(PHP 4, PHP 5)
htmlspecialchars — Convert special characters to HTML entities
$string
   [, int $flags = ENT_COMPAT | ENT_HTML401
   [, string $encoding = ini_get("default_charset")
   [, bool $double_encode = true
  ]]] )Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with these conversions made. If you require all input substrings that have associated named entities to be translated, use htmlentities() instead.
If the input string passed to this function and the final document share the same character set, this function is sufficient to prepare input for inclusion in most contexts of an HTML document. If, however, the input can represent characters that are not coded in the final document character set and you wish to retain those characters (as numeric or named entities), both this function and htmlentities() (which only encodes substrings that have named entity equivalents) may be insufficient. You may have to use mb_encode_numericentity() instead.
The translations performed are:
ENT_NOQUOTES
      is not set.
     
    ENT_QUOTES is set.
     
    
stringThe string being converted.
flagsA bitmask of one or more of the following flags, which specify how to handle quotes, invalid code unit sequences and the used document type. The default is ENT_COMPAT | ENT_HTML401.
| Constant Name | Description | 
|---|---|
| ENT_COMPAT | Will convert double-quotes and leave single-quotes alone. | 
| ENT_QUOTES | Will convert both double and single quotes. | 
| ENT_NOQUOTES | Will leave both double and single quotes unconverted. | 
| ENT_IGNORE | Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it » may have security implications. | 
| ENT_SUBSTITUTE | Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of returning an empty string. | 
| ENT_DISALLOWED | Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content. | 
| ENT_HTML401 | Handle code as HTML 4.01. | 
| ENT_XML1 | Handle code as XML 1. | 
| ENT_XHTML | Handle code as XHTML. | 
| ENT_HTML5 | Handle code as HTML 5. | 
encodingAn optional argument defining the encoding used when converting characters.
  If omitted, the default value of the encoding varies
  depending on the PHP version in use. In PHP 5.6 and later, the
  default_charset configuration
  option is used as the default value. PHP 5.4 and 5.5 will use
  UTF-8 as the default. Earlier versions of PHP use
  ISO-8859-1.
 
Although this argument is technically optional, you are highly encouraged to specify the correct value for your code if you are using PHP 5.5 or earlier, or if your default_charset configuration option may be set incorrectly for the given input.
       For the purposes of this function, the encodings
       ISO-8859-1, ISO-8859-15,
       UTF-8, cp866,
       cp1251, cp1252, and
       KOI8-R are effectively equivalent, provided the
       string itself is valid for the encoding, as
       the characters affected by htmlspecialchars() occupy
       the same positions in all of these encodings.
      
The following character sets are supported:
| Charset | Aliases | Description | 
|---|---|---|
| ISO-8859-1 | ISO8859-1 | Western European, Latin-1. | 
| ISO-8859-5 | ISO8859-5 | Little used cyrillic charset (Latin/Cyrillic). | 
| ISO-8859-15 | ISO8859-15 | Western European, Latin-9. Adds the Euro sign, French and Finnish letters missing in Latin-1 (ISO-8859-1). | 
| UTF-8 | ASCII compatible multi-byte 8-bit Unicode. | |
| cp866 | ibm866, 866 | DOS-specific Cyrillic charset. | 
| cp1251 | Windows-1251, win-1251, 1251 | Windows-specific Cyrillic charset. | 
| cp1252 | Windows-1252, 1252 | Windows specific charset for Western European. | 
| KOI8-R | koi8-ru, koi8r | Russian. | 
| BIG5 | 950 | Traditional Chinese, mainly used in Taiwan. | 
| GB2312 | 936 | Simplified Chinese, national standard character set. | 
| BIG5-HKSCS | Big5 with Hong Kong extensions, Traditional Chinese. | |
| Shift_JIS | SJIS, SJIS-win, cp932, 932 | Japanese | 
| EUC-JP | EUCJP, eucJP-win | Japanese | 
| MacRoman | Charset that was used by Mac OS. | |
| '' | An empty string activates detection from script encoding (Zend multibyte), default_charset and current locale (see nl_langinfo() and setlocale()), in this order. Not recommended. | 
Note: Any other character sets are not recognized. The default encoding will be used instead and a warning will be emitted.
double_encode
       When double_encode is turned off PHP will not
       encode existing html entities, the default is to convert everything.
      
The converted string.
   If the input string contains an invalid code unit
   sequence within the given encoding an empty string
   will be returned, unless either the ENT_IGNORE or
   ENT_SUBSTITUTE flags are set.
  
| Version | Description | 
|---|---|
| 5.6.0 | The default value for the encodingparameter was
   changed to be the value of the
   default_charset configuration
   option. | 
| 5.4.0 | The default value for the encodingparameter was
        changed to UTF-8. | 
| 5.4.0 | The constants ENT_SUBSTITUTE,ENT_DISALLOWED,ENT_HTML401,ENT_XML1,ENT_XHTMLandENT_HTML5were added. | 
| 5.3.0 | The constant ENT_IGNOREwas added. | 
| 5.2.3 | The double_encodeparameter was added. | 
Example #1 htmlspecialchars() example
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // <a href='test'>Test</a>
?>
Note:
Note that this function does not translate anything beyond what is listed above. For full entity translation, see htmlentities().