using htmlspecialchars() function – The htmlspecialchars() function converts special characters to HTML entities. For a majority of web-apps, we can use this method and this is one of the most popular methods to prevent XSS. This process is also known as HTML Escaping.
| 
