How to Use PHP htmlspecialchars() to Escape Special Characters and Prevent XSS
This article explains the purpose, syntax, optional parameters, and practical examples of PHP's htmlspecialchars() function, demonstrating how to safely convert special characters to HTML entities, control encoding and flags, avoid double‑encoding, and follow important usage considerations for secure web development.
In modern web development, security is crucial, and one of the most common attack vectors is cross-site scripting (XSS): untrusted input that contains HTML metacharacters is written into a page and rendered as markup or script instead of as text. PHP provides the htmlspecialchars() function to convert those characters into HTML entities so the browser treats them as literal text.
htmlspecialchars() Function Syntax
<code>htmlspecialchars(string $string, int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, ?string $encoding = null, bool $double_encode = true): string</code>
The function takes a string $string and returns the escaped version; the original is not modified. The signature above is the PHP 8.1+ one. In versions before 8.1 the default flags were ENT_COMPAT | ENT_HTML401, which leaves single quotes unescaped and returns an empty string on invalid byte sequences, so code that must also run on older versions should pass the flags explicitly. It also accepts three optional parameters:
$flags : A bitmask that selects the conversion rules. The quote flags are ENT_COMPAT (double quotes only, the default before PHP 8.1), ENT_QUOTES (both double and single quotes; use this whenever the value may land inside an attribute) and ENT_NOQUOTES (neither). ENT_SUBSTITUTE replaces invalid byte sequences with U+FFFD instead of making the function return an empty string. ENT_HTML401, ENT_HTML5, ENT_XHTML and ENT_XML1 select the document type, which only changes which entity is emitted for some characters (the single quote becomes &#039; under ENT_HTML401 and &apos; under ENT_HTML5); none of them escapes additional characters. Passing any value for $flags replaces the whole default set, so ENT_SUBSTITUTE has to be added back explicitly.
$encoding : The character encoding of $string. When omitted (or null) the function uses ini_get("default_charset"), which is UTF-8 unless php.ini changes it. It must match the charset the page is actually served with, otherwise multi-byte sequences can be mis-parsed or rejected.
$double_encode : Controls whether existing entities such as &amp; or &lt; are encoded again. The default true escapes every & regardless; false leaves already-valid entities untouched while still escaping raw special characters.
Usage Examples
1. Converting Special Characters
<code>$str = "<h1>Hello, World!</h1>";
$result = htmlspecialchars($str);
echo $result; // Output: &lt;h1&gt;Hello, World!&lt;/h1&gt;</code>
The < and > characters become entities, so the browser displays the tags as text instead of rendering them.
2. Specifying Flags and Encoding
<code>$str = "<h1>Hello, World!</h1>";
$result = htmlspecialchars($str, ENT_QUOTES, "UTF-8");
echo $result; // Output: &lt;h1&gt;Hello, World!&lt;/h1&gt;</code>
Here $flags is set to ENT_QUOTES so that both single and double quotes are escaped, and $encoding is set explicitly to UTF-8. This input contains no quotes, so the output is identical to the previous example; the flag makes a difference when the value is placed inside a quoted attribute.
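To show what the flag and encoding choices actually change, here is an added example that is not from the original article. The e() wrapper is a name chosen for this example, not a PHP built-in, and the attacker strings and the invalid byte sequence are constructed for the demonstration.

```php
<?php
// Added example, not part of the original article: what the $flags and
// $encoding arguments change. All inputs are constructed attacker strings.
declare(strict_types=1);

/**
 * One hardened call for HTML text and quoted attribute values (name chosen
 * for this example): both quote styles escaped, invalid UTF-8 replaced
 * instead of silently returning '', HTML5 entity names.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 1. Quote handling. ENT_COMPAT (the default before PHP 8.1) converts only
//    double quotes, so a single-quoted attribute can be broken out of.
$payload = "' onmouseover='alert(1)";

$weak = htmlspecialchars($payload, ENT_COMPAT | ENT_HTML401, 'UTF-8');
echo "<input value='" . $weak . "'>\n";
// <input value='' onmouseover='alert(1)'>   <- a second attribute was injected

$safe = e($payload);
echo "<input value='" . $safe . "'>\n";
// <input value='&apos; onmouseover=&apos;alert(1)'>   <- still one attribute

// 2. Encoding. A byte sequence that is not valid in the declared charset
//    (here a lone 0xE9, Latin-1 "é", with no continuation byte) makes
//    htmlspecialchars() return '' unless ENT_SUBSTITUTE is set. Passing any
//    $flags replaces the whole default set, so ENT_SUBSTITUTE must be
//    included explicitly.
$broken = "caf\xE9";

var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8'));
// string(0) ""                 <- the entire value is dropped

echo bin2hex(htmlspecialchars($broken, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')), "\n";
// 636166efbfbd                 <- "caf" followed by U+FFFD (EF BF BD)

// 3. The same bytes pass unchanged when the declared encoding matches the
//    data; the page must then be served with that charset too.
echo bin2hex(htmlspecialchars($broken, ENT_QUOTES | ENT_SUBSTITUTE, 'ISO-8859-1')), "\n";
// 636166e9
```

Case 2 is the one that bites in production: with the old default flags a user's name containing one bad byte is rendered as nothing at all, with no error. Wrapping the call as in e() keeps every template using the same flags and charset.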
3. Preventing Double Encoding
<code>$str = "&lt;h1&gt;Hello, World!&lt;/h1&gt;";
$result = htmlspecialchars($str, ENT_QUOTES, "UTF-8", false);
echo $result; // Output: &lt;h1&gt;Hello, World!&lt;/h1&gt;</code>
With the default $double_encode = true the existing entities would be escaped again (the & that starts each entity becomes &amp;, giving &amp;lt;h1&amp;gt;Hello, World!&amp;lt;/h1&amp;gt;, which the browser shows as the literal text "&lt;h1&gt;..."). Setting it to false leaves already-valid entities untouched while still escaping any raw <, >, &, and quotes. It does not turn entities back into the original characters; for that, use htmlspecialchars_decode().
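The full behaviour of $double_encode on mixed input, as an added example that is not from the original article. The input strings are constructed for the demonstration.

```php
<?php
// Added example, not part of the original article: what $double_encode
// actually changes. The input strings are constructed for the demonstration.
declare(strict_types=1);

const FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// One entity that is already valid, one bare '&', and one raw tag.
$input = 'Tom &amp; Jerry & Co. <b>';

// Default ($double_encode = true): every '&' is escaped, including the one
// that starts the existing entity, so the page shows the literal text "&amp;".
echo htmlspecialchars($input, FLAGS, 'UTF-8', true), "\n";
// Tom &amp;amp; Jerry &amp; Co. &lt;b&gt;

// $double_encode = false: the valid entity is left alone, while the bare '&'
// and the tag characters are still escaped. Nothing raw reaches the browser,
// so the output is still safe in HTML text and attribute context.
echo htmlspecialchars($input, FLAGS, 'UTF-8', false), "\n";
// Tom &amp; Jerry &amp; Co. &lt;b&gt;

// Neither setting turns entities back into characters. To restore the
// original text, decode explicitly, with the same quote flag used to encode.
echo htmlspecialchars_decode('&lt;h1&gt;Hello, World!&lt;/h1&gt;', ENT_QUOTES), "\n";
// <h1>Hello, World!</h1>

// $double_encode = false only recognises well-formed entities: "&amp" without
// its semicolon is treated as a bare '&' and escaped, while a well-formed
// numeric entity such as &#x3C; is left as it is.
echo htmlspecialchars('&amp &#x3C;', FLAGS, 'UTF-8', false), "\n";
// &amp;amp &#x3C;
```

Use false only when you know the input is already partially encoded (for example, text that a rich-text editor stored with entities); for raw user input the default is the right choice, because it guarantees what the user typed is what the user sees.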
Important Notes
htmlspecialchars() converts the characters that make up a tag into entities so the tag is displayed as text; it does not remove tags. strip_tags() removes them, but it is a content filter, not an XSS defence, and is not a substitute for output escaping.
The output is safe only in the context the function is designed for: HTML text and quoted attribute values. It does not make a value safe inside a URL attribute (a javascript: href contains none of the characters it escapes), inside an inline script or event handler, or inside CSS; those contexts need their own encoding or validation.
If you provide $flags , the function follows the specified conversion rules such as ENT_COMPAT , ENT_QUOTES , or ENT_HTML5 , and the default set is discarded, so include ENT_SUBSTITUTE yourself.
When you provide $encoding , the function uses that charset (e.g., UTF‑8, ISO‑8859‑1) for conversion. If the bytes are not valid in that charset and ENT_SUBSTITUTE is not set, the return value is an empty string, which silently drops the whole value.
Escape once, at output time, rather than before storing the data; escaped data in the database is hard to reuse in non-HTML contexts and invites double encoding.
The function returns a new string; the original variable remains unchanged, so assign the result to a variable.
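The two contexts where htmlspecialchars() is not enough, as an added example that is not from the original article. e() and safeHref() are names chosen here, not PHP built-ins; the URL and name values are constructed attacker inputs.

```php
<?php
// Added example, not part of the original article: htmlspecialchars() is
// correct only for HTML text and quoted attribute values. Two other
// contexts need different handling. All inputs are constructed.
declare(strict_types=1);

// Same hardened wrapper as elsewhere on this page (name chosen for the example).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$url  = 'javascript:alert(document.cookie)';
$name = '</script><script>alert(1)</script>';

// 1. URL attribute. A javascript: URL needs no HTML metacharacter, so e()
//    returns it unchanged and the link still runs script when clicked.
echo '<a href="' . e($url) . '">profile</a>', "\n";
// <a href="javascript:alert(document.cookie)">profile</a>

// Fix: allow-list the URL shape before escaping. Only absolute http(s) URLs
// and site-relative paths (one leading slash, not // or /\ which browsers
// read as protocol-relative) pass; anything else, including leading
// whitespace that browsers would strip before parsing, is replaced.
function safeHref(string $url): string
{
    if (preg_match('~\A(?:https?://|/(?![/\\\\]))~i', $url) !== 1) {
        return '#';   // or reject the request entirely
    }
    return e($url);
}
echo '<a href="' . safeHref($url) . '">profile</a>', "\n";
// <a href="#">profile</a>
echo '<a href="' . safeHref('/users/42?tab=posts&sort=new') . '">profile</a>', "\n";
// <a href="/users/42?tab=posts&amp;sort=new">profile</a>

// 2. Inline script. Inside <script> the browser does not decode entities, so
//    an htmlspecialchars()-escaped value arrives in JavaScript as the literal
//    text "&lt;...", while a raw value closes the script block early. Emit the
//    value as a JSON literal with the JSON_HEX_* flags so <, >, &, ' and "
//    become \u escapes that the HTML parser never sees as markup.
$literal = json_encode(
    $name,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
);
echo '<script>var user = ', $literal, ';</script>', "\n";
// <script>var user = "\u003C\/script\u003E\u003Cscript\u003Ealert(1)\u003C\/script\u003E";</script>
```

The rule of thumb: decide which parser will consume the value (HTML, URL, JavaScript, CSS) and encode or validate for that parser. htmlspecialchars() is the HTML answer only.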
Conclusion
By calling htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE and the page's real charset, and applying it at output time to every untrusted value placed in HTML text or attribute values, developers can reliably convert special characters to HTML entities and close off the most common XSS vector. Values that end up in URLs, scripts or styles need context-specific handling in addition.