
htmlspecialchars()

Language: PHP · Applies to: PHP 5.0+ · Level: Beginner

Also Known As

htmlspecialchars() HTML escaping PHP XSS output encoding

TL;DR

Converts HTML special characters to entities — the primary defence against XSS in HTML output contexts.

Explanation

htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') converts <, >, &, ", and ' to their HTML entity equivalents, preventing injected text from being interpreted as HTML or JavaScript. ENT_QUOTES encodes both single and double quotes. ENT_SUBSTITUTE (PHP 8.1+) replaces invalid UTF-8 sequences with a replacement character instead of returning an empty string. Always specify the charset explicitly. This function is for HTML body and attribute contexts only — different escaping is needed for JavaScript, CSS, and URLs.

Common Misconception

Misconception: htmlspecialchars() with no flags is safe for all HTML contexts. In fact, without ENT_QUOTES single quotes are not escaped, so user input can terminate a single-quoted HTML attribute value and inject further attributes. Always use htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').

Why It Matters

htmlspecialchars() converts the five HTML special characters to entities — it is the primary defence against reflected XSS when outputting user-controlled data into HTML context.

Common Mistakes

  • Forgetting the ENT_QUOTES flag — without it, single quotes are not escaped, enabling injection in single-quoted attributes.
  • Not specifying the charset — defaults to latin-1 in older PHP, which can be bypassed with multi-byte characters.
  • Using htmlspecialchars() in non-HTML contexts (JavaScript, CSS, URLs) — each context requires different escaping.
  • Using strip_tags() instead — it removes tags but attribute-based XSS (onerror=) survives in allowed tags.

Code Examples

✗ Vulnerable
echo '<p>' . $userInput . '</p>'; // XSS if input contains <script>
✓ Fixed
// Always specify ENT_QUOTES and charset
echo '<p>' . htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';

// Helper function — use everywhere user data touches HTML
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<input value="' . e($_GET['q']) . '">';  // safe
// e() makes $url safe inside the attribute, but it does not validate the URL itself:
// check the scheme separately, since URL context needs its own handling (see Explanation)
echo '<a href="' . e($url) . '">' . e($label) . '</a>';

// htmlspecialchars_decode() reverses it — use only for internal data, never user input
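The contrasts described under Explanation and Common Mistakes, as an added example that is not from the glossary page or from PHP's documentation: it escapes constructed inputs with the legacy flag set (ENT_COMPAT, the default before PHP 8.1) and with the recommended set, then shows strip_tags() keeping an event-handler attribute on an allowed tag. The compare() helper and the sample strings are assumptions.

```php
<?php
declare(strict_types=1);

// HTML body/attribute escaper with the flags recommended on this page.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed helper: escapes one input with the legacy flag set (ENT_COMPAT,
// the default before PHP 8.1: double quotes only, and an empty string on
// invalid UTF-8) and with the recommended set, so both can be compared.
function compare(string $input): array
{
    return [
        'legacy' => htmlspecialchars($input, ENT_COMPAT | ENT_HTML401, 'UTF-8'),
        'strict' => e($input),
    ];
}

// Constructed inputs: an attribute break-out, a tag injection, and an
// invalid UTF-8 byte (truncated multibyte sequence).
$inputs = [
    'single quote in attribute' => "x' onmouseover='alert(1)", // would close value='...'
    'tag injection'             => '<script>alert(1)</script>',
    'invalid UTF-8'             => "caf\xC3",
];

foreach ($inputs as $label => $input) {
    $r = compare($input);
    // The legacy column leaves the single quote alone and drops the whole
    // string for the invalid byte; the strict column entity-encodes the quote
    // and substitutes U+FFFD for the bad byte.
    printf("%-26s legacy=%s strict=%s\n", $label,
        var_export($r['legacy'], true), var_export($r['strict'], true));
}

// strip_tags() with an allow-list is not an escaper: the allowed tag is kept
// with all of its attributes, so the event handler survives untouched.
$kept = strip_tags('<img src=x onerror=alert(1)>', '<img>');
printf("strip_tags() output: %s\n", $kept);

// Correct handling of the same input: escape at output time, in the context
// where it lands (here an HTML body), rather than trying to strip it.
printf('<p>%s</p>%s', e('<img src=x onerror=alert(1)>'), PHP_EOL);
```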

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity

Severity: High · Fix effort: Low

Quick Fix

Always use htmlspecialchars($var, ENT_QUOTES | ENT_HTML5, 'UTF-8') — ENT_QUOTES escapes both single and double quotes, and the charset prevents UTF-8 encoding attacks.

Applies To

PHP 5.0+ web

Detection Hints

echo $var without htmlspecialchars; htmlspecialchars without ENT_QUOTES; htmlspecialchars without charset parameter

Auto-detectable: Yes (semgrep, psalm, phpstan)
CWE-79
