htmlspecialchars

(PHP 4, PHP 5, PHP 7)

htmlspecialcharsConvierte caracteres especiales en entidades HTML

Descripción

htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = TRUE ]]] ) : string

Ciertos caracteres tienen un significado especial en HTML y deben ser representados por entidades HTML si se desea preservar su significado. Esta función devuelve un string con estas conversiones realizadas. Si se requiere que todas las subcadenas de entrada tengan asociadas entidades con nombre para que sean traducidas, use htmlentities() en su lugar.

Si el string de entrada pasado a esta función y el documento final comparten el mismo conjunto de carcteres, esta función es suficiente para preparar entradas para su inclusión en la mayoría de los contextos de un documento HTML. Sin embargo, si la entrada puede representar caracteres que no están codificados en el conjunto de caracteres del documento final, y es necesario conservar dichos caracteres (tales como números o entidades con nombre), esta función y htmlentities() (la cual solamente codifica subcadenas que tienen equivalentes de entidades con nombre) podrían ser insuficientes. Se podria usar mb_encode_numericentity() en su lugar.

Traducciones realizadas
Carácter Sustitución
& (et) &
" (comilla doble) " excepto cuando ENT_NOQUOTES está activado
' (single quote) ' (para ENT_HTML401) o ' (para ENT_XML1, ENT_XHTML o ENT_HTML5), pero solamente cuando ENT_QUOTES está activado
< (menor que) &lt;
> (mayor que) &gt;

Parámetros

string

El string a convertir.

flags

Una máscara de bits de una o más de los siguientes indicadores, los cuales especifican cómo manejar las comillas, las secuencias de unidad de código inválidas y el tipo de documento utilizado. El valor predeterminado es ENT_COMPAT | ENT_HTML401.

Constantes disponibles para flags
Nombre de la constante Descripción
ENT_COMPAT Convertirá las comillas dobles y sólo dejará las comillas simples.
ENT_QUOTES Convertirá tanto las comillas dobles como las simples.
ENT_NOQUOTES Dejará tanto las comillas dobles como las simples sin convertir.
ENT_IGNORE Descartar silenciosamente unidades de secuencia de código no válidas en lugar de devolver un string vacío. No se recomienda el uso de este indicador, ya que » puede tener implicaciones de seguridad.
ENT_SUBSTITUTE Reemplazar las secuencias de unidad de código inválidas con un Carácter de Reemplazo Unicode U+FFFD (UTF-8) o &#xFFFD; (no UTF-8) en lugar de devolver un string vacío.
ENT_DISALLOWED Reemplazar los puntos de código no válidos para el tipo de documento dado con un Carácter de Reemplazo Unicode U+FFFD (UTF-8) o &#xFFFD; (no UTF-8) en lugar de dejarlos tal cual. Esto puede ser útil, por ejemplo, para asegurar que los documentos XML estén bien formados con contenido externo incrustado.
ENT_HTML401 Maneja el código como HTML 4.01.
ENT_XML1 Maneja el código como XML 1.
ENT_XHTML Maneja el código como XHTML.
ENT_HTML5 Maneja el código como HTML 5.

encoding

Un argumento opcional que define la codificación empleada al convertir caracteres.

Si se omite, el valor predeterminado de encoding varía según la versión de PHP en uso. En PHP 5.6 y posterior, la opción de configuración default_charset se emplea como valor predeterminado. PHP 5.4 y 5.5 utilizarán UTF-8 como valor predeterminado. Las versiones anteriores de PHP emplean ISO-8859-1.

Aunque este argumento es técnicamente opcional, se recomienda especificar el valor correcto para el código si se utiliza PHP 5.5 o anterior, o si la opción de configuración default_charset podría estar establecida incorrectamente para la entrada dada.

Para el propósito de ésta función, los juegos de caracteres ISO-8859-1, ISO-8859-15, UTF-8, cp866, cp1251, cp1252 y KOI8-R son realmente equivalentes, siempre y cuando el string sea válido para la codificación, ya que los caracteres afectados por htmlspecialchars() ocupan las mismas posiciones en todas estas codificaciones.

Están soportados los siguientes juegos de caracteres:

Juegos de caracteres soportados
Juego de caracteres Alias Descripción
ISO-8859-1 ISO8859-1 Europeo occidental, Latin-1.
ISO-8859-5 ISO8859-5 Juego de caracteres cirílicos poco usado (Latin/Cyrillic).
ISO-8859-15 ISO8859-15 Europeo occidental, Latin-9. Añade el signo de euro, y letras del francés y finlandés ausentes en Latin-1 (ISO-8859-1).
UTF-8   Unicode de 8 bit multibyte compatible con ASCII.
cp866 ibm866, 866 Juego de caracteres cirílico específico de DOS.
cp1251 Windows-1251, win-1251, 1251 Juego de caracteres cirílico específico de Windows.
cp1252 Windows-1252, 1252 Juego de caracteres específico de Windows para Europa occidental.
KOI8-R koi8-ru, koi8r Ruso.
BIG5 950 Chino tradicional, usado principalmente en Taiwán.
GB2312 936 Chino simplificado, juego de caracteres estándar nacional.
BIG5-HKSCS   Big5 con extensiones de Hong Kong, chino tradicional.
Shift_JIS SJIS, SJIS-win, cp932, 932 Japonés
EUC-JP EUCJP, eucJP-win Japonés
MacRoman   Juego de caracteres que fue utilizado por Mac OS.
''   Un string vacío activa la detección desde la codificación del script (Zend multibyte), default_charset y la actual configuración regional (véase nl_langinfo() y setlocale()), en este orden. No se recomienda.

Nota: No se reconoce cualquier otro juego de caracteres. Será utilizada en su lugar la codificación por defecto y se emitirá una advertencia.

double_encode

Cuando double_encode se desactiva, PHP no codificará las entidades HTML existentes. El valor predeterminado es convertirlo todo.

Valores devueltos

El string convertido.

Si el string de entrada contiene una secuencia de unidad de código no válida en encoding, devolverá un string vacío, a menos que cualquiera de los indicadores ENT_IGNORE o ENT_SUBSTITUTE estén establecidos.

Historial de cambios

Versión Descripción
5.6.0 El valor predeterminado para el parámetro encoding se cambió para que fuera el valor de la opción de configuración default_charset.
5.4.0 El valor predeterminado del parámetro encoding se cambió a UTF-8.
5.4.0 Se añadieron las constantes ENT_SUBSTITUTE, ENT_DISALLOWED, ENT_HTML401, ENT_XML1, ENT_XHTML y ENT_HTML5.
5.3.0 Se añadió la constante ENT_IGNORE.
5.2.3 Se añadió el parámetro double_encode.

Ejemplos

Ejemplo #1 Ejemplo de htmlspecialchars()

<?php
$nuevo 
htmlspecialchars("<a href='test'>Test</a>"ENT_QUOTES);
echo 
$nuevo// &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>

Notas

Nota:

Se ha de tener en cuenta que esta función no traduce nada más de lo que aparece en la lista de arriba. Para la traducción completa de entidades, véase htmlentities().

Nota:

En caso de valores de flags ambiguos, se aplican las siguintes reglas:

  • Cuando no están presentes ENT_COMPAT, ENT_QUOTES ni ENT_NOQUOTES, el valor predeterminado es ENT_NOQUOTES.
  • Cuando están presentes más de una de ENT_COMPAT, ENT_QUOTES o ENT_NOQUOTES, ENT_QUOTES toma la mayor precedencia, seguido de ENT_COMPAT.
  • Cuando no están presentes ENT_HTML401, ENT_HTML5, ENT_XHTML ni ENT_XML1, el valor predeterminado es ENT_HTML401.
  • Cuando están presentes más de una de ENT_HTML401, ENT_HTML5, ENT_XHTML, ENT_XML1 o ENT_HTML5 toma la mayor precedencia, seguido de ENT_XHTML, ENT_XML1 y ENT_HTML401.
  • Cuando están presentes más de una de ENT_DISALLOWED, ENT_IGNORE o ENT_SUBSTITUTE, ENT_IGNORE toma la mayor precedencia, seguido de ENT_SUBSTITUTE.

Ver también

add a note add a note

User Contributed Notes 18 notes

up
71
Dave
6 years ago
As of PHP 5.4 they changed default encoding from "ISO-8859-1" to "UTF-8". So if you get null from htmlspecialchars or htmlentities

where you have only set
<?php
echo htmlspecialchars($string);
echo
htmlentities($string);
?>

you can fix it by
<?php
echo htmlspecialchars($string, ENT_COMPAT,'ISO-8859-1', true);
echo
htmlentities($string, ENT_COMPAT,'ISO-8859-1', true);
?>

On linux you can find the scripts you need to fix by

grep -Rl "htmlspecialchars\\|htmlentities" /path/to/php/scripts/
up
49
Mike Robinson
6 years ago
Unfortunately, as far as I can tell, the PHP devs did not provide ANY way to set the default encoding used by htmlspecialchars() or htmlentities(), even though they changed the default encoding in PHP 5.4 (*golf clap for PHP devs*). To save someone the time of trying it, this does not work:

<?php
ini_set
('default_charset', $charset); // doesn't work.
?>

Unfortunately, the only way to not have to explicitly provide the second and third parameter every single time this function is called (which gets extremely tedious) is to write your own function as a wrapper:

<?php
define
('CHARSET', 'ISO-8859-1');
define('REPLACE_FLAGS', ENT_COMPAT | ENT_XHTML);

function
html($string) {
    return
htmlspecialchars($string, REPLACE_FLAGS, CHARSET);
}

echo
html("ñ"); // works
?>

You can do the same for htmlentities()
up
19
Thomasvdbulk at gmail dot com
8 years ago
i searched for a while for a script, that could see the difference between an html tag and just < and > placed in the text,
the reason is that i recieve text from a database,
wich is inserted by an html form, and contains text and html tags,
the text can contain < and >, so does the tags,
with htmlspecialchars you can validate your text to XHTML,
but you'll also change the tags, like <b> to &lt;b&gt;,
so i needed a script that could see the difference between those two...
but i couldn't find one so i made my own one,
i havent fully tested it, but the parts i tested worked perfect!
just for people that were searching for something like this,
it may looks big, could be done easier, but it works for me, so im happy.

<?php
function fixtags($text){
$text = htmlspecialchars($text);
$text = preg_replace("/=/", "=\"\"", $text);
$text = preg_replace("/&quot;/", "&quot;\"", $text);
$tags = "/&lt;(\/|)(\w*)(\ |)(\w*)([\\\=]*)(?|(\")\"&quot;\"|)(?|(.*)?&quot;(\")|)([\ ]?)(\/|)&gt;/i";
$replacement = "<$1$2$3$4$5$6$7$8$9$10>";
$text = preg_replace($tags, $replacement, $text);
$text = preg_replace("/=\"\"/", "=", $text);
return
$text;
}
?>

an example:

<?php
$string
= "
this is smaller < than this<br />
this is greater > than this<br />
this is the same = as this<br />
<a href=\"http://www.example.com/example.php?test=test\">This is a link</a><br />
<b>Bold</b> <i>italic</i> etc..."
;
echo
fixtags($string);
?>

will echo:
this is smaller &lt; than this<br />
this is greater &gt; than this<br />
this is the same = as this<br />
<a href="http://www.example.com/example.php?test=test">This is a link</a><br />
<b>Bold</b> <i>italic</i> etc...

I hope its helpfull!!
up
8
Kenneth Kin Lum
11 years ago
if your goal is just to protect your page from Cross Site Scripting (XSS) attack, or just to show HTML tags on a web page (showing <body> on the page, for example), then using htmlspecialchars() is good enough and better than using htmlentities().  A minor point is htmlspecialchars() is faster than htmlentities().  A more important point is, when we use  htmlspecialchars($s) in our code, it is automatically compatible with UTF-8 string.  Otherwise, if we use htmlentities($s), and there happens to be foreign characters in the string $s in UTF-8 encoding, then htmlentities() is going to mess it up, as it modifies the byte 0x80 to 0xFF in the string to entities like &eacute;.  (unless you specifically provide a second argument and a third argument to htmlentities(), with the third argument being "UTF-8").

The reason htmlspecialchars($s) already works with UTF-8 string is that, it changes bytes that are in the range 0x00 to 0x7F to &lt; etc, while leaving bytes in the range 0x80 to 0xFF unchanged.  We may wonder whether htmlspecialchars() may accidentally change any byte in a 2 to 4 byte UTF-8 character to &lt; etc.  The answer is, it won't.  When a UTF-8 character is 2 to 4 bytes long, all the bytes in this character is in the 0x80 to 0xFF range. None can be in the 0x00 to 0x7F range.  When a UTF-8 character is 1 byte long, it is just the same as ASCII, which is 7 bit, from 0x00 to 0x7F.  As a result, when a UTF-8 character is 1 byte long, htmlspecialchars($s) will do its job, and when the UTF-8 character is 2 to 4 bytes long, htmlspecialchars($s) will just pass those bytes unchanged.  So htmlspecialchars($s) will do the same job no matter whether $s is in ASCII, ISO-8859-1 (Latin-1), or UTF-8.
up
6
ryan at ryano dot net
18 years ago
Actually, if you're using >= 4.0.5, this should theoretically be quicker (less overhead anyway):

$text = str_replace(array("&gt;", "&lt;", "&quot;", "&amp;"), array(">", "<", "\"", "&"), $text);
up
9
ivan at lutrov dot com
8 years ago
Be careful, the "charset" argument IS case sensitive. This is counter-intuitive and serves no practical purpose because the HTML spec actually has the opposite.
up
5
php dot net at orakio dot net
11 years ago
I was recently exploring some code when I saw this being used to make data safe for "SQL".

This function should not be used to make data SQL safe (although to prevent phishing it is perfectly good).

Here is an example of how NOT to use this function:

<?php
$username
= htmlspecialchars(trim("$_POST[username]"));

$uniqueuser = $realm_db->query("SELECT `login` FROM `accounts` WHERE `login` = '$username'");
?>

(Only other check on $_POST['username'] is to make sure it isn't empty which it is after trim on a white space only name)

The problem here is that it is left to default which allows single quote marks which are used in the sql query. Turning on magic quotes might fix it but you should not rely on magic quotes, in fact you should never use it and fix the code instead. There are also problems with \ not being escaped. Even if magic quotes were used there would be the problem of allowing usernames longer than the limit and having some really weird usernames given they are to be used outside of html, this just provide a front end for registering to another system using mysql. Of course using it on the output wouldn;t cause that problem.

Another way to make something of a fix would be to use ENT_QUOTE or do:

<?php
$uniqueuser
= $realm_db->query('SELECT `login` FROM `accounts` WHERE `login` = "'.$username.'";');
?>

Eitherway none of these solutions are good practice and are not entirely unflawed. This function should simply never be used in such a fashion.

I hope this will prevent newbies using this function incorrectly (as they apparently do).
up
6
minder at ufive dot unibe dot ch
6 years ago
Problem

In many PHP legacy products the function htmlspecialchars($string) is used to convert characters like < and > and quotes a.s.o to HTML-entities. That avoids the interpretation of HTML Tags and asymmetric quote situations.

Since PHP 5.4 for $string in htmlspecialchars($string) utf8 characters are expected if no charset is defined explicitly as third parameter in the function. Legacy products are mostly in Latin1 (alias iso-8859-1) what makes the functions htmlspecialchars(), htmlentites() and html_entity_decode() to return empty strings if a special character, e. g. a German Umlaut, is present in $string:

PHP<5.4

echo htmlspecialchars('<b>Woermann</b>') //Output: &lt;b&gt;Woermann&lt;b&gt;
echo htmlspecialchars('Wörmann') //Output: &lt;b&gt;Wörmann&lt;b&gt;

PHP=5.4

echo htmlspecialchars('<b>Woermann</b>') //Output: &lt;b&gt;Woermann&lt;b&gt;
echo htmlspecialchars('<b>Wörmann</b>') //Output: empty

Three alternative solutions

a) Not runnig legacy products on PHP 5.4
b) Change all find spots in your code from
htmlspecialchars($string) and *** to
htmlspecialchars($string, ENT_COMPAT | ENT_HTML401, 'ISO-8859-1')
c) Replace all htmlspecialchars() and *** with a new self-made function

*** The same is true for htmlentities() and html_entity_decode();

Solution c

1 Make Search and Replace in the concerned legacy project:
Search for:        htmlspecialchars
Replace with:   htmlXspecialchars
Search for:        htmlentities
Replace with:   htmlXentities
Search for:        html_entity_decode
Replace with:   htmlX_entity_decode
2a Copy and paste the following three functions into an existing already everywhere included PHP-file in your legacy project. (of course that PHP-file must be included only once per request, otherwise you will get a Redeclare Function Fatal Error).

function htmlXspecialchars($string, $ent=ENT_COMPAT, $charset='ISO-8859-1') {
return htmlspecialchars($string, $ent, $charset);
}

function htmlXentities($string, $ent=ENT_COMPAT, $charset='ISO-8859-1') {
return htmlentities($string, $ent, $charset);
}

function htmlX_entity_decode($string, $ent=ENT_COMPAT, $charset='ISO-8859-1') {
return html_entity_decode($string, $ent, $charset);
}

or 2b crate a new PHP-file containing the three functions mentioned above, let's say, z. B. htmlXfunctions.inc.php and include it on the first line of every PHP-file in your legacy product like this: require_once('htmlXfunctions.inc.php').
up
6
Anonymous
10 years ago
Just a few notes on how one can use htmlspecialchars() and htmlentities() to filter user input on forms for later display and/or database storage...

1. Use htmlspecialchars() to filter text input values for html input tags.  i.e.,

echo '<input name=userdata type=text value="'.htmlspecialchars($data).'" />';


2. Use htmlentities() to filter the same data values for most other kinds of html tags, i.e.,

echo '<p>'.htmlentities($data).'</p>';

3. Use your database escape string function to filter the data for database updates & insertions, for instance, using postgresql,

pg_query($connection,"UPDATE datatable SET datavalue='".pg_escape_string($data)."'");


This strategy seems to work well and consistently, without restricting anything the user might like to type and display, while still providing a good deal of protection against a wide variety of html and database escape sequence injections, which might otherwise be introduced through deliberate and/or accidental input of such character sequences by users submitting their input data via html forms.
up
5
solar-energy
12 years ago
also see function "urlencode()", useful for passing text with ampersand and other special chars through url

(i.e. the text is encoded as if sent from form using GET method)

e.g.

<?php
echo "<a href='foo.php?text=".urlencode("foo?&bar!")."'>link</a>";
?>

produces

<a href='foo.php?text=foo%3F%26bar%21'>link</a>

and if the link is followed, the $_GET["text"] in foo.php will contain "foo?&bar!"
up
2
Felix D.
5 years ago
Another thing important to mention is that
htmlspecialchars(NULL)
returnes an empty string and not NULL!
up
3
Anonymous
10 years ago
This may seem obvious, but it caused me some frustration. If you try and use htmlspecialchars with the $charset argument set and the string you run it on is not actually the same charset you specify, you get any empty string returned without any notice/warning/error.

<?php

$ok_utf8
= "A valid UTF-8 string";
$bad_utf8 = "An invalid UTF-8 string";

var_dump(htmlspecialchars($bad_utf8, ENT_NOQUOTES, 'UTF-8'));  // string(0) ""

var_dump(htmlspecialchars($ok_utf8, ENT_NOQUOTES, 'UTF-8'));  // string(20) "A valid UTF-8 string"

?>

So make sure your charsets are consistent

<?php

$bad_utf8
= "An invalid UTF-8 string";

// make sure it's really UTF-8
$bad_utf8 = mb_convert_encoding($bad_utf8, 'UTF-8', mb_detect_encoding($bad_utf8));

var_dump(htmlspecialchars($bad_utf8, ENT_NOQUOTES, 'UTF-8'));  // string(23) "An invalid UTF-8 string"

?>

I had this problem because a Mac user was submitting posts copy/pasted from a program and it contained weird chars in it.
up
3
PoV
4 years ago
Be aware of the encoding of your source files!!!

Some of the suggestions here make reference to workarounds where you hard-code an encoding.

<?php
 
echo htmlspecialchars('<b>Wörmann</b>');  // Why isn't this working?
?>

As it turns out, it may actually be your text editor that is to blame.

As of PHP 5.4, htmlspecialchars now defaults to the UTF-8 encoding. That said, many text editors default to non-UTF encodings like ISO-8859-1 (i.e. Latin-1) or WIN-1252. If you change the encoding of the file to UTF-8, the code above will now work (i.e. the ö is encoded differently in UTF-8 and ISO-8859-1, and you need the UTF-8 version).

Make sure you are editing in UTF-8 Unicode mode! Check your UI or manual for how to convert files to Unicode. It's also a good idea to figure out where to look in your UI to see what the current file encoding is.
up
2
Anonymous
14 years ago
function htmlspecialchars_array($arr = array()) {
   $rs =  array();
   while(list($key,$val) = each($arr)) {
       if(is_array($val)) {
           $rs[$key] = htmlspecialchars_array($val);
       }
       else {
           $rs[$key] = htmlspecialchars($val, ENT_QUOTES);
       }   
   }
   return $rs;
}
up
1
qshing1437 at hotmail dot com
4 months ago
If you use htmlspecialchars() to escape any HTML attribute, make sure use double quote instead of single quote for the attribute.

For Example,

> Wrap with Single Quote
<?php
echo "<p title='"  . htmlspecialchars("Hello\"s\'world") . "'">

// title will end up Hello"s\ and rest of the text after single quote will be cut off.
?>

> Wrap with Double quote :
<?php
echo '<p title="'  . htmlspecialchars("Hello\"s\'world") . '"'>

// title will show up correctly as Hello"s'world
?>
up
1
_____ at luukku dot com
17 years ago
People, don't use ereg_replace for the most simple string replacing operations (replacing constant string with another).
Use str_replace.
up
0
support at playnext dot ru
6 years ago
For those having problems after the change of default value of $encoding argument to UTF-8 since PHP 5.4.

If your old non-UTF8 projects ruined - pls consider:
1. http://php.net/manual/en/function.override-function.php
2. http://php.net/manual/ru/function.runkit-function-redefine.php

The idea - you override the built-in htmlspecialchars() function with your customized variant which is able to respect non UTF-8 default encoding. This small piece of code can be then easily inserted somewhere at the start of yout project. No need to rewrite all htmlspecialchars() entries globally.

I've spent several hours with both approaches. Variant 1 looks good especaially in combination with http://www.php.net/manual/en/function.rename-function.php as it allows to call original htmlspecialchars() with just altered default args. The code could be as follows:

<?php
rename_function
('htmlspecialchars', 'renamed_htmlspecialchars');
function
overriden_htmlspecialchars($string, $flags=NULL, $encoding='cp1251', $double_encode=true) {
   
$flags = $flags ? $flags : (ENT_COMPAT|ENT_HTML401);
    return
renamed_htmlspecialchars($string, $flags, $encoding, $double_encode);
}
override_function('htmlspecialchars', '$string, $flags, $encoding, $double_encode', 'return overriden_htmlspecialchars($string, $flags, $encoding, $double_encode);');
?>

Unfortunatelly this didn't work for me properly - my site managed to call overriden function but not every time I reloaded the pages. Moreover other PHP sites crashed under my Apache server as they suddenly started blaming htmlspecialchars() was not defined. I suppose I had to spend more time to make it work thread/request/site/whatever-safe.

So I switched to runkit (variant 2). It worked for me, although even after trying runkit_function_rename()+runkit_function_add() I didn't managed to recall original htmlspecialchars() function. So as a quick solution I decided to call htmlentities() instead:

<?php
function overriden_htmlspecialchars($string, $flags=NULL, $encoding='UTF-8', $double_encode=true) {
   
$flags = $flags ? $flags : (ENT_COMPAT|ENT_HTML401);
   
$encoding = $encoding ? $encoding : 'cp1251';
    return
htmlentities($string, $flags, $encoding, $double_encode);
}
runkit_function_redefine('htmlspecialchars', '$string, $flags, $encoding, $double_encode', 'return overriden_htmlspecialchars($string, $flags, $encoding, $double_encode);');
?>

You may be able to implement your more powerfull overriden function.
Good luck!
up
0
nachitox2000 [at] hotmail [dot] com
9 years ago
I had problems with spanish special characters. So i think in using htmlspecialchars but my strings also contain HTML.
So I used this :) Hope it help

<?php
function htmlspanishchars($str)
{
    return
str_replace(array("&lt;", "&gt;"), array("<", ">"), htmlspecialchars($str, ENT_NOQUOTES, "UTF-8"));
}
?>
To Top