PHP 5.4.36 Released

htmlentities

(PHP 4, PHP 5)

htmlentities適用可能な文字を全て HTML エンティティに変換する

説明

string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )

この関数はhtmlspecialchars()と同じですが、 HTML エンティティと等価な意味を有する文字をHTMLエンティティに変換します。

もしデコード (逆の処理) をしたい場合、 html_entity_decode() を使用することができます。

パラメータ

string

入力文字列。

flags

以下のフラグを組み合わせたビットマスクです。 クォートや無効な符号単位シーケンス、そして文書型の扱いを指定します。 デフォルトは ENT_COMPAT | ENT_HTML401 です。

利用可能な flags 定数
定数名 説明
ENT_COMPAT ダブルクオートは変換しますがシングルクオートは変換しません。
ENT_QUOTES シングルクオートとダブルクオートを共に変換します。
ENT_NOQUOTES シングルクオートとダブルクオートは共に変換されません。
ENT_IGNORE 無効な符号単位シーケンスを含む文字列を渡したときに、 空の文字列を返すのではなく無効な部分を切り捨てるようになります。 このフラグは使わないようにしましょう。 » セキュリティの問題が発生する可能性があります
ENT_SUBSTITUTE 無効な符号単位シーケンスを含む文字列を渡したときに、 空の文字列を返すのではなく Unicode の置換文字に置き換えます。 UTF-8 の場合は U+FFFD、それ以外の場合は &#FFFD; となります。
ENT_DISALLOWED 指定した文書型において無効な符号位置を、Unicode の代替文字である U+FFFD (UTF-8) あるいは &#FFFD; で置き換えます。 これを設定しなければ、無効な符号位置をそのまま残します。 これは、外部コンテンツを埋め込んだ XML 文書を整形式に保つために有用です。
ENT_HTML401 コードを HTML 4.01 として処理します。
ENT_XML1 コードを XML 1 として処理します。
ENT_XHTML コードを XHTML として処理します。
ENT_HTML5 コードを HTML 5 として処理します。

encoding

オプションの引数。文字を変換するときに使うエンコーディングを定義します。

省略した場の encoding のデフォルト値は、varies PHP のバージョンによって異なります。 PHP 5.6.0 以降では、デフォルト値として default_charset の値を使います。PHP 5.4 と PHP 5.5 のデフォルト値は、 UTF-8 で、それより前のバージョンの PHP のデフォルト値は ISO-8859-1 でした。

技術的にはこの引数を省略可能ですが、PHP 5.5 以前のバージョンを使っている場合や、 default_charset の指定が入力とは違う文字セットになっている場合は、 適切な値を指定しておくことを強く推奨します。

以下の文字セットをサポートします。

サポートする文字セット
文字セット エイリアス 説明
ISO-8859-1 ISO8859-1 西欧、Latin-1
ISO-8859-5 ISO8859-5 ほとんど使われないキリル文字セット (Latin/Cyrillic)。
ISO-8859-15 ISO8859-15 西欧、Latin-9 。Latin-1(ISO-8859-1) に欠けている ユーロ記号やフランス・フィンランドの文字を追加したもの。
UTF-8   ASCII 互換のマルチバイト 8 ビット Unicode 。
cp866 ibm866, 866 DOS 固有のキリル文字セット。
cp1251 Windows-1251, win-1251, 1251 Windows 固有のキリル文字セット。
cp1252 Windows-1252, 1252 西欧のための Windows 固有の文字セット。
KOI8-R koi8-ru, koi8r ロシア語。
BIG5 950 繁体字中国語。主に台湾で使用されます。
GB2312 936 簡体字中国語。国の標準文字セットです。
BIG5-HKSCS   Big5 に香港の拡張を含めたもの。繁体字中国語。
Shift_JIS SJIS, SJIS-win, cp932, 932 日本語。
EUC-JP EUCJP, eucJP-win 日本語。
MacRoman   Mac OS で使われる文字セット。
''   空文字列を指定すると、 スクリプトのエンコーディング (Zend multibyte)、 default_charset、 そして現在のロケール (nl_langinfo() および setlocale() を参照ください) の順でエンコーディングを検出します。 この方法はおすすめしません。

注意: これら以外の文字セットは理解できません。 かわりにデフォルトのエンコーディングを使用し、警告を発生させます。

double_encode

double_encode をオフにすると、PHP は既存の html エンティティをエンコードしません。 デフォルトでは、既存のエンティティも含めてすべてを変換します。

返り値

エンコードした文字列を返します。

入力文字列の中に、指定した encoding で無効な符号単位シーケンスが含まれる場合は、 ENT_IGNORE あるいは ENT_SUBSTITUTE フラグが設定されていない限りは空文字列を返します。

変更履歴

バージョン 説明
5.6.0 encoding パラメータのデフォルト値が、 default_charset の設定値に変わりました。
5.4.0 encoding パラメータのデフォルトが UTF-8 に変わりました。
5.4.0 定数 ENT_SUBSTITUTEENT_DISALLOWEDENT_HTML401ENT_XML1ENT_XHTML および ENT_HTML5 が追加されました。
5.3.0 定数 ENT_IGNORE が追加されました。
5.2.3 double_encode パラメータが追加されました。

例1 htmlentities() の例

<?php
$str 
"A 'quote' is <b>bold</b>";

// 出力: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// 出力: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($strENT_QUOTES);
?>

例2 ENT_IGNORE の使用例

<?php
$str 
"\x8F!!!";

// 出力: 空の文字列
echo htmlentities($strENT_QUOTES"UTF-8");

// 出力: "!!!"
echo htmlentities($strENT_QUOTES ENT_IGNORE"UTF-8");
?>

参考

add a note add a note

User Contributed Notes 39 notes

up
37
Sijmen Ruwhof
4 years ago
An important note below about using this function to secure your application against Cross Site Scripting (XSS) vulnerabilities.

When printing user input in an attribute of an HTML tag, the default configuration of htmlEntities() doesn't protect you against XSS, when using single quotes to define the border of the tag's attribute-value. XSS is then possible by injecting a single quote:

<?php
$_GET
['a'] = "#000' onload='alert(document.cookie)";
?>

XSS possible (insecure):

<?php
$href
= htmlEntities($_GET['a']);
print
"<body bgcolor='$href'>"; # results in: <body bgcolor='#000' onload='alert(document.cookie)'>
?>

Use the 'ENT_QUOTES' quote style option, to ensure no XSS is possible and your application is secure:

<?php
$href
= htmlEntities($_GET['a'], ENT_QUOTES);
print
"<body bgcolor='$href'>"; # results in: <body bgcolor='#000&#039; onload=&#039;alert(document.cookie)'>
?>

The 'ENT_QUOTES' option doesn't protect you against javascript evaluation in certain tag's attributes, like the 'href' attribute of the 'a' tag. When clicked on the link below, the given JavaScript will get executed:

<?php
$_GET
['a'] = 'javascript:alert(document.cookie)';
$href = htmlEntities($_GET['a'], ENT_QUOTES);
print
"<a href='$href'>link</a>"; # results in: <a href='javascript:alert(document.cookie)'>link</a>
?>
up
3
hajo-p
11 months ago
The flag ENT_HTML5 also strips newline chars like \n with htmlentities while htmlspecialchars is not affected by that.

If you want to use nl2br on that string afterwards you might end up searching the problem like i did. This does not apply to other flags like e.g. ENT_XHTML which confused me.

Tested this with PHP 5.4 / 5.5 / 5.6-dev with same results, so it seems that this is an intended "feature".
up
6
q (dot) rendeiro (at) gmail (dot) com
7 years ago
I've seen lots of functions to convert all the entities, but I needed to do a fulltext search in a db field that had named entities instead of numeric entities (edited by tinymce), so I searched the tinymce source and found a string with the value->entity mapping. So, i wrote the following function to encode the user's query with named entities.

The string I used is different of the original, because i didn't want to convert ' or ". The string is too long, so I had to cut it. To get the original check TinyMCE source and search for nbsp or other entity ;)

<?php

$entities_unmatched
= explode(',', '160,nbsp,161,iexcl,162,cent, [...] ');
$even = 1;
foreach(
$entities_unmatched as $c) {
    if(
$even) {
       
$ord = $c;
    } else {
       
$entities_table[$ord] = $c;
    }
   
$even = 1 - $even;
}

function
encode_named_entities($str) {
    global
$entities_table;
   
   
$encoded_str = '';
    for(
$i = 0; $i < strlen($str); $i++) {
       
$ent = @$entities_table[ord($str{$i})];
        if(
$ent) {
           
$encoded_str .= "&$ent;";
        } else {
           
$encoded_str .= $str{$i};
        }
    }
    return
$encoded_str;
}

?>
up
9
ustimenko dot alexander at gmail dot com
2 years ago
For those Spanish (and not only) folks, that want their national letters back after htmlentities :)

<?php
protected function _decodeAccented($encodedValue, $options = array()) {
   
$options += array(
       
'quote'     => ENT_NOQUOTES,
       
'encoding'  => 'UTF-8',
    );
    return
preg_replace_callback(
       
'/&\w(acute|uml|tilde);/',
       
create_function(
           
'$m',
           
'return html_entity_decode($m[0], ' . $options['quote'] . ', "' .
           
$options['encoding'] . '");'
       
),
       
$encodedValue
   
);
}
?>
up
6
admin at wapforum dot rs
3 years ago
A useful little function to convert the symbols in the different inputs.
<?php
function ConvertSimbols($var, $ConvertQuotes = 0) {
if (
$ConvertQuotes > 0) {
$var = htmlentities($var, ENT_NOQUOTES, 'UTF-8');
$var = str_replace('\"', '', $var);
$var = str_replace("\'", '', $var);
} else {
$var = htmlentities($var, ENT_QUOTES, 'UTF-8');
}
return
$var;
}
?>

Usage with quotes for example message:

$message = ConvertSimbols($message);

Usage without quotes for example link:

$link = ConvertSimbols($link, 1);
up
6
realcj at g mail dt com
8 years ago
If you are building a loadvars page for Flash and have problems with special chars such as " & ", " ' " etc, you should escape them for flash:

Try trace(escape("&")); in flash' actionscript to see the escape code for &;

% = %25
& = %26
' = %27

<?php
function flashentities($string){
return
str_replace(array("&","'"),array("%26","%27"),$string);
}
?>

Those are the two that concerned me. YMMV.
up
8
n at erui dot eu
2 years ago
html entities does not encode all unicode characters. It encodes what it can [all of latin1], and the others slip through. &#1033; is the nasty I use. I have searched for a function which encodes everything, but in the end I wrote this. This is as simple as I can get it. Consult an ansii table to custom include/omit chars you want/don't. I'm sure it's not that fast.

// Unicode-proof htmlentities.
// Returns 'normal' chars as chars and weirdos as numeric html entites.
function superentities( $str ){
    // get rid of existing entities else double-escape
    $str = html_entity_decode(stripslashes($str),ENT_QUOTES,'UTF-8');
    $ar = preg_split('/(?<!^)(?!$)/u', $str );  // return array of every multi-byte character
    foreach ($ar as $c){
        $o = ord($c);
        if ( (strlen($c) > 1) || /* multi-byte [unicode] */
            ($o <32 || $o > 126) || /* <- control / latin weirdos -> */
            ($o >33 && $o < 40) ||/* quotes + ambersand */
            ($o >59 && $o < 63) /* html */
        ) {
            // convert to numeric entity
            $c = mb_encode_numericentity($c,array (0x0, 0xffff, 0, 0xffff), 'UTF-8');
        }
        $str2 .= $c;
    }
    return $str2;
}
up
5
Waygood
3 years ago
When putting values inside comment tags <!-- --> you should replace -- with &#45;&#45; too, as this would end your tag and show the rest of the comment.
up
2
keenskelly at gmail dot com
6 years ago
Correction to my previous post: the set of ENTITY declarations must be inside a <!DOCTYPE element; also &nbsp; is NOT pre-defined in XML and must be left in the entity list. I also extended the list with the windows 1252 character set using a sample function borrowed from php.net user comments and extended with euro entity which we need for our app. Here is the final code that is in our production app:

<?php

// Generate a list of entity declarations from the HTML_ENTITIES set that PHP knows about to dump into the document
function htmlentities_entities() {
       
$output = "<!DOCTYPE html [\n";
        foreach (
get_html_translation_table_CP1252(HTML_ENTITIES) as $value) {
               
$name = substr($value, 1, strlen($value) - 2);
                switch (
$name) {
                       
// These ones we can skip because they're built into XML
                       
case 'gt':
                        case
'lt':
                        case
'quot':
                        case
'apos':
                        case
'amp': break;
                        default:
$output .= "<!ENTITY {$name} \"&{$name};\">\n";
                }
        }
       
$output .= "]>\n";
        return(
$output);
}

// ref: http://php.net/manual/en/function.get-html-translation-table.php#76564
function get_html_translation_table_CP1252($type) {
       
$trans = get_html_translation_table($type);
       
$trans[chr(130)] = '&sbquo;';    // Single Low-9 Quotation Mark
       
$trans[chr(131)] = '&fnof;';    // Latin Small Letter F With Hook
       
$trans[chr(132)] = '&bdquo;';    // Double Low-9 Quotation Mark
       
$trans[chr(133)] = '&hellip;';    // Horizontal Ellipsis
       
$trans[chr(134)] = '&dagger;';    // Dagger
       
$trans[chr(135)] = '&Dagger;';    // Double Dagger
       
$trans[chr(136)] = '&circ;';    // Modifier Letter Circumflex Accent
       
$trans[chr(137)] = '&permil;';    // Per Mille Sign
       
$trans[chr(138)] = '&Scaron;';    // Latin Capital Letter S With Caron
       
$trans[chr(139)] = '&lsaquo;';    // Single Left-Pointing Angle Quotation Mark
       
$trans[chr(140)] = '&OElig;';    // Latin Capital Ligature OE
       
$trans[chr(145)] = '&lsquo;';    // Left Single Quotation Mark
       
$trans[chr(146)] = '&rsquo;';    // Right Single Quotation Mark
       
$trans[chr(147)] = '&ldquo;';    // Left Double Quotation Mark
       
$trans[chr(148)] = '&rdquo;';    // Right Double Quotation Mark
       
$trans[chr(149)] = '&bull;';    // Bullet
       
$trans[chr(150)] = '&ndash;';    // En Dash
       
$trans[chr(151)] = '&mdash;';    // Em Dash
       
$trans[chr(152)] = '&tilde;';    // Small Tilde
       
$trans[chr(153)] = '&trade;';    // Trade Mark Sign
       
$trans[chr(154)] = '&scaron;';    // Latin Small Letter S With Caron
       
$trans[chr(155)] = '&rsaquo;';    // Single Right-Pointing Angle Quotation Mark
       
$trans[chr(156)] = '&oelig;';    // Latin Small Ligature OE
       
$trans[chr(159)] = '&Yuml;';    // Latin Capital Letter Y With Diaeresis
       
$trans['euro'] = '&euro;';    // euro currency symbol
       
ksort($trans);
        return
$trans;
}

?>

[EDIT BY danbrown AT php DOT net: The user's original note contained the following text:

"So here's something fun: if you create an XML document in PHP and use htmlentities() to encode text data, then later want to read and parse the same document with PHP's xml_parse(), unless you include entity declarations into the generated document, the parser will stop on the unknown entities.

To account for this, I created a small function to take the translation table and turn it into XML <!ENTITY> definitions. I insert this output into the XML document immediately after the <?xml?> line and the parse errors magically vanish"
]
up
4
steve at mcdragonsoftware dot com
3 years ago
I'm glad 5.4 has xml support, but many of us are working with older installations, some of us still have to use PHP4. If you're like me you've been frustrated with trying to use htmlentites/htmlspecial chars with xml output. I was hoping to find an option to force numeric encoding, lacking that, I have written my own xmlencode function, which I now offer:

usage:

$string xmlencode( $string )

it will use htmlspecialchars for the valid xml entities amp, quote, lt, gt, (apos) and return the numeric entity for all other non alpha-numeric characters.

-------------------------------------------

<?php
if( !function_exists( 'xmlentities' ) ) {
    function
xmlentities( $string ) {
       
$not_in_list = "A-Z0-9a-z\s_-";
        return
preg_replace_callback( "/[^{$not_in_list}]/" , 'get_xml_entity_at_index_0' , $string );
    }
    function
get_xml_entity_at_index_0( $CHAR ) {
        if( !
is_string( $CHAR[0] ) || ( strlen( $CHAR[0] ) > 1 ) ) {
            die(
"function: 'get_xml_entity_at_index_0' requires data type: 'char' (single character). '{$CHAR[0]}' does not match this type." );
        }
        switch(
$CHAR[0] ) {
            case
"'":    case '"':    case '&':    case '<':    case '>':
                return
htmlspecialchars( $CHAR[0], ENT_QUOTES );    break;
            default:
                return
numeric_entity_4_char($CHAR[0]);                break;
        }       
    }
    function
numeric_entity_4_char( $char ) {
        return
"&#".str_pad(ord($char), 3, '0', STR_PAD_LEFT).";";
    }   
}
?>
up
4
za at byza dot it
6 years ago
Trouble when using files with different charset?

htmlentities and html_entity_decode can be used to translate between charset!

Sample function:

<?php
function utf2latin($text) {
  
$text=htmlentities($text,ENT_COMPAT,'UTF-8');
   return
html_entity_decode($text,ENT_COMPAT,'ISO-8859-1');
}
?>
up
6
wd at NOSPAMwd dot it
3 years ago
Hi there,

after several and several tests, I figured out that dot:

- htmlentities() function remove characters like "à","è",etc when you specify a flag and a charset

- htmlentities() function DOES NOT remove characters like those above when you DO NOT specify anything

So, let's assume that..

<?php

$str
= "Hèèèllooo";

$res_1 = htmlentities($str, ENT_QUOTES, "UTF-8");
$res_2 = htmlentities($str);

echo
var_dump($res_1); // Result: string '' (length=0)
echo var_dump($res_2); // string 'H&egrave;&egrave;&egrave;llooo' (length=30)

?>

I used this for a textarea content for comments. Anyway, note that using the "$res_2" form the function will leave unconverted single/double quotes. At this point you should use str_replace() function to perform the characters but be careful because..

<?php

$str
= "'Hèèèllooo'";

$res_2 = str_replace("'","&#039;",$str);
$res_2 = htmlentities($str);
echo
var_dump($res_2); // string '&amp;#039;H&egrave;&egrave;&egrave;llooo&amp;#039;'

$res_3 = htmlentities($str);
$res_3 = str_replace("'","&#039;",$res_3);
echo
var_dump($res_3); // string '&#039;H&egrave;&egrave;&egrave;llooo&#039;' --> Nice
?>

Hope it will helps you.

Regards,
W.D.
up
5
h_guillaume at hotmail dot com
4 years ago
I use this function to encode all the xml entities and also all the &something; that are not defined in xml like &trade;
You can also decode what you encode with my decode function.
My function works a little like the htmlentities.
You can also add other string to the array if you want to exclude them from the encoding.

<?php
function xml_entity_decode($text, $charset = 'Windows-1252'){
   
// Double decode, so if the value was &amp;trade; it will become Trademark
   
$text = html_entity_decode($text, ENT_COMPAT, $charset);
   
$text = html_entity_decode($text, ENT_COMPAT, $charset);
    return
$text;
}

function
xml_entities($text, $charset = 'Windows-1252'){
    
// Debug and Test
    // $text = "test &amp; &trade; &amp;trade; abc &reg; &amp;reg; &#45;";
   
    // First we encode html characters that are also invalid in xml
   
$text = htmlentities($text, ENT_COMPAT, $charset, false);
   
   
// XML character entity array from Wiki
    // Note: &apos; is useless in UTF-8 or in UTF-16
   
$arr_xml_special_char = array("&quot;","&amp;","&apos;","&lt;","&gt;");
   
   
// Building the regex string to exclude all strings with xml special char
   
$arr_xml_special_char_regex = "(?";
    foreach(
$arr_xml_special_char as $key => $value){
       
$arr_xml_special_char_regex .= "(?!$value)";
    }
   
$arr_xml_special_char_regex .= ")";
   
   
// Scan the array for &something_not_xml; syntax
   
$pattern = "/$arr_xml_special_char_regex&([a-zA-Z0-9]+;)/";
   
   
// Replace the &something_not_xml; with &amp;something_not_xml;
   
$replacement = '&amp;${1}';
    return
preg_replace($pattern, $replacement, $text);
}
?>
up
3
robin at robinwinslow dot co dot uk
3 years ago
htmlentities seems to have changed at some point between version 5.1.6 and 5.3.3, such that it now returns an empty string for anything containing a pound sign:

$ php -v
PHP 5.1.6 (cli) (built: May 22 2008 09:08:44)
$ php -r "echo htmlentities('£hello', null, 'utf-8');"
&pound;hello
$

$ php -v
PHP 5.3.3 (cli) (built: Aug 19 2010 12:07:49)
$ php -r "echo htmlentities('£hello', null, 'utf-8');"
$

(Returns an empty string the second time)

Just a heads up.
up
4
edo at edwaa dot com
9 years ago
A version of the xml entities function below. This one replaces the "prime" character (′) with which I had difficulties.

<?php
// XML Entity Mandatory Escape Characters
function xmlentities($string) {
   return
str_replace ( array ( '&', '"', "'", '<', '>', '�' ), array ( '&amp;' , '&quot;', '&apos;' , '&lt;' , '&gt;', '&apos;' ), $string );
}
?>
up
2
D. Gasser
7 years ago
When using UTF-8 as charset, you'll have to set UTF-8 in braces, otherwise the varaible is not recognized.
up
1
sirarthur at sirarthur dot info
5 years ago
When happens that you want to encode special characters but not the HTML tags using this function you've two options:

a) Build your own function and go replace by character; eg.

<?php
 
for($i = 0; $i < strlen($string); $i++){
     switch(
substr($string,$i,1)){
       
//..... A VERY HUGE switch here with all characters to encode.
   
}
}
?>

b) use this function and simple restore the html tags afterwards. Which gives you a 6 line function as follow:

<?php
 
function keephtml($string){
         
$res = htmlentities($string);
         
$res = str_replace("&lt;","<",$res);
         
$res = str_replace("&gt;",">",$res);
         
$res = str_replace("&quot;",'"',$res);
         
$res = str_replace("&amp;",'&',$res);
          return
$res;
}
?>
up
1
snevi at im dot com dot ve
6 years ago
correction to my previous post and improvement of the function: (the post was changed by the html parser and the characters displays as they should not)

<?php
   
function XMLEntities($string)
    {
       
$string = preg_replace('/[^\x09\x0A\x0D\x20-\x7F]/e', '_privateXMLEntities("$0")', $string);
        return
$string;
    }

    function
_privateXMLEntities($num)
    {
   
$chars = array(
       
128 => '&#8364;',
       
130 => '&#8218;',
       
131 => '&#402;',
       
132 => '&#8222;',
       
133 => '&#8230;',
       
134 => '&#8224;',
       
135 => '&#8225;',
       
136 => '&#710;',
       
137 => '&#8240;',
       
138 => '&#352;',
       
139 => '&#8249;',
       
140 => '&#338;',
       
142 => '&#381;',
       
145 => '&#8216;',
       
146 => '&#8217;',
       
147 => '&#8220;',
       
148 => '&#8221;',
       
149 => '&#8226;',
       
150 => '&#8211;',
       
151 => '&#8212;',
       
152 => '&#732;',
       
153 => '&#8482;',
       
154 => '&#353;',
       
155 => '&#8250;',
       
156 => '&#339;',
       
158 => '&#382;',
       
159 => '&#376;');
       
$num = ord($num);
        return ((
$num > 127 && $num < 160) ? $chars[$num] : "&#".$num.";" );
    }
?>

in the previous post, to correct the HEX values that are not rendered, the program use a for each cicle, but that introduces a mayor complexity in execution time, so, we use the ability to call functions in the preg_replace second parameter, and ceate another funcion that evaluates the ord of the character given, and if it is between 127 and 160 it returns the modified HEX value to be understood by the browser and not brake the XML
(this work with dynamic XML generated form php with dynamic data from any source)

p.d: the '&'(&) should appear in this post as a single ampersand character and not as the html entity
up
1
marktpitman at gmail dot com
7 years ago
I just thought I would add that if you're using the default charset, htmlentities will not correctly return the trademark ( ™ ) sign.

Instead it will return something like this: �

If you need the trademark symbol, use:

<?php htmlentities( $html, ENT_QUOTES, "UTF-8" ); ?>
up
1
daviscabral[arroba]gmail[ponto]com
8 years ago
unhtmlentities for all entities:

<?php

function unhtmlentities ($string) {
  
$trans_tbl1 = get_html_translation_table (HTML_ENTITIES);
   foreach (
$trans_tbl1 as $ascii => $htmlentitie ) {
       
$trans_tbl2[$ascii] = '&#'.ord($ascii).';';
   }
  
$trans_tbl1 = array_flip ($trans_tbl1);
  
$trans_tbl2 = array_flip ($trans_tbl2);
   return
strtr (strtr ($string, $trans_tbl1), $trans_tbl2);
}

?>
up
3
Tom Walter
6 years ago
Note that as of 5.2.5 it appears that if the input string contains a character that is not valid for the output encoding you've specified, then this function returns null.

You might expect it to just strip the invalid char, but it doesn't.

You can strip the chars yourself like so:

iconv('utf-8','utf-8',$str);

You can combine that with htmlentities also:

$str = htmlentities(iconv('UTF-8', 'UTF-8//IGNORE', $str, ENT_QUOTES, 'UTF-8');

Should give you a string with htmlentities encoded to utf-8, and any unsupported chars stripped.
up
3
jake_mcmahon at hotmail dot com
10 years ago
This fuction is particularly useful against XSS (cross-site-scripting-). XSS makes use of holes in code, whether it be in Javascript or PHP. XSS often, if not always, uses HTML entities to do its evil deeds, so this function in co-operation with your scripts (particularly search or submitting scripts) is a very useful tool in combatting "H4X0rz".
up
2
gunter [dot] sammet [at] gmail [dot] com
5 years ago
Had a heck of a time to get my rss entities right. using htmlentities didn't work and using html_entity_decode didn't work either. Ended up writing a custom function to encode and decode. It might still need some work but I thought to share it because I couldn't find anything on the net. Always open for suggestions to improve it! Here it is:

<?php
  $entity_custom_from
= false;
 
$entity_custom_to = false;
  function
html_entity_decode_encode_rss($data) {
    global
$entity_custom_from, $entity_custom_to;
    if(!
is_array($entity_custom_from) || !is_array($entity_custom_to)){
     
$array_position = 0;
      foreach (
get_html_translation_table(HTML_ENTITIES) as $key => $value) {
       
//print("<br />key: $key, value: $value <br />\n");
       
switch ($value) {
         
// These ones we can skip
         
case '&nbsp;':
            break;
          case
'&gt;':
          case
'&lt;':
          case
'&quot;':
          case
'&apos;':
          case
'&amp;':
           
$entity_custom_from[$array_position] = $key;
           
$entity_custom_to[$array_position] = $value;
           
$array_position++;
            break;
          default:
           
$entity_custom_from[$array_position] = $value;
           
$entity_custom_to[$array_position] = $key;
           
$array_position++;
        }
      }
    }
    return
str_replace($entity_custom_from, $entity_custom_to, $data);
  }
?>
up
1
Kenneth Kin Lum
6 years ago
use htmlspecialchars() if you are passing in a usual ASCII string.  It is faster than htmlentities().

For example, if you are just doing

htmlentities('<div style="background: #fff"></div>');

then you can just use htmlspecialchars().  htmlentities() will look for all possible ways to convert string into html entities, such as &copy; or &eacute; (which is e with an acute accent on top).

Note that ASCII is just 7 bit, which is 0x00 to 0x7F.  htmlspecialchars() will handle characters inside this range already.  htmlentities() is for the 8-bit Latin-1 (ISO-8859-1) to handle European characters, or for UTF-8 when the 3rd argument is "UTF-8" to handle UTF-8 characters, or other types of encodings using different values for the 3rd argument passed into htmlentities().
up
1
info at pirandot dot de
8 years ago
The data returned by a text input field is ready to be used in a data base query when enclosed in single quotes, e.g.
<?php
   mysql_query
("SELECT * FROM Article WHERE id = '$data'");
?>
But you will get problems when writing back this data into the input field's value,
<?php
  
echo "<input name='data' type='text' value='$data'>";
?>
because hmtl codes would be interpreted and escape sequences would cause strange output.

The following function may help:
<?php
function deescape ($s, $charset='UTF-8')
{
  
//  don't interpret html codes and don't convert quotes
  
$s  htmlentities ($s, ENT_NOQUOTES, $charset);

  
//  delete the inserted backslashes except those for protecting single quotes
  
$s  preg_replace ("/\\\\([^'])/e", '"&#" . ord("$1") . ";"', $s);

  
//  delete the backslashes inserted for protecting single quotes
  
$s  str_replace ("\\'", "&#" . ord ("'") . ";", $s);

   return 
$s;
}
?>
Try some input like:  a'b"c\d\'e\"f\\g&x#27;h  to test ...
up
1
php dot net at softmoon-webware dot com
4 years ago
<?php
$HTML_ENTS
=array("quot", "amp", "apos", "lt", "gt", "nbsp", "iexcl", "cent",
"pound","curren", "yen", "brvbar", "sect", "uml", "copy", "ordf", "laquo",
"not", "shy", "reg", "macr", "deg", "plusmn", "sup2", "sup3", "acute",
"micro", "para", "middot", "cedil", "sup1", "ordm", "raquo", "frac14",
"frac12", "frac34", "iquest", "Agrave", "Aacute", "Acirc", "Atilde", "Auml",
"Aring", "AElig", "Ccedil", "Egrave", "Eacute", "Ecirc", "Euml", "Igrave",
"Iacute", "Icirc", "Iuml", "ETH", "Ntilde", "Ograve", "Oacute", "Ocirc",
"Otilde", "Ouml", "times", "Oslash", "Ugrave", "Uacute", "Ucirc", "Uuml",
"Yacute", "THORN", "szlig", "agrave", "aacute", "acirc", "atilde", "auml",
"aring", "aelig", "ccedil", "egrave", "eacute", "ecirc", "euml", "igrave",
"iacute", "icirc", "iuml", "eth", "ntilde", "ograve", "oacute", "ocirc",
"otilde", "ouml", "divide", "oslash", "ugrave", "uacute", "ucirc", "uuml",
"yacute", "thorn", "yuml", "OElig", "oelig", "Scaron", "scaron", "Yuml",
"fnof", "circ", "tilde", "Alpha", "Beta", "Gamma", "Delta", "Epsilon",
"Zeta", "Eta", "Theta", "Iota", "Kappa", "Lambda", "Mu", "Nu", "Xi",
"Omicron", "Pi", "Rho", "Sigma", "Tau", "Upsilon", "Phi", "Chi", "Psi",
"Omega", "alpha", "beta", "gamma", "delta", "epsilon", "zeta", "eta",
"theta", "iota", "kappa", "lambda", "mu", "nu", "xi", "omicron", "pi",
"rho", "sigmaf", "sigma", "tau", "upsilon", "phi", "chi", "psi", "omega",
"thetasym", "upsih", "piv", "ensp", "emsp", "thinsp", "zwnj", "zwj", "lrm",
"rlm", "ndash", "mdash", "lsquo", "rsquo", "sbquo", "ldquo", "rdquo",
"bdquo", "dagger", "Dagger", "bull", "hellip", "permil", "prime", "Prime",
"lsaquo", "rsaquo", "oline", "frasl", "euro", "image", "weierp", "real",
"trade", "alefsym", "larr", "uarr", "rarr", "darr", "harr", "crarr", "lArr",
"uArr", "rArr", "dArr", "hArr", "forall", "part", "exist", "empty", "nabla",
"isin", "notin", "ni", "prod", "sum", "minus", "lowast", "radic", "prop",
"infin", "ang", "and", "or", "cap", "cup", "int", "there4", "sim", "cong",
"asymp", "ne", "equiv", "le", "ge", "sub", "sup", "nsub", "sube", "supe",
"oplus", "otimes", "perp", "sdot", "lceil", "rceil", "lfloor",
"rfloor", "lang", "rang", "loz", "spades", "clubs", "hearts", "diams");

// The selection of tags below is optimized for use with a webmaster's database,
// --NOT-- to process user POSTs from the World Wide Web
//  for inclusion on a public page.

//  NOT included:
//   form,  input,  select,  option,  label,  optgroup,  textarea,  area,  map,
//   html,  head,  style,  link,  meta,  base,  body,  isindex,
//   frame,  frameset,  noframes
//  (include those above at your wish,  remove those below at your wish)
$HTML_TAGS=array("a", "abbr", "acronym", "address", "applet", "b", "basefont",
"bdo", "big", "blockquote", "br", "button", "caption", "center", "cite",
"code", "col", "colgroup", "dd", "del", "dfn", "dir", "div", "dl", "dt", "em",
"embed", "fieldset", "font", "h1", "h2", "h3", "h4", "h5", "h6", "hr", "i",
"iframe", "img", "ins", "kbd", "legend", "li", "menu", "noembed", "noscript",
"object", "ol", "p", "param", "pre", "q", "s", "samp", "script", "small",
"span", "strike", "strong", "sub", "sup", "table", "tbody", "td", "tfoot",
"th", "thead", "title", "tr", "tt", "u", "ul", "var");

$Xchars = array(
128 => '&#8364;',
130 => '&#8218;',
131 => '&#402;',
132 => '&#8222;',
133 => '&#8230;',
134 => '&#8224;',
135 => '&#8225;',
136 => '&#710;',
137 => '&#8240;',
138 => '&#352;',
139 => '&#8249;',
140 => '&#338;',
142 => '&#381;',
145 => '&#8216;',
146 => '&#8217;',
147 => '&#8220;',
148 => '&#8221;',
149 => '&#8226;',
150 => '&#8211;',
151 => '&#8212;',
152 => '&#732;',
153 => '&#8482;',
154 => '&#353;',
155 => '&#8250;',
156 => '&#339;',
158 => '&#382;',
159 => '&#376;');
?>
up
2
phil at lavin dot me dot uk
4 years ago
The following will make a string completely safe for XML:

<?php
function philsXMLClean($strin) {
       
$strout = null;

        for (
$i = 0; $i < strlen($strin); $i++) {
               
$ord = ord($strin[$i]);

                if ((
$ord > 0 && $ord < 32) || ($ord >= 127)) {
                       
$strout .= "&amp;#{$ord};";
                }
                else {
                        switch (
$strin[$i]) {
                                case
'<':
                                       
$strout .= '&lt;';
                                        break;
                                case
'>':
                                       
$strout .= '&gt;';
                                        break;
                                case
'&':
                                       
$strout .= '&amp;';
                                        break;
                                case
'"':
                                       
$strout .= '&quot;';
                                        break;
                                default:
                                       
$strout .= $strin[$i];
                        }
                }
        }

        return
$strout;
}
?>
up
1
rq
1 year ago
For use of html  tags, ampersands, etc. in xml document

(f.e.

<xml>

<xmltag1><span class="data1"> data 1</span> & data2</xmltag1>

</xml>

)

one can use the CDATA brackets:

<xmltag1><![CDATA[<span class="data1"> data 1</span> & data2]]></xmltag1>

-rq
up
2
brianhamner at yahoo dot com
5 years ago
If you want something simple that actually works, try this. Strips MS word and other entities and returns a clear data string:

<?php
//call this function

function DoHTMLEntities ($string) {
   
$trans_tbl[chr(145)] = '&#8216;';
   
$trans_tbl[chr(146)] = '&#8217;';
   
$trans_tbl[chr(147)] = '&#8220;';
   
$trans_tbl[chr(148)] = '&#8221;';
   
$trans_tbl[chr(142)] = '&eacute;';
   
$trans_tbl[chr(150)] = '&#8211;';
   
$trans_tbl[chr(151)] = '&#8212;';
    return
strtr ($string, $trans_tbl);
}

//insert your string variable here

       
$foo = str_replace("\r\n\r\n","",htmlentities($your_string));
       
$foo2 = str_replace("\r\n"," ",$foo);
       
$foo3 = str_replace(" & ","&amp;",$foo2);
        echo
DoHTMLEntities ($foo3);
?>
up
0
Wired
4 years ago
I needed a simple little function to take a string and convert extended ascii characters into html entities. I couldn't find a function for this so I whipped one up.

<?php
/* Convert Extended ASCII Characters to HTML Entities */
function ascii2entities($string){
    for(
$i=128;$i<=255;$i++){
       
$entity = htmlentities(chr($i), ENT_QUOTES, 'cp1252');
       
$temp = substr($entity, 0, 1);
       
$temp .= substr($entity, -1, 1);
        if (
$temp != '&;'){
           
$string = str_replace(chr($i), '', $string);
        }
        else{
           
$string = str_replace(chr($i), $entity, $string);
        }
    }
    return
$string;
}

echo
ascii2entities("•");
?>
up
0
montana
5 years ago
under what circumstances would someone want a ntilde [ñ] to be converted into "ñ" as htmlentities does?
the correct method of translation should return the accurate NCR for the multibyte unicode sequence
which in this case is &#241;

<?php

   
//simple task: convert everything from utf-8 into an NCR[numeric character reference]
   
class unicode_replace_entities {
        public function
UTF8entities($content="") {
           
$contents = $this->unicode_string_to_array($content);
           
$swap = "";
           
$iCount = count($contents);
            for (
$o=0;$o<$iCount;$o++) {
               
$contents[$o] = $this->unicode_entity_replace($contents[$o]);
               
$swap .= $contents[$o];
            }
            return
mb_convert_encoding($swap,"UTF-8"); //not really necessary, but why not.
       
}

        public function
unicode_string_to_array( $string ) { //adjwilli
           
$strlen = mb_strlen($string);
            while (
$strlen) {
               
$array[] = mb_substr( $string, 0, 1, "UTF-8" );
               
$string = mb_substr( $string, 1, $strlen, "UTF-8" );
               
$strlen = mb_strlen( $string );
            }
            return
$array;
        }

        public function
unicode_entity_replace($c) { //m. perez
           
$h = ord($c{0});   
            if (
$h <= 0x7F) {
                return
$c;
            } else if (
$h < 0xC2) {
                return
$c;
            }
           
            if (
$h <= 0xDF) {
               
$h = ($h & 0x1F) << 6 | (ord($c{1}) & 0x3F);
               
$h = "&#" . $h . ";";
                return
$h;
            } else if (
$h <= 0xEF) {
               
$h = ($h & 0x0F) << 12 | (ord($c{1}) & 0x3F) << 6 | (ord($c{2}) & 0x3F);
               
$h = "&#" . $h . ";";
                return
$h;
            } else if (
$h <= 0xF4) {
               
$h = ($h & 0x0F) << 18 | (ord($c{1}) & 0x3F) << 12 | (ord($c{2}) & 0x3F) << 6 | (ord($c{3}) & 0x3F);
               
$h = "&#" . $h . ";";
                return
$h;
            }
        }
    }
//
   
    //utf-8 environment   
   
$content = "<strong>baño baño baño</strong>日本語 = nihongo da ze.<br />";

   
$oUnicodeReplace = new unicode_replace_entities();
   
$content = $oUnicodeReplace->UTF8entities($content);
    echo
"<br />Result:<br />";
    echo
$content;
   
$source = htmlentities($content);
    echo
"<br />htmlentities of resulting data:<br />";
    echo
$source;

    echo
"<br /><br />Note: Entities get replaced with 'literals' in textarea FF3<br /><br />";
    echo
"<textarea style='width:300px;height:150px;'>";
    echo
$content;
    echo
"</textarea>";
   
    echo
"<br /><br />For editing NCR's rather than 'literals' in a textarea<br /><br />";
    echo
"<textarea style='width:300px;height:150px;'>";
    echo
preg_replace("/(&#)+/","&amp;#",$content); 
    echo
"</textarea>";

?>
up
1
info at bleed dot ws
9 years ago
here the centralized version of htmlentities() for multibyte.

<?php
function mb_htmlentities($string)
{
   
$string = htmlentities($string, ENT_COMPAT, mb_internal_encoding());
    return
$string;
}

?>
up
0
Bassie (:
11 years ago
Note that you'll have use htmlentities() before any other function who'll edit text like nl2br().

If you use nl2br() first, the htmlentities() function will change < br > to &lt;br&gt;.
up
-1
drallen at cs dot uwaterloo dot ca
4 years ago
A pointer to http://www.php.net/manual/en/function.mb-convert-encoding.php if your intention is to translate *all* characters in a charset to their corresponding HTML entities, not just named characters. Non-named characters will be replaced with HTML numeric encoding. eg:

$text = mb_convert_encoding($text, 'HTML-ENTITIES', "UTF-8");
up
-2
galert420 at gmail dot com
4 years ago
Croatian entites

<?php
$ent
= array(
   
'Ć'=>'&#262;',
   
'ć'=>'&#263;',
   
'Č'=>'&#268;',
   
'č'=>'&#269;',
   
'Đ'=>'&#272',
   
'đ'=>'&#273',
   
'Š'=>'&#352',
   
'š'=>'&#353',
   
'Ž'=>'&#381',
   
'ž'=>'&#382'
);

echo
strtr('ĆćČčĐ𩹮ž', $ent);
?>
up
-2
mzvarik at gmail dot com
5 years ago
CZECH entities:

<?php
$ent
= array(
   
'ě' => '&#283;',
   
'Ě' => '&#282;',
   
'š' => '&#353;',
   
'Š' => '&#352;',
   
'č' => '&#269;',
   
'Č' => '&#268;',
   
'ř' => '&#345;',
   
'Ř' => '&#344;',
   
'ž' => '&#382;',
   
'Ž' => '&#381;',
   
'ý' => '&#253;',
   
'Ý' => '&#221;',
   
'á' => '&#225;',
   
'Á' => '&#193;',
   
'í' => '&#237;',
   
'Í' => '&#205;',
   
'é' => '&#233;',
   
'É' => '&#201;',
   
'ú' => '&#250;',
   
'ů' => '&#367;',
   
'Ů' => '&#366;',
   
'ď' => '&#271;',
   
'Ď' => '&#270;',
   
'ť' => '&#357;',
   
'Ť' => '&#356;',
   
'ň' => '&#328;',
   
'Ň' => '&#327;'
);

echo
strtr('ěščřžýáíéúůďťňĚŠČŘŽÝÁÍÉÚŮĎŤŇ', $ent);
?>
up
-4
kindrosker at gmail dot com
3 years ago
All Codes list

array('À'=>'&Agrave;', 'à'=>'&agrave;', 'Á'=>'&Aacute;', 'á'=>'&aacute;', 'Â'=>'&Acirc;', 'â'=>'&acirc;', 'Ã'=>'&Atilde;', 'ã'=>'&atilde;', 'Ä'=>'&Auml;', 'ä'=>'&auml;', 'Å'=>'&Aring;', 'å'=>'&aring;', 'Æ'=>'&AElig;', 'æ'=>'&aelig;', 'Ç'=>'&Ccedil;', 'ç'=>'&ccedil;', 'Ð'=>'&ETH;', 'ð'=>'&eth;', 'È'=>'&Egrave;', 'è'=>'&egrave;', 'É'=>'&Eacute;', 'é'=>'&eacute;', 'Ê'=>'&Ecirc;', 'ê'=>'&ecirc;', 'Ë'=>'&Euml;', 'ë'=>'&euml;', 'Ì'=>'&Igrave;', 'ì'=>'&igrave;', 'Í'=>'&Iacute;', 'í'=>'&iacute;', 'Î'=>'&Icirc;', 'î'=>'&icirc;', 'Ï'=>'&Iuml;', 'ï'=>'&iuml;', 'Ñ'=>'&Ntilde;', 'ñ'=>'&ntilde;', 'Ò'=>'&Ograve;', 'ò'=>'&ograve;', 'Ó'=>'&Oacute;', 'ó'=>'&oacute;', 'Ô'=>'&Ocirc;', 'ô'=>'&ocirc;', 'Õ'=>'&Otilde;', 'õ'=>'&otilde;', 'Ö'=>'&Ouml;', 'ö'=>'&ouml;', 'Ø'=>'&Oslash;', 'ø'=>'&oslash;', 'Œ'=>'&OElig;', 'œ'=>'&oelig;', 'ß'=>'&szlig;', 'Þ'=>'&THORN;', 'þ'=>'&thorn;', 'Ù'=>'&Ugrave;', 'ù'=>'&ugrave;', 'Ú'=>'&Uacute;', 'ú'=>'&uacute;', 'Û'=>'&Ucirc;', 'û'=>'&ucirc;', 'Ü'=>'&Uuml;', 'ü'=>'&uuml;', 'Ý'=>'&Yacute;', 'ý'=>'&yacute;', 'Ÿ'=>'&Yuml;', 'ÿ'=>'&yuml;');
up
-3
anonymous
8 years ago
This function will encode anything that is non Standard ASCII (that is, that is above #127 in the ascii table)

<?php
// allhtmlentities : mainly based on "chars_encode()"  by Tim Burgan <timburgan@gmail.com> [http://www.php.net/htmlentities]
function allhtmlentities($string) {
    if (
strlen($string) == 0 )
        return
$string;
   
$result = '';
   
$string = htmlentities($string, HTML_ENTITIES);
   
$string = preg_split("//", $string, -1, PREG_SPLIT_NO_EMPTY);
   
$ord = 0;
    for (
$i = 0; $i < count($string); $i++ ) {
       
$ord = ord($string[$i]);
        if (
$ord > 127 ) {
           
$string[$i] = '&#' . $ord . ';';
        }
    }
    return
implode('',$string);
}
?>
up
-3
wwb at 3dwargamer dot net
10 years ago
htmlentites is a very handy function, but it fails to fix one thing which I deal with alot: word 'smart' quotes and emdashes.

The below function replaces the funky double quotes with &quot;, funky single quotes with standard single quotes and fixes emdashes.

<?php
   
function CleanupSmartQuotes($text)
    {
       
$badwordchars=array(
                           
chr(145),
                           
chr(146),
                           
chr(147),
                           
chr(148),
                           
chr(151)
                            );
       
$fixedwordchars=array(
                           
"'",
                           
"'",
                           
'&quot;',
                           
'&quot;',
                           
'&mdash;'
                           
);
        return
str_replace($badwordchars,$fixedwordchars,$text);
    }
?>
To Top