htmlspecialchars() / htmlentities()
Since: PHP 4 (2000)
Escapes special HTML characters to prevent XSS attacks. Always use this function when displaying user input on screen.
Syntax
// Escapes the special HTML characters (&, ", ', <, >).
htmlspecialchars($string, $flags, $encoding, $double_encode);
// Converts every character that has an HTML character entity.
htmlentities($string, $flags, $encoding, $double_encode);
// Converts HTML character entities back to their original characters.
html_entity_decode($string, $flags, $encoding);
// Strips HTML tags from a string.
strip_tags($string, $allowed_tags);
Function List
| Function | Description |
|---|---|
| htmlspecialchars($string, $flags, $encoding) | Converts the five characters &, ", ', <, and > to their HTML character entities. This is the most fundamental function for XSS prevention. |
| htmlentities($string, $flags, $encoding) | Converts all characters that have defined HTML character entities. The conversion range is broader than htmlspecialchars(). |
| html_entity_decode($string, $flags, $encoding) | The reverse of htmlspecialchars() and htmlentities() — converts HTML character entities back to their original characters. |
| strip_tags($string, $allowed_tags) | Removes HTML tags from a string. You can specify allowed tags in the second argument. |
Return Value
Returns the converted string. The original string is not modified.
Sample Code
<?php
// Basic usage to prevent XSS attacks.
$user_input = '<script>alert("XSS")</script>';
echo htmlspecialchars($user_input, ENT_QUOTES, "UTF-8"); // The tags are escaped and displayed safely.
// The five characters that get converted.
$str = '& " \' < >';
echo htmlspecialchars($str, ENT_QUOTES, "UTF-8"); // Outputs: &amp; &quot; &#039; &lt; &gt;
// Example of safely displaying form input.
$name = '<b>John Doe</b>';
echo '<p>' . htmlspecialchars($name, ENT_QUOTES, "UTF-8") . '</p>'; // Outputs safe HTML with tags neutralized.
// htmlentities() converts a wider range of characters.
echo htmlentities("© 2026", ENT_QUOTES, "UTF-8"); // Outputs: &copy; 2026 (the copyright symbol is also converted to a character entity).
// Use html_entity_decode() to reverse the conversion.
$encoded = "&lt;p&gt;Test&lt;/p&gt;"; // A previously escaped string.
echo html_entity_decode($encoded, ENT_QUOTES, "UTF-8"); // Outputs: <p>Test</p>
// Use strip_tags() to remove HTML tags.
$html = "<p>This is a <b>bold</b> <a href='#'>link</a>.</p>";
echo strip_tags($html); // Outputs: This is a bold link.
// Specify allowed tags in the second argument.
echo strip_tags($html, "<b><p>"); // Outputs: <p>This is a <b>bold</b> link.</p>
// Why the ENT_QUOTES flag matters.
$value = '" onmouseover="alert(1)';
echo '<input value="' . htmlspecialchars($value, ENT_QUOTES, "UTF-8") . '">'; // Double quotes are also escaped.
Notes
htmlspecialchars() is the fundamental function for XSS prevention. Always use it when outputting user input to HTML. Always pass ENT_QUOTES as the second argument. Omitting it leaves single quotes unescaped, which can allow XSS attacks inside HTML attribute values. It is also recommended to explicitly specify "UTF-8" as the third argument.
htmlentities() converts a wider range of characters than htmlspecialchars(), but htmlspecialchars() is sufficient for typical XSS prevention. html_entity_decode() performs the reverse conversion and is useful when you need to restore previously escaped data stored in a database.
strip_tags() removes HTML tags entirely and is convenient when you need plain text. However, it is not a complete XSS countermeasure, so use htmlspecialchars() when outputting to the screen. For URL encoding, use urlencode().
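To make the flag choices in the notes concrete, here is an added example (not code from the original page). The `e()` helper is hypothetical, and the `$attr`, `$broken`, `$stored` and `$markup` strings are constructed test inputs.

```php
<?php
// Added example: a small output-escaping helper and checks that show where the flags matter.
declare(strict_types=1);

// Escape a string for insertion into HTML text or a quoted attribute.
// ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of letting
// htmlspecialchars() return an empty string, which would silently drop output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 1. Attribute context: both quote kinds must be escaped, otherwise the value
//    can close the surrounding attribute (same case as the ENT_QUOTES sample).
$attr = '" onmouseover="alert(1)';
echo htmlspecialchars($attr, ENT_NOQUOTES, 'UTF-8'), PHP_EOL; // quotes untouched: unsafe in an attribute
echo e($attr), PHP_EOL;                                       // &quot; onmouseover=&quot;alert(1)

// 2. Invalid UTF-8 (constructed: a truncated multibyte sequence).
//    With ENT_QUOTES only, the whole string becomes "".
$broken = "caf\xC3";
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8')); // string(0) ""
var_dump(e($broken));                                     // "caf" followed by U+FFFD

// 3. Data that was stored already escaped: $double_encode = false avoids "&amp;amp;".
$stored = 'Tom &amp; Jerry';
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;        // Tom &amp;amp; Jerry
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false), PHP_EOL; // Tom &amp; Jerry
// The cleaner fix is to decode to raw text once and escape at output time.
echo e(html_entity_decode($stored, ENT_QUOTES, 'UTF-8')), PHP_EOL;   // Tom &amp; Jerry

// 4. strip_tags() with an allow-list keeps the attributes of allowed tags,
//    so it is not a sanitizer; escape instead when rendering untrusted text.
$markup = '<b onmouseover="alert(1)">hi</b>';
echo strip_tags($markup, '<b>'), PHP_EOL; // the onmouseover attribute survives
echo e($markup), PHP_EOL;                 // rendered as literal text, nothing executes
```

Since PHP 8.1 the default flags already include ENT_QUOTES and ENT_SUBSTITUTE, but passing them explicitly keeps the behaviour the same on older versions.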