What are the differences between htmlspecialchars() and htmlentities()? When should I use one or the other?
The most important difference between htmlentities and htmlspecialchars is the set of HTML characters that can be converted by these functions. The function htmlentities converts all the characters that are applicable to HTML entities. The function htmlspecialchars converts the special characters to HTML entities.
The htmlentities() function converts characters to HTML entities. Tip: To convert HTML entities back to characters, use the html_entity_decode() function. Tip: Use the get_html_translation_table() function to return the translation table used by htmlentities().
Are there any cases where htmlspecialchars($input, ENT_QUOTES, 'UTF-8') (converting & , " , ' , < , > to the corresponding named HTML entities) is not enough to protect against cross-site scripting when generating HTML on a web server? Yes, this is only about HTML output.
The htmlspecialchars() function converts some predefined characters to HTML entities.
htmlspecialchars may be used:
When there is no need to encode all characters which have their HTML equivalents.
If you know that the page encoding matches the text's special symbols, why would you use htmlentities? htmlspecialchars is much more straightforward, and produces less code to send to the client.
For example:
echo htmlentities('<Il était une fois un être>.');
// Output: &lt;Il &eacute;tait une fois un &ecirc;tre&gt;.
//                ^^^^^^^^                 ^^^^^^^

echo htmlspecialchars('<Il était une fois un être>.');
// Output: &lt;Il était une fois un être&gt;.
//                ^                 ^
The second one is shorter, and does not cause any problems if ISO-8859-1 charset is set.
When the data will be processed not only through a browser (to avoid decoding HTML entities),
If the output is XML (see the answer by Artefacto).
From the PHP documentation for htmlentities:
This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.
From the PHP documentation for htmlspecialchars:
Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead.
The difference is what gets encoded. The choices are everything (entities) or "special" characters, like ampersand, double and single quotes, less than, and greater than (specialchars).
I prefer to use htmlspecialchars whenever possible.
For example:
echo htmlentities('<Il était une fois un être>.');
// Output: &lt;Il &eacute;tait une fois un &ecirc;tre&gt;.
//                ^^^^^^^^                 ^^^^^^^

echo htmlspecialchars('<Il était une fois un être>.');
// Output: &lt;Il était une fois un être&gt;.
//                ^                 ^
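The comparison above can be checked directly against PHP's own translation tables. The script below is an added example, not code from any of the answers; the sample strings are constructed, and the flags and charset follow the htmlspecialchars($input, ENT_QUOTES, 'UTF-8') call quoted earlier. It assumes the file is saved as UTF-8.

```php
<?php
// Added example (not from the original answers). Save this file as UTF-8.
const FLAGS = ENT_QUOTES;
const CHARSET = 'UTF-8';

// 1. The translation tables list exactly which characters each function rewrites.
$special  = get_html_translation_table(HTML_SPECIALCHARS, FLAGS, CHARSET);
$entities = get_html_translation_table(HTML_ENTITIES, FLAGS, CHARSET);
printf("htmlspecialchars table (%d): %s\n", count($special), implode(' ', array_keys($special)));
printf("htmlentities table: %d characters\n", count($entities));

// 2. Constructed sample input with markup characters and accented letters.
$input = "<b title='x'>Il était une fois un être</b> & \"more\"";
$viaSpecial  = htmlspecialchars($input, FLAGS, CHARSET);
$viaEntities = htmlentities($input, FLAGS, CHARSET);
echo $viaSpecial, "\n", $viaEntities, "\n";

// Both outputs are free of raw markup characters; htmlentities only adds
// named entities for characters that were never markup-significant.
foreach (['htmlspecialchars' => $viaSpecial, 'htmlentities' => $viaEntities] as $name => $out) {
    $raw = strpbrk($out, "<>\"'") !== false;
    printf("%-16s raw markup left: %s, decodes back to input: %s\n", $name,
        var_export($raw, true),
        var_export(html_entity_decode($out, FLAGS, CHARSET) === $input, true));
}

// 3. The flag matters more than the function: ENT_COMPAT leaves ' untouched,
// which is unsafe inside a single-quoted attribute value.
var_dump(htmlspecialchars("it's", ENT_COMPAT, CHARSET)); // single quote still raw

// 4. Declaring the wrong charset: htmlentities mis-reads the two UTF-8 bytes of
// "é" as two ISO-8859-1 characters; htmlspecialchars passes them through as-is.
var_dump(htmlentities('é', FLAGS, 'ISO-8859-1'));
var_dump(htmlspecialchars('é', FLAGS, 'ISO-8859-1') === 'é');
```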