What is the difference between htmlspecialchars() and htmlentities()?

12

I once had to use htmlentities() to solve a certain encoding situation (accented words were not being shown with their characters) and saw that there is also htmlspecialchars().

On php.net, I saw the following definitions:

htmlentities -> Converts all applicable characters to HTML entities

htmlspecialchars -> Converts special characters to HTML entities

Which gave me the impression that there is no difference between the two. But I believe I may be mistaken, because the way one function uses its parameters may differ from the other.

Are they the same thing? If they are not, in which case should each one be used?

  • See the related question in English: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars

  • What would be an HTML entity? Just an HTML tag?

  • I also didn't quite understand the definition :(

  • @Dichrist did you even read my reply?

  • I just read it. In that case, it answers my question more satisfactorily.

2 answers

13


It's not just about <, > and &; htmlentities is much more than that.

htmlspecialchars

Description

string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )

It converts the characters that affect HTML into entities, with the following conversions:

  • & becomes &amp;
  • < becomes &lt;
  • > becomes &gt;
  • " becomes &quot; (except when ENT_NOQUOTES is set in $flags)
  • ' becomes &#039; when $flags has ENT_HTML401, or &apos; when it has ENT_XML1, ENT_XHTML or ENT_HTML5, but only when ENT_QUOTES is set in $flags

htmlentities

Description

string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )

By default the behavior is identical to htmlspecialchars for &, >, <, " and ' specifically, that is, it does not change at all (for this reason I disagree with the other reply). Where htmlentities differs is that, in addition to the characters cited, it converts every character that has a representation as an HTML entity; a list of those characters follows (probably complete):

A simple example of the difference is accents:

<?php

echo htmlspecialchars('<foo><bar>Olá Mundo!</bar></foo>'), "\n";

echo htmlentities('<foo><bar>Olá Mundo!</bar></foo>'), "\n";

The result will be this:

 &lt;foo&gt;&lt;bar&gt;Olá Mundo!&lt;/bar&gt;&lt;/foo&gt;
 &lt;foo&gt;&lt;bar&gt;Ol&aacute; Mundo!&lt;/bar&gt;&lt;/foo&gt;

Example in IDEONE

Note also that the behavior of both functions can be adjusted with flags:

  • ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES, ENT_SUBSTITUTE, ENT_DISALLOWED, ENT_HTML401, ENT_XML1, ENT_XHTML and ENT_HTML5

In other words, this reinforces that what differs between the two functions is not the characters < > & quoted in the other reply:

They do the same thing except for a few characters " < > & "

Behaviours

Other behaviors may vary according to the $flags I have already mentioned, and can also change with the use of $encoding and $double_encode; however, these are specific settings to be used as needed.
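As an added example (not code from either answer above), the script below runs both functions on the same input under different $flags, $double_encode and $encoding settings, so the reader can see where the outputs agree and where they differ. The escapeBoth and show helpers are mine, and the inputs are constructed samples; flags and encoding are passed explicitly because PHP 8.1 changed the default flags to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, while the signatures quoted above show the older default of ENT_COMPAT | ENT_HTML401.

```php
<?php
// Added example, not code from either answer: calls both functions with
// explicit $flags and $encoding so the output does not depend on the PHP
// version (PHP 8.1 changed the default flags to
// ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401; earlier releases used
// ENT_COMPAT | ENT_HTML401).
declare(strict_types=1);

// Run one input through both functions with identical settings (helper
// written for this example).
function escapeBoth(string $input, int $flags, bool $doubleEncode = true): array
{
    return [
        'htmlspecialchars' => htmlspecialchars($input, $flags, 'UTF-8', $doubleEncode),
        'htmlentities'     => htmlentities($input, $flags, 'UTF-8', $doubleEncode),
    ];
}

// Print the two results side by side, marking an empty result explicitly
// because an empty string is easy to overlook in a template.
function show(string $title, array $results): void
{
    echo "== $title ==\n";
    foreach ($results as $fn => $out) {
        printf("%-17s %s\n", "$fn:", $out === '' ? '(empty string)' : $out);
    }
}

// Constructed sample: a value that tries to break out of a single-quoted
// attribute, plus an ampersand and an accented character.
$payload = "x' onmouseover='alert(1)&cat=3 Olá";

// 1. & < > " are encoded by BOTH functions under every flag set. The single
//    quote is encoded by both only with ENT_QUOTES; under ENT_COMPAT a value
//    inside a single-quoted attribute still breaks out, whichever function
//    is used. The accented character is the only place the outputs differ.
show('ENT_COMPAT', escapeBoth($payload, ENT_COMPAT | ENT_HTML401));
show('ENT_QUOTES', escapeBoth($payload, ENT_QUOTES | ENT_HTML401));

// 2. $double_encode: with true (the default) an entity already present is
//    encoded again (its & becomes &amp;); with false it passes through
//    untouched. Use false only when the input is known to be escaped
//    already, because it also lets an attacker-supplied entity through.
show('double_encode=true',  escapeBoth('&amp; &lt;b&gt;', ENT_QUOTES | ENT_HTML401, true));
show('double_encode=false', escapeBoth('&amp; &lt;b&gt;', ENT_QUOTES | ENT_HTML401, false));

// 3. $encoding and ENT_SUBSTITUTE: input that is not valid in the declared
//    encoding makes both functions return an empty string unless
//    ENT_SUBSTITUTE (replace the bad sequence with U+FFFD) or ENT_IGNORE
//    (drop it silently) is set. Prefer ENT_SUBSTITUTE so nothing vanishes.
$bad = "abc\xFFdef";
show('invalid UTF-8, no ENT_SUBSTITUTE', escapeBoth($bad, ENT_QUOTES | ENT_HTML401));
show('invalid UTF-8, ENT_SUBSTITUTE',    escapeBoth($bad, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401));

// 4. Neither function touches spaces or '=', so escaping does not rescue an
//    unquoted attribute: placed in <a href=$v>, the value below survives as-is.
show('unquoted attribute', escapeBoth('x onmouseover=alert(1)', ENT_QUOTES | ENT_HTML401));
```

Run it with `php example.php` from a file saved as UTF-8. Both functions cover the same five characters; htmlentities additionally turns the accented character into a named entity, which is a display concern, not a security one. The settings that matter for safety are the same for both: pass ENT_QUOTES when the value lands in an attribute, pass ENT_SUBSTITUTE so malformed input does not blank the output, always quote the attribute in the template, and use a separate escaper for JavaScript strings, URLs or CSS, since neither function is designed for those contexts.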

5

They do the same thing except for a few characters " < > & "

CASE 1:

$html = "onclick='location:/?page=1&cat=3'";

echo htmlspecialchars($html);

result: onclick='location:/?page=1&cat=3'

CASE 2:

$html = "onclick='location:/?page=1&cat=3'";

echo htmlentities($html);

result: onclick='location:/?page=1&#38;cat=3'
