HTML - PHP - htmlspecialchars vs htmlentities in PHP 4, PHP 5 and PHP 7 - Learn in 30 Sec from Microsoft Awarded MVP

htmlentities(PHP 4, PHP 5, PHP 7)

htmlentities — Convert all applicable characters to HTML entities

Description :

[pastacode lang=”markup” manual=”string%20htmlentities%20(%20string%20%24string%20%5B%2C%20int%20%24flags%20%3D%20ENT_COMPAT%20%7C%20ENT_HTML401%20%5B%2C%20string%20%24encoding%20%3D%20ini_get(%22default_charset%22)%20%5B%2C%20bool%20%24double_encode%20%3D%20true%20%5D%5D%5D%20)%0A” message=”Html Code” highlight=”” provider=”manual”/] [ad type=”banner”] This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

If you want to decode instead (the reverse) you can use html_entity_decode()
[ http://us2.php.net/manual/en/function.html-entity-decode.php ].

Example #1

A htmlentities() example :

[pastacode lang=”php” manual=”%3C%3Fphp%0A%24str%20%3D%20%22A%20’quote’%20is%20%3Cb%3Ebold%3C%2Fb%3E%22%3B%0A%0A%2F%2F%20Outputs%3A%20A%20’quote’%20is%20%26lt%3Bb%26gt%3Bbold%26lt%3B%2Fb%26gt%3B%0Aecho%20htmlentities(%24str)%3B%0A%0A%2F%2F%20Outputs%3A%20A%20%26%23039%3Bquote%26%23039%3B%20is%20%26lt%3Bb%26gt%3Bbold%26lt%3B%2Fb%26gt%3B%0Aecho%20htmlentities(%24str%2C%20ENT_QUOTES)%3B%0A%3F%3E%0A” message=”Php Code” highlight=”” provider=”manual”/]

Example #2

Usage of ENT_IGNORE :

[pastacode lang=”php” manual=”%3C%3Fphp%0A%24str%20%3D%20%22%5Cx8F!!!%22%3B%0A%0A%2F%2F%20Outputs%20an%20empty%20string%0Aecho%20htmlentities(%24str%2C%20ENT_QUOTES%2C%20%22UTF-8%22)%3B%0A%0A%2F%2F%20Outputs%20%22!!!%22%0Aecho%20htmlentities(%24str%2C%20ENT_QUOTES%20%7C%20ENT_IGNORE%2C%20%22UTF-8%22)%3B%0A%3F%3E%0A” message=”Php Code” highlight=”” provider=”manual”/] [ad type=”banner”]

htmlspecialchars(PHP 4, PHP 5, PHP 7)

htmlspecialchars — Convert special characters to HTML entities

Description :

[pastacode lang=”markup” manual=”string%20htmlspecialchars%20(%20string%20%24string%20%5B%2C%20int%20%24flags%20%3D%20ENT_COMPAT%20%7C%20ENT_HTML401%20%5B%2C%20string%20%24encoding%20%3D%20ini_get(%22default_charset%22)%20%5B%2C%20bool%20%24double_encode%20%3D%20true%20%5D%5D%5D%20)%0A” message=”Html Code” highlight=”” provider=”manual”/]

Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings.

This function returns a string with these conversions made. If you require all input substrings that have associated named entities to be translated, use htmlentities() instead.

If the input string passed to this function and the final document share the same character set, this function is sufficient to prepare input for inclusion in most contexts of an HTML document.

If, however, the input can represent characters that are not coded in the final document character set and you wish to retain those characters (as numeric or named entities), both this function and htmlentities() (which only encodes substrings that have named entity equivalents) may be insufficient. You may have to use mb_encode_numericentity() instead.

Example #1

htmlspecialchars() example:

[pastacode lang=”php” manual=”%3C%3Fphp%0A%24new%20%3D%20htmlspecialchars(%22%3Ca%20href%3D’test’%3ETest%3C%2Fa%3E%22%2C%20ENT_QUOTES)%3B%0Aecho%20%24new%3B%20%2F%2F%20%26lt%3Ba%20href%3D%26%23039%3Btest%26%23039%3B%26gt%3BTest%26lt%3B%2Fa%26gt%3B%0A%3F%3E%0A” message=”Php Code” highlight=”” provider=”manual”/]

htmlspecialchars vs htmlentities

When there is no need to encode all characters which have their HTML equivalents.

If you know that the page encoding match the text special symbols, why would you use htmlentities? htmlspecialchars is much straightforward, and produce less code to send to the client.

For example:

[pastacode lang=”markup” manual=”echo%20htmlentities(‘%3CIl%20%C3%A9tait%20une%20fois%20un%20%C3%AAtre%3E.’)%3B%0A%2F%2F%20Output%3A%20%26lt%3BIl%20%26eacute%3Btait%20une%20fois%20un%20%26ecirc%3Btre%26gt%3B.%0A%2F%2F%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%5E%5E%5E%5E%5E%5E%5E%5E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%5E%5E%5E%5E%5E%5E%5E%0A%0Aecho%20htmlspecialchars(‘%3CIl%20%C3%A9tait%20une%20fois%20un%20%C3%AAtre%3E.’)%3B%0A%2F%2F%20Output%3A%20%26lt%3BIl%20%C3%A9tait%20une%20fois%20un%20%C3%AAtre%26gt%3B.%0A%2F%2F%20%0A” message=”Html Code” highlight=”” provider=”manual”/]

The second one is shorter, and does not cause any problems if ISO-8859-1 charset is set

When the data will be processed not only through a browser (to avoid decoding HTML entities),

If the output is XML

Sometimes you’re writing XML data, and you can’t use HTML entities in a XML file.
Because htmlentities substitutes more characters than htmlspecialchars. This is unnecessary, makes the PHP script less efficient and the resulting HTML code less readable.
htmlentities is only necessary if your pages use encodings such as ASCII or LATIN-1 instead of UTF-8 and you’re handling data with an encoding different from the page’s.

This is being encoded with htmlentities.

[pastacode lang=”markup” manual=”implode(%20array_values(%20get_html_translation_table(%20HTML_ENTITIES%20)%20)%2C%20%22%5Ct%22%20)%3A%0A” message=”Html Code” highlight=”” provider=”manual”/] [ad type=”banner”] [pastacode lang=”markup” manual=”%22%20%26%20%3C%20%3E%0B%C2%A1%20%C2%A2%20%C2%A3%20%C2%A4%20%C2%A5%20%C2%A6%20%C2%A7%20%C2%A8%20%C2%A9%20%C2%AA%20%C2%AB%20%C2%AC%20%C2%AD%20%C2%AE%20%C2%AF%20%C2%B0%20%C2%B1%20%C2%B2%20%C2%B3%20%C2%B4%20%C2%B5%20%C2%B6%20%C2%B7%20%C2%B8%20%C2%B9%20%C2%BA%20%C2%BB%20%C2%BC%20%C2%BD%20%C2%BE%20%C2%BF%20%C3%80%20%C3%81%20%C3%82%20%C3%83%20%C3%84%20%C3%85%20%C3%86%20%C3%87%20%C3%88%20%C3%89%20%C3%8A%20%C3%8B%20%C3%8C%20%C3%8D%20%C3%8E%20%C3%8F%20%C3%90%20%C3%91%20%C3%92%20%C3%93%20%C3%94%20%C3%95%20%C3%96%20%C3%97%20%C3%98%20%C3%99%20%C3%9A%20%C3%9B%20%C3%9C%20%C3%9D%20%C3%9E%20%C3%9F%20%C3%A0%20%C3%A1%20%C3%A2%20%C3%A3%20%C3%A4%20%C3%A5%20%C3%A6%20%C3%A7%20%C3%A8%20%C3%A9%20%C3%AA%20%C3%AB%20%C3%AC%20%C3%AD%20%C3%AE%20%C3%AF%20%C3%B0%20%C3%B1%20%C3%B2%20%C3%B3%20%C3%B4%20%C3%B5%20%C3%B6%20%C3%B7%20%C3%B8%20%C3%B9%20%C3%BA%20%C3%BB%20%C3%BC%20%C3%BD%20%C3%BE%20%C3%BF%20%C5%92%20%C5%93%20%C5%A0%20%C5%A1%20%C5%B8%20%C6%92%20%CB%86%20%CB%9C%20%CE%91%20%CE%92%20%CE%93%20%CE%94%20%CE%95%20%CE%96%20%CE%97%20%CE%98%20%CE%99%20%CE%9A%20%CE%9B%20%CE%9C%20%CE%9D%20%CE%9E%20%CE%9F%20%CE%A0%20%CE%A1%20%CE%A3%20%CE%A4%20%CE%A5%20%CE%A6%20%CE%A7%20%CE%A8%20%CE%A9%20%CE%B1%20%CE%B2%20%CE%B3%20%CE%B4%20%CE%B5%20%CE%B6%20%CE%B7%20%CE%B8%20%CE%B9%20%CE%BA%20%CE%BB%20%CE%BC%20%CE%BD%20%CE%BE%20%CE%BF%20%CF%80%20%CF%81%20%CF%82%20%CF%83%20%CF%84%20%CF%85%20%CF%86%20%CF%87%20%CF%88%20%CF%89%20%CF%91%20%CF%92%20%CF%96%20%E2%80%82%20%E2%80%83%20%E2%80%89%20%E2%80%8C%20%E2%80%8D%20%E2%80%8E%20%E2%80%8F%20%E2%80%93%20%E2%80%94%20%E2%80%98%20%E2%80%99%20%E2%80%9A%20%E2%80%9C%20%E2%80%9D%20%E2%80%9E%20%E2%80%A0%20%E2%80%A1%20%E2%80%A2%20%E2%80%A6%20%E2%80%B0%20%E2%80%B2%20%E2%80%B3%20%E2%80%B9%20%E2%80%BA%20%E2%80%BE%20%E2%81%84%20%E2%82%AC%20%E2%84%91%20%E2%84%98%20%E2%84%9C%20%E2%84%A2%20%E2%84%B5%20%E2%86%90%20%E2%86%91%20%E2%86%92%20%E2%86%93%20%E2%86%94%20%E2%86%B5%20%E2%87%90%20%E2%87%91%20%E2%87%92%20%E2%87%93%20%E2%87%94%20%E2%88%80%20%E2%88%82%20%E2%88%83%20%E2%88%85%20%E2%88%87%20%E2%88%88%20%E2%88%89%20%E2%88%8B%20%E2%88%8F%20%E2%88%91%20%E2%88%92%20%E2%88%97%20%E2%88%9A%20%E2%88%9D%20%E2%88%9E%20%E2%88%A0%20%E2%88%A7%20%E2%88%A8%20%E2%88%A9%20%E2%88%AA%20%E2%88%AB%20%E2%88%B4%20%E2%88%BC%20%E2%89%85%20%E2%89%88%20%E2%89%A0%20%E2%89%A1%20%E2%89%A4%20%E2%89%A5%20%E2%8A%82%20%E2%8A%83%20%E2%8A%84%20%E2%8A%86%20%E2%8A%87%20%E2%8A%95%20%E2%8A%97%20%E2%8A%A5%20%E2%8B%85%20%E2%8C%88%20%E2%8C%89%20%E2%8C%8A%20%E2%8C%8B%20%E2%9F%A8%20%E2%9F%A9%20%E2%97%8A%20%E2%99%A0%20%E2%99%A3%20%E2%99%A5%20%E2%99%A6%0A” message=”Html Code” highlight=”” provider=”manual”/]

This is being encoded with htmlspecialchars.

[pastacode lang=”markup” manual=”implode(%20array_values(%20get_html_translation_table(%20HTML_SPECIALCHARS%20)%20)%2C%20%22%5Ct%22%20)%3A%0A” message=”Html Code” highlight=”” provider=”manual”/] [pastacode lang=”markup” manual=”%22%20%26%20%3C%20%3E%0A” message=”Html Code” highlight=”” provider=”manual”/]

You should use htmlspecialchars($strText, ENT_QUOTES) when you just want your string to be XML and HTML safe:

For example, encode

& to &
” to "
< to <
> to >
‘ to '

However, if you also have additional characters that are Unicode or uncommon symbols in your text then you should use htmlentities() to ensure they show up properly in your HTML page.

Notes:

‘ will only be encoded by htmlspecialchars() to ' if the ENT_QUOTES option is passed in. ' is safer to use then ' since older versions of Internet Explorer do not support the ' entity.
Technically, > does not need to be encoded as per the XML specification, but it is usually encoded too for consistency with the requirement of < being encoded.

Categorized in:

HTML PHP

Tagged in:

Correct use of htmlspecialchars() or htmlentities(), How to prevent XSS with HTML/PHP, htmlentities decode, htmlspecialchars javascript, htmlspecialchars not working, htmlspecialchars online, htmlspecialchars php, htmlspecialchars xss, htmlspecialchars_decode, htmlspecialchars() x htmlentities(), php convert special characters to html entities, Why use htmlspecialchars() when you have htmlentities()?

htmlspecialchars vs htmlentities in PHP 4, PHP 5 and PHP 7

htmlentities(PHP 4, PHP 5, PHP 7)

Description :

Wikitechy Editor

One Comment

Leave a Reply

Other Stories

How to apply CSS to iframe

[Solved- 8 Answers] PhpMyadmin not working

Press ESC to close

Or check our Popular Categories...

htmlentities(PHP 4, PHP 5, PHP 7)

Description :

One Comment

Leave a Reply

Related Articles

Other Stories

How to apply CSS to iframe

[Solved- 8 Answers] PhpMyadmin not working