{
    "slug": "htmlspecialchars",
    "term": "htmlspecialchars()",
    "category": "php",
    "difficulty": "beginner",
    "short": "Converts HTML special characters to entities — the primary defence against XSS in HTML output contexts.",
    "long": "htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') converts <, >, &, \", and ' to their HTML entity equivalents, preventing injected text from being interpreted as HTML or JavaScript. ENT_QUOTES encodes both single and double quotes. ENT_SUBSTITUTE (part of the default flags since PHP 8.1) replaces invalid UTF-8 sequences with a replacement character instead of returning an empty string. Always specify the charset explicitly. This function is for HTML body and quoted-attribute contexts only — different escaping is needed for JavaScript, CSS, and URLs.",
    "aliases": [
        "htmlspecialchars()",
        "HTML escaping PHP",
        "XSS output encoding"
    ],
    "tags": [
        "php",
        "security",
        "xss",
        "output-encoding"
    ],
    "misconception": "htmlspecialchars() with no flags is safe for all HTML contexts. Without ENT_QUOTES, single quotes are not escaped — an attacker can break out of single-quoted HTML attributes. Always use htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').",
    "why_it_matters": "htmlspecialchars() converts the five HTML special characters to entities — it is the primary defence against reflected XSS when outputting user-controlled data into HTML context.",
    "common_mistakes": [
        "Forgetting the ENT_QUOTES flag — without it, single quotes are not escaped, enabling injection in single-quoted attributes.",
        "Not specifying the charset — defaults to latin-1 in older PHP, which can be bypassed with multi-byte characters.",
        "Using htmlspecialchars() in non-HTML contexts (JavaScript, CSS, URLs) — each context requires different escaping.",
        "Using strip_tags() instead — it removes tags but attribute-based XSS (onerror=) survives in allowed tags."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "xss"
    ],
    "prerequisites": [
        "xss",
        "html_injection",
        "output_encoding"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.htmlspecialchars.php"
    ],
    "bad_code": "echo '<p>' . $userInput . '</p>'; // XSS if input contains <script>",
    "good_code": "// Always specify ENT_QUOTES and charset\necho '<p>' . htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';\n\n// Helper function — use everywhere user data touches HTML\nfunction e(string $s): string {\n    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');\n}\n\necho '<input value=\"' . e($_GET['q']) . '\">';  // safe\necho '<a href=\"' . e($url) . '\">' . e($label) . '</a>'; // attribute-escaped; $url still needs scheme validation — escaping does not neutralise javascript: URLs\n\n// htmlspecialchars_decode() reverses it — use only for internal data, never user input",
    "quick_fix": "Always use htmlspecialchars($var, ENT_QUOTES | ENT_HTML5, 'UTF-8') — ENT_QUOTES escapes both single and double quotes, and an explicit charset prevents encoding-mismatch bypasses",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/htmlspecialchars",
        "html_url": "https://codeclaritylab.com/glossary/htmlspecialchars",
        "json_url": "https://codeclaritylab.com/glossary/htmlspecialchars.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[htmlspecialchars()](https://codeclaritylab.com/glossary/htmlspecialchars) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/htmlspecialchars"
            }
        }
    }
}