htmlentities() vs. htmlspecialchars()

Question

What are the differences between htmlspecialchars() and htmlentities(). When should I use one or the other?

Answer 1

htmlspecialchars may be used:

1. When there is no need to encode all characters which have their HTML equivalents.

   If you know that the page encoding match the text special symbols, why would you use htmlentities? htmlspecialchars is much straightforward, and produce less code to send to the client.

   For example:

   echo htmlentities('<Il était une fois un être>.');
   // Output: &lt;Il &eacute;tait une fois un &ecirc;tre&gt;.
   //                ^^^^^^^^                 ^^^^^^^
   
   echo htmlspecialchars('<Il était une fois un être>.');
   // Output: &lt;Il était une fois un être&gt;.
   //                ^                 ^
   

   The second one is shorter, and does not cause any problems if ISO-8859-1 charset is set.

2. When the data will be processed not only through a browser (to avoid decoding HTML entities),

3. If the output is XML (see the answer by Artefacto).

Answer 2

htmlspecialchars () does the minimum amount of encoding to ensure that your string is not parsed as HTML. This leaves your string more human-readable than it would be if you used htmlentities () to encode absolutely everything that has an encoding.

Answer 3

I just found out about the get_html_translation_table function. You pass it HTML_ENTITIES or HTML_SPECIALCHARS and it returns an array with the characters that will be encoded and how they will be encoded.

Answer 4

This is being encoded with htmlentities.

implode( "\t", array_values( get_html_translation_table( HTML_ENTITIES ) ) ):

" & < >
¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ­ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ Œ œ Š š Ÿ ƒ ˆ ˜ Α Β Γ Δ Ε Ζ Η Θ Ι Κ Λ Μ Ν Ξ Ο Π Ρ Σ Τ Υ Φ Χ Ψ Ω α β γ δ ε ζ η θ ι κ λ μ ν ξ ο π ρ ς σ τ υ φ χ ψ ω ϑ ϒ ϖ       ‌ ‍ ‎ ‏ – — ‘ ’ ‚ “ ” „ † ‡ • … ‰ ′ ″ ‹ › ‾ ⁄ € ℑ ℘ ℜ ™ ℵ ← ↑ → ↓ ↔ ↵ ⇐ ⇑ ⇒ ⇓ ⇔ ∀ ∂ ∃ ∅ ∇ ∈ ∉ ∋ ∏ ∑ − ∗ √ ∝ ∞ ∠ ∧ ∨ ∩ ∪ ∫ ∴ ∼ ≅ ≈ ≠ ≡ ≤ ≥ ⊂ ⊃ ⊄ ⊆ ⊇ ⊕ ⊗ ⊥ ⋅ ⌈ ⌉ ⌊ ⌋ ⟨ ⟩ ◊ ♠ ♣ ♥ ♦

This is being encoded with htmlspecialchars.

implode( "\t", array_values( get_html_translation_table( HTML_SPECIALCHARS ) ) ):

" & < >

Answer 5

htmlentities — Convert all applicable characters to HTML entities.

htmlspecialchars — Convert special characters to HTML entities.

The translations performed translation characters on the below:

• '&' (ampersand) becomes '&amp;'
• '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
• "'" (single quote) becomes '&#039;' (or ') only when ENT_QUOTES is set.
• '<' (less than) becomes '&lt;'
• '>' (greater than) becomes '&gt;'

You can check the following code for more information about what's htmlentities and htmlspecialchars:

https://gist.github.com/joko-wandiro/f5c935708d9c37d8940b

Answer 6

You probably want to use some Unicode character encoding, for example UTF-8, and htmlspecialchars. Because there isn't any need to generate "HTML entities" for "all [the] applicable characters" (that is what htmlentities does according to the documentation) if it's already in your character set.