(PHP 4, PHP 5)
htmlspecialchars — Convert special characters to HTML entities
$flags= ENT_COMPAT | ENT_HTML401 [, string
$encoding= 'UTF-8' [, bool
$double_encode= true ]]] )
Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead.
This function is useful in preventing user-supplied text from containing HTML markup, such as in a message board or guest book application.
The translations performed are:
- '&' (ampersand) becomes '&'
'"' (double quote) becomes '"' when
ENT_NOQUOTESis not set.
"'" (single quote) becomes ''' only when
- '<' (less than) becomes '<'
- '>' (greater than) becomes '>'
The string being converted.
A bitmask of one or more of the following flags, which specify how to handle quotes, invalid code unit sequences and the used document type. The default is ENT_COMPAT | ENT_HTML401.
Constant Name Description
Will convert double-quotes and leave single-quotes alone.
Will convert both double and single quotes.
Will leave both double and single quotes unconverted.
Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it » may have security implications.
Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of returning an empty string.
Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
Handle code as HTML 4.01.
Handle code as XML 1.
Handle code as XHTML.
Handle code as HTML 5.
Defines encoding used in conversion. If omitted, the default value for this argument is ISO-8859-1 in versions of PHP prior to 5.4.0, and UTF-8 from PHP 5.4.0 onwards.
For the purposes of this function, the encodings ISO-8859-1, ISO-8859-15, UTF-8, cp866, cp1251, cp1252, and KOI8-R are effectively equivalent, provided the
stringitself is valid for the encoding, as the characters affected by htmlspecialchars() occupy the same positions in all of these encodings.
The following character sets are supported:
Supported charsets Charset Aliases Description ISO-8859-1 ISO8859-1 Western European, Latin-1. ISO-8859-5 ISO8859-5 Little used cyrillic charset (Latin/Cyrillic). ISO-8859-15 ISO8859-15 Western European, Latin-9. Adds the Euro sign, French and Finnish letters missing in Latin-1 (ISO-8859-1). UTF-8 ASCII compatible multi-byte 8-bit Unicode. cp866 ibm866, 866 DOS-specific Cyrillic charset. cp1251 Windows-1251, win-1251, 1251 Windows-specific Cyrillic charset. cp1252 Windows-1252, 1252 Windows specific charset for Western European. KOI8-R koi8-ru, koi8r Russian. BIG5 950 Traditional Chinese, mainly used in Taiwan. GB2312 936 Simplified Chinese, national standard character set. BIG5-HKSCS Big5 with Hong Kong extensions, Traditional Chinese. Shift_JIS SJIS, SJIS-win, cp932, 932 Japanese EUC-JP EUCJP, eucJP-win Japanese MacRoman Charset that was used by Mac OS. '' An empty string activates detection from script encoding (Zend multibyte), default_charset and current locale (see nl_langinfo() and setlocale()), in this order. Not recommended.
Note: Any other character sets are not recognized. The default encoding will be used instead and a warning will be emitted.
double_encodeis turned off PHP will not encode existing html entities, the default is to convert everything.
The converted string.
If the input
string contains an invalid code unit
sequence within the given
encoding an empty string
will be returned, unless either the
ENT_SUBSTITUTE flags are set.
The default value for the
Example #1 htmlspecialchars() example
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // <a href='test'>Test</a>
Note that this function does not translate anything beyond what is listed above. For full entity translation, see htmlentities().
- get_html_translation_table() - Returns the translation table used by htmlspecialchars and htmlentities
- htmlspecialchars_decode() - Convert special HTML entities back to characters
- strip_tags() - Strip HTML and PHP tags from a string
- htmlentities() - Convert all applicable characters to HTML entities
- nl2br() - Inserts HTML line breaks before all newlines in a string