PHP htmlspecialchars

Summary: in this tutorial, you’ll learn how to use the PHP htmlspecialchars() function to prevent XSS attacks.

What Is XSS?

XSS stands for cross-site scripting. It’s a kind of attack where an attacker injects malicious client-side code into a web page’s output.

For example, suppose your page has a comment section that lets legitimate users leave comments. If you output those comments as-is, the page is vulnerable to XSS.

An attacker can enter a comment containing JavaScript code that redirects users to a malicious website:

<script>location.replace('<malicious website>');</script>

The website will store this comment in the database and display it in the comments section. When legitimate users access the page, it’ll redirect the users to a malicious website.

To prevent XSS attacks, you should always escape the string from unknown sources such as user inputs. To escape a string for output, you use the htmlspecialchars() function.

Introduction to the PHP htmlspecialchars() function

The htmlspecialchars() function converts special characters into HTML entities:

htmlspecialchars(
    string $string,
    int $flags = ENT_COMPAT,
    string|null $encoding = null,
    bool $double_encode = true
): string

The htmlspecialchars() function accepts an input string ($string) and returns the new string with the special characters converted into HTML entities.

The following table shows the special characters that the htmlspecialchars() function will convert to HTML entities:

Character   Name           Replacement
&           Ampersand      &amp;
"           Double quote   &quot;, unless ENT_NOQUOTES is set
'           Single quote   &#039; (with the ENT_HTML401 flag) or &apos; (with the ENT_XML1, ENT_XHTML or ENT_HTML5 flag), but only when the ENT_QUOTES flag is set
<           Less than      &lt;
>           Greater than   &gt;

The $flags argument is a bitmask of one or more flags that control how the function handles the special characters.

The $encoding argument specifies the character encoding the function uses when converting characters.

PHP htmlspecialchars() function example

The following example shows how to display a string on a page without escaping:

<?php

$comment = "<script>alert('Hello there');</script>";
echo $comment;

If you run the code on a web browser, you’ll see an alert message.

To escape the $comment string, you use the htmlspecialchars() function as follows:

<?php

$comment = '<script>alert("Hello there");</script>';
echo htmlspecialchars($comment);

Now, you’ll see the following string on the webpage instead:

<script>alert("Hello there");</script>

When you view the source of the page, you’ll see the following code, in which every special character has been replaced by its HTML entity so the browser renders it as text instead of executing it:

&lt;script&gt;alert(&quot;Hello there&quot;);&lt;/script&gt;
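Beyond the two examples above, here is an added example (not from the original tutorial) that walks through the $flags, $encoding and $double_encode arguments from the signature and shows why the quote flags matter when the escaped value is placed inside an attribute; the e() and renderComment() helpers and the sample comment text are constructed for it.

```php
<?php
// Added example, not from the original tutorial. It shows how the $flags,
// $encoding and $double_encode arguments change the result, and why the
// quote flags matter once the escaped value lands inside an attribute.
// The comment text is constructed for the demonstration.

// Escape untrusted text for an HTML element body or a quoted attribute.
// ENT_QUOTES converts both ' and ", so the result is safe in single- or
// double-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 with
// U+FFFD instead of making the call return an empty string. These are the
// defaults since PHP 8.1; passing them explicitly gives the same behaviour
// on older versions, where the default is ENT_COMPAT.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Render one stored comment. Every interpolation point, including the
// single-quoted data-author attribute, goes through e().
function renderComment(string $author, string $comment): string
{
    return sprintf(
        "<div class=\"comment\" data-author='%s'><b>%s</b>: %s</div>",
        e($author), e($author), e($comment)
    );
}

$comment = "O'Brien wrote: <script>alert(\"Hello there\");</script>";

// ENT_COMPAT converts <, >, & and " but leaves the single quote as-is, so
// this output is only safe in an element body or a double-quoted attribute.
echo htmlspecialchars($comment, ENT_COMPAT, 'UTF-8'), PHP_EOL;

// ENT_QUOTES converts the single quote too (to &#039; under ENT_HTML401).
echo e($comment), PHP_EOL;

// $double_encode = false leaves an existing entity such as &amp; intact; the
// default re-encodes its ampersand, which is right for raw user input.
echo htmlspecialchars('Fish &amp; Chips', ENT_QUOTES, 'UTF-8', false), PHP_EOL;
echo htmlspecialchars('Fish &amp; Chips', ENT_QUOTES, 'UTF-8'), PHP_EOL;

// Without ENT_SUBSTITUTE an invalid byte makes the function return '',
// silently blanking the whole comment; with it the byte becomes U+FFFD.
var_dump(htmlspecialchars("bad \xff byte", ENT_QUOTES, 'UTF-8') === '');
echo e("bad \xff byte"), PHP_EOL;

echo renderComment("O'Brien", $comment), PHP_EOL;
```

Run it with the PHP CLI and compare the two escaped versions of $comment: only the ENT_QUOTES output can be dropped into the single-quoted data-author attribute without ending the attribute early.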

Summary

  • XSS stands for cross-site scripting, a type of attack in which an attacker injects malicious client-side code into a web page’s output.
  • Use the PHP htmlspecialchars() function to convert special characters to HTML entities.
  • Always escape a string before displaying it on a webpage using the htmlspecialchars() function to prevent XSS attacks.