
htmlspecialchars()

function

Converts the special HTML characters `&`, `<`, `>`, `"` and (with ENT_QUOTES) `'` to their entity equivalents, so the browser renders them as text instead of parsing them as markup. Essential for preventing XSS when user data is output into HTML text or quoted attribute values.

Syntax

htmlspecialchars(string $string, int $flags = ENT_QUOTES|ENT_SUBSTITUTE|ENT_HTML401, ?string $encoding = null, bool $double_encode = true): string

Example

```php
<?php
// Raw input that must never reach the page unescaped
$input = '<script>alert("XSS")</script>';

// ENT_QUOTES escapes both " and '; the encoding is stated explicitly
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
// &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;

// Short helper for templates: HTML5 entity table, quotes escaped, UTF-8
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES|ENT_HTML5, 'UTF-8');
}
```

Always escape user data at the point where it is written into HTML, and pass the document's encoding explicitly so the function and the browser agree on how bytes are interpreted.
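The following is an added example, not code from the original reference page. It extends the `e()` helper above with ENT_SUBSTITUTE and walks through the caveats a practitioner runs into: invalid UTF-8 input, URL attributes (where escaping alone is not enough and a hypothetical `safeHref()` validates the scheme first), inline JavaScript (a different context, handled with `json_encode` rather than `htmlspecialchars`), and the `$double_encode` parameter. All sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Escape for HTML text and double-quoted attribute contexts.
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead of
// making the whole call return an empty string (the default behaviour).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical helper for href/src attributes: only http(s) URLs are allowed,
// anything else (javascript:, data:, vbscript:, ...) collapses to a harmless "#".
// Escaping cannot do this job, because a javascript: URL contains no special
// HTML characters at all.
function safeHref(string $candidate): string
{
    $parts  = parse_url($candidate);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return e($candidate);
}

// Escape for embedding a value inside an inline <script> block.
// The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes so the value can
// never terminate the script element or open a tag.
function jsValue(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample inputs (not real user data).
$name = 'Ann "the" <Admin> & co';
$bad  = "caf\xC3";               // truncated UTF-8 sequence
$link = 'javascript:alert(1)';   // not an http(s) URL

// 1. HTML text and a double-quoted attribute: e() is the right tool.
echo '<p>' . e($name) . '</p>' . PHP_EOL;
echo '<input value="' . e($name) . '">' . PHP_EOL;

// 2. Invalid UTF-8: without ENT_SUBSTITUTE the value silently disappears,
//    with it the bad byte becomes U+FFFD and the rest of the string survives.
var_dump(htmlspecialchars($bad, ENT_QUOTES, 'UTF-8'));
var_dump(e($bad));

// 3. URL attribute: validate the scheme, then escape.
echo '<a href="' . safeHref($link) . '">link</a>' . PHP_EOL;

// 4. Inline JavaScript: a different output context, different encoder.
echo '<script>const name = ' . jsValue($name) . ';</script>' . PHP_EOL;

// 5. $double_encode: the default re-encodes an existing entity (safe when the
//    source is raw), false leaves it alone (only for input already escaped once).
var_dump(htmlspecialchars('&amp;', ENT_QUOTES, 'UTF-8'));
var_dump(htmlspecialchars('&amp;', ENT_QUOTES, 'UTF-8', false));
```

Run it with `php example.php` and compare the five sections: the first two show `e()` neutralising tags and quotes, the second shows why ENT_SUBSTITUTE belongs in the helper, and the last three show that the correct encoder depends on where in the document the value lands rather than on the value itself.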