Put html in php string

htmlspecialchars

Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with these conversions made. If you require all input substrings that have associated named entities to be translated, use htmlentities() instead.

If the input string passed to this function and the final document share the same character set, this function is sufficient to prepare input for inclusion in most contexts of an HTML document. If, however, the input can represent characters that are not coded in the final document character set and you wish to retain those characters (as numeric or named entities), both this function and htmlentities() (which only encodes substrings that have named entity equivalents) may be insufficient. You may have to use mb_encode_numericentity() instead.

Performed translations

Character Replacement
& (ampersand) &amp;
" (double quote) &quot;, unless ENT_NOQUOTES is set
' (single quote) &#039; (for ENT_HTML401) or &apos; (for ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set
< (less than) &lt;
> (greater than) &gt;

Parameters

The string being converted.

A bitmask of one or more of the following flags, which specify how to handle quotes, invalid code unit sequences and the used document type. The default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

Available flags constants
Constant Name Description
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES Will convert both double and single quotes.
ENT_NOQUOTES Will leave both double and single quotes unconverted.
ENT_IGNORE Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it may have security implications.
ENT_SUBSTITUTE Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#xFFFD; (otherwise) instead of returning an empty string.
ENT_DISALLOWED Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#xFFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
ENT_HTML401 Handle code as HTML 4.01.
ENT_XML1 Handle code as XML 1.
ENT_XHTML Handle code as XHTML.
ENT_HTML5 Handle code as HTML 5.

An optional argument defining the encoding used when converting characters.

If omitted, encoding defaults to the value of the default_charset configuration option.

Although this argument is technically optional, you are highly encouraged to specify the correct value for your code if the default_charset configuration option may be set incorrectly for the given input.

For the purposes of this function, the encodings ISO-8859-1, ISO-8859-15, UTF-8, cp866, cp1251, cp1252, and KOI8-R are effectively equivalent, provided the string itself is valid for the encoding, as the characters affected by htmlspecialchars() occupy the same positions in all of these encodings.

The following character sets are supported:

Supported charsets
Charset Aliases Description
ISO-8859-1 ISO8859-1 Western European, Latin-1.
ISO-8859-5 ISO8859-5 Little used cyrillic charset (Latin/Cyrillic).
ISO-8859-15 ISO8859-15 Western European, Latin-9. Adds the Euro sign, French and Finnish letters missing in Latin-1 (ISO-8859-1).
UTF-8 ASCII compatible multi-byte 8-bit Unicode.
cp866 ibm866, 866 DOS-specific Cyrillic charset.
cp1251 Windows-1251, win-1251, 1251 Windows-specific Cyrillic charset.
cp1252 Windows-1252, 1252 Windows specific charset for Western European.
KOI8-R koi8-ru, koi8r Russian.
BIG5 950 Traditional Chinese, mainly used in Taiwan.
GB2312 936 Simplified Chinese, national standard character set.
BIG5-HKSCS Big5 with Hong Kong extensions, Traditional Chinese.
Shift_JIS SJIS, SJIS-win, cp932, 932 Japanese
EUC-JP EUCJP, eucJP-win Japanese
MacRoman Charset that was used by Mac OS.
"" An empty string activates detection from script encoding (Zend multibyte), default_charset and current locale (see nl_langinfo() and setlocale()), in this order. Not recommended.

Note: Any other character sets are not recognized. The default encoding will be used instead and a warning will be emitted.

When double_encode is turned off, PHP will not encode existing HTML entities; the default is to convert everything.

Return Values

If the input string contains an invalid code unit sequence within the given encoding an empty string will be returned, unless either the ENT_IGNORE or ENT_SUBSTITUTE flags are set.

Changelog

Version Description
8.1.0 flags changed from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

Examples

Example #1 htmlspecialchars() example

Notes

Note:

Note that this function does not translate anything beyond what is listed above. For full entity translation, see htmlentities().

  • When neither of ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES is present, the default is ENT_NOQUOTES.
  • When more than one of ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES is present, ENT_QUOTES takes the highest precedence, followed by ENT_COMPAT.
  • When neither of ENT_HTML401, ENT_HTML5, ENT_XHTML, ENT_XML1 is present, the default is ENT_HTML401.
  • When more than one of ENT_HTML401, ENT_HTML5, ENT_XHTML, ENT_XML1 is present, ENT_HTML5 takes the highest precedence, followed by ENT_XHTML, ENT_XML1 and ENT_HTML401.
  • When more than one of ENT_DISALLOWED, ENT_IGNORE, ENT_SUBSTITUTE are present, ENT_IGNORE takes the highest precedence, followed by ENT_SUBSTITUTE.
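
The quote flags, the invalid-sequence flags and double_encode described above, exercised in one script. This is an added example, not code from the PHP manual; the helper name e() and all sample strings are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper for this example: explicit flags and charset, so the
// result does not depend on the PHP version or on default_charset.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample containing every character the function translates.
$value = "Tom's \"pub\" <b>&</b>";

// 1. Quote flags: print what each one leaves unescaped.
$quoteFlags = ['ENT_NOQUOTES' => ENT_NOQUOTES, 'ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES];
foreach ($quoteFlags as $name => $flag) {
    printf("%-12s %s\n", $name, htmlspecialchars($value, $flag | ENT_HTML5, 'UTF-8'));
}

// 2. Attribute context: under ENT_COMPAT or ENT_NOQUOTES the apostrophe in
//    $value would close a single-quoted attribute early. e() escapes both
//    quote styles, so the value stays inside the attribute.
echo "<input name='owner' value='" . e($value) . "'>\n";

// 3. Invalid input: "\xE9" is "é" in ISO-8859-1 but not a valid UTF-8 sequence.
//    Compare no recovery flag, ENT_SUBSTITUTE, ENT_IGNORE, and the charset
//    that actually matches the bytes.
$latin1 = "caf\xE9";
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'UTF-8'));
var_dump(htmlspecialchars($latin1, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
var_dump(htmlspecialchars($latin1, ENT_QUOTES | ENT_IGNORE, 'UTF-8'));
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'ISO-8859-1'));

// 4. double_encode: false leaves existing entities alone, true re-encodes them.
$stored = 'Fish &amp; chips';
var_dump(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false));
var_dump(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', true));
```

Passing the flags and charset explicitly, as e() does, keeps the output identical before and after the 8.1.0 default change listed in the changelog.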

See Also

  • get_html_translation_table() — Returns the translation table used by htmlspecialchars and htmlentities
  • htmlspecialchars_decode() — Convert special HTML entities back to characters
  • strip_tags() — Strip HTML and PHP tags from a string
  • htmlentities() — Convert all applicable characters to HTML entities
  • nl2br() — Inserts HTML line breaks before all newlines in a string

User Contributed Notes 21 notes

As of PHP 5.4 they changed default encoding from "ISO-8859-1" to "UTF-8". So if you get null from htmlspecialchars or htmlentities

where you have only set
<?php
echo htmlspecialchars($string);
echo htmlentities($string);
?>

you can fix it by
<?php
echo htmlspecialchars($string, ENT_COMPAT, 'ISO-8859-1', true);
echo htmlentities($string, ENT_COMPAT, 'ISO-8859-1', true);
?>

On Linux you can find the scripts you need to fix by

grep -Rl "htmlspecialchars\\|htmlentities" /path/to/php/scripts/

Unfortunately, as far as I can tell, the PHP devs did not provide ANY way to set the default encoding used by htmlspecialchars() or htmlentities(), even though they changed the default encoding in PHP 5.4 (*golf clap for PHP devs*). To save someone the time of trying it, this does not work:

<?php
ini_set('default_charset', $charset); // doesn't work.
?>

Unfortunately, the only way to not have to explicitly provide the second and third parameter every single time this function is called (which gets extremely tedious) is to write your own function as a wrapper:

<?php
define('CHARSET', 'ISO-8859-1');
define('REPLACE_FLAGS', ENT_COMPAT | ENT_XHTML);

function html($string) {
    return htmlspecialchars($string, REPLACE_FLAGS, CHARSET);
}

echo html("ñ"); // works
?>

You can do the same for htmlentities()

Because the documentation says

int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401

you would think that ENT_HTML401 is important. But as the notes mention, ENT_HTML401 is the default if you don’t specify the doc type. This is because ENT_HTML401 === 0. So

int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401

int $flags = ENT_QUOTES | ENT_SUBSTITUTE

If your goal is just to protect your page from Cross Site Scripting (XSS) attack, or just to show HTML tags on a web page (showing on the page, for example), then using htmlspecialchars() is good enough and better than using htmlentities(). A minor point is htmlspecialchars() is faster than htmlentities(). A more important point is, when we use htmlspecialchars($s) in our code, it is automatically compatible with UTF-8 string. Otherwise, if we use htmlentities($s), and there happens to be foreign characters in the string $s in UTF-8 encoding, then htmlentities() is going to mess it up, as it modifies the byte 0x80 to 0xFF in the string to entities like &eacute;. (unless you specifically provide a second argument and a third argument to htmlentities(), with the third argument being "UTF-8").

The reason htmlspecialchars($s) already works with UTF-8 string is that it changes bytes that are in the range 0x00 to 0x7F to &lt; etc, while leaving bytes in the range 0x80 to 0xFF unchanged. We may wonder whether htmlspecialchars() may accidentally change any byte in a 2 to 4 byte UTF-8 character to &lt; etc. The answer is, it won’t. When a UTF-8 character is 2 to 4 bytes long, all the bytes in this character are in the 0x80 to 0xFF range. None can be in the 0x00 to 0x7F range. When a UTF-8 character is 1 byte long, it is just the same as ASCII, which is 7 bit, from 0x00 to 0x7F. As a result, when a UTF-8 character is 1 byte long, htmlspecialchars($s) will do its job, and when the UTF-8 character is 2 to 4 bytes long, htmlspecialchars($s) will just pass those bytes unchanged. So htmlspecialchars($s) will do the same job no matter whether $s is in ASCII, ISO-8859-1 (Latin-1), or UTF-8.

I searched for a while for a script that could see the difference between an html tag and just < and > placed in the text,
the reason is that I receive text from a database,
which is inserted by an html form, and contains text and html tags,
the text can contain < and >, so do the tags,
with htmlspecialchars you can validate your text to XHTML,
but you’ll also change the tags, like <b> to &lt;b&gt;,
so I needed a script that could see the difference between those two.
but I couldn’t find one so I made my own one,
I haven’t fully tested it, but the parts I tested worked perfect!
just for people that were searching for something like this,
it may look big, could be done easier, but it works for me, so I’m happy.

<?php
function fixtags($text) {
    $text = htmlspecialchars($text);
    $text = preg_replace("/=/", "=\"\"", $text);
    $text = preg_replace("/&quot;/", "&quot;\"", $text);
    $tags = "/&lt;(\/|)(\w*)(\ |)(\w*)([\\\=]*)(?|(\")\"&quot;\"|)(?|(.*)?&quot;(\")|)([\ ]?)(\/|)&gt;/i";
    $replacement = "";
    $text = preg_replace($tags, $replacement, $text);
    $text = preg_replace("/=\"\"/", "=", $text);
    return $text;
}
?>

an example:

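
Added example, not part of the user note above and not code from the PHP manual: one way to keep a few formatting tags while escaping everything else is to escape the whole string first and then restore only attribute-less tags from an allow-list. The names ALLOWED_TAGS and allow_basic_tags() and the sample string are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: formatting tags that are restored after escaping.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'br', 'p'];

function allow_basic_tags(string $text): string
{
    // Step 1: escape everything, so no markup from the input survives.
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // Step 2: restore only "&lt;tag&gt;", "&lt;/tag&gt;" and "&lt;tag /&gt;"
    // for allow-listed names. A tag carrying any attribute does not match
    // and therefore stays escaped.
    $names   = implode('|', array_map('preg_quote', ALLOWED_TAGS));
    $pattern = '~&lt;(/?)(' . $names . ')(\s*/)?&gt;~i';

    return preg_replace_callback(
        $pattern,
        // Rebuild the tag from the allow-listed name only, never from raw input.
        static fn(array $m): string => '<' . $m[1] . strtolower($m[2]) . '>',
        $escaped
    );
}

// Constructed sample: a bare "<" in text, an allowed tag, a tag that is not
// on the list, and an allowed tag name that carries an attribute.
$sample = 'if a < b then <b>bold</b>, <a href="x">link</a>, <b title="y">attr</b>';
echo allow_basic_tags($sample), "\n";
```

Tag balance is not checked here: the closing tag of an opener that stayed escaped is still restored, which leaves a stray closing tag but no markup that came from the input's attributes.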

How to Use HTML Inside PHP on the Same Page

HTML Inside PHP

In this file, the PHP code is placed inside HTML tags, namely the HTML tag and the BODY tag, and it is written inside PHP delimiters (lines 4 and 7). $name="your name"; is a variable that stores the string between the quotes; here the string stored in the variable $name is "your name". $ is used to declare a variable in PHP. Right now this is the only thing I know about variables and how to declare them in PHP. I am planning to read more about it later and then I’ll record what I understand through the blog post. In print $name; I have used print to show the value stored in the variable $name.

print is not actually a real function (it is a language construct) so you are not required to use parentheses with its argument list.

There is more to this function, I suppose, and I will study it in detail. I could also have used echo to obtain the same thing. In line 10, I have put PHP code inside the bold HTML tag (<b>), which results in a bold-faced "your name" string. In this way you can put your PHP scripts inside any HTML tags. There are other, alternative PHP delimiters you can use to tell the server to distinguish between your PHP script and other webpage elements.
Although these alternative PHP delimiters can be used, I have read that these forms should be avoided and that in practice you should use the following PHP delimiter, the one used first inside the HTML file

Html code inside PHP tags and using echo or print to show those HTML elements

We can also use HTML tags inside PHP, as given below:

<?php
echo "<html>";
echo "<body>";
$name = "your name";
print $name;
echo "<br>";
echo "<b>";
print $name;
echo "</b>";
echo "</body>";
echo "</html>";
?>

So we can basically echo all the HTML constructs and get them working. Another example could be

Hope you like this post on HTML Inside PHP
