字符串函数
在线手册:中文 英文
PHP手册

htmlentities

(PHP 4, PHP 5)

htmlentitiesConvert all applicable characters to HTML entities

说明

string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = 'UTF-8' [, bool $double_encode = true ]]] )

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

If you want to decode instead (the reverse) you can use html_entity_decode().

参数

string

The input string.

flags

A bitmask of one or more of the following flags, which specify how to handle quotes, invalid code unit sequences and the used document type. The default is ENT_COMPAT | ENT_HTML401.

Available flags constants
Constant Name Description
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES Will convert both double and single quotes.
ENT_NOQUOTES Will leave both double and single quotes unconverted.
ENT_IGNORE Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it » may have security implications.
ENT_SUBSTITUTE Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of returning an empty string.
ENT_DISALLOWED Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
ENT_HTML401 Handle code as HTML 4.01.
ENT_XML1 Handle code as XML 1.
ENT_XHTML Handle code as XHTML.
ENT_HTML5 Handle code as HTML 5.

encoding

Like htmlspecialchars(), htmlentities() takes an optional third argument encoding which defines encoding used in conversion. If omitted, the default value for this argument is ISO-8859-1 in versions of PHP prior to 5.4.0, and UTF-8 from PHP 5.4.0 onwards. Although this argument is technically optional, you are highly encouraged to specify the correct value for your code.

以下字符集设置从 PHP 4.3.0 版本开始被支持。

支持的字符集列表
字符集 别名 描述
ISO-8859-1 ISO8859-1 西欧,Latin-1
ISO-8859-15 ISO8859-15 西欧,Latin-9。增加欧元符号,法语和芬兰语字母在 Latin-1(ISO-8859-1) 中缺失。
UTF-8   ASCII 兼容的多字节 8 位 Unicode。
cp866 ibm866, 866 DOS 特有的西里尔编码。本字符集在 4.3.2 版本中得到支持。
cp1251 Windows-1251, win-1251, 1251 Windows 特有的西里尔编码。本字符集在 4.3.2 版本中得到支持。
cp1252 Windows-1252, 1252 Windows 特有的西欧编码。
KOI8-R koi8-ru, koi8r 俄语。本字符集在 4.3.2 版本中得到支持。
BIG5 950 繁体中文,主要用于中国台湾省。
GB2312 936 简体中文,中国国家标准字符集。
BIG5-HKSCS   繁体中文,附带香港扩展的 Big5 字符集。
Shift_JIS SJIS, 932 日语
EUC-JP EUCJP 日语

Note: 其他字符集没有认可。可以使用 ISO-8859-1 来替代。

double_encode

When double_encode is turned off PHP will not encode existing html entities. The default is to convert everything.

返回值

Returns the encoded string.

If the input string contains an invalid code unit sequence within the given encoding an empty string will be returned, unless either the ENT_IGNORE or ENT_SUBSTITUTE flags are set.

更新日志

版本 说明
5.4.0 The default value for the encoding parameter was changed to UTF-8.
5.4.0 The constants ENT_SUBSTITUTE, ENT_DISALLOWED, ENT_HTML401, ENT_XML1, ENT_XHTML and ENT_HTML5 were added.
5.3.0 The constant ENT_IGNORE was added.
5.2.3 The double_encode parameter was added.
4.1.0 The encoding parameter was added.
4.0.3 The flags parameter was added.

范例

Example #1 A htmlentities() example

<?php
$str 
"A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($strENT_QUOTES);
?>

Example #2 Usage of ENT_IGNORE

<?php
$str 
"\x8F!!!";

// Outputs an empty string
echo htmlentities($strENT_QUOTES"UTF-8");

// Outputs "!!!"
echo htmlentities($strENT_QUOTES ENT_IGNORE"UTF-8");
?>

参见


字符串函数
在线手册:中文 英文
PHP手册
PHP手册 - N: Convert all applicable characters to HTML entities

用户评论:

ustimenko dot alexander at gmail dot com (09-Apr-2012 10:15)

For those Spanish (and not only) folks, that want their national letters back after htmlentities :)

<?php
protected function _decodeAccented($encodedValue, $options = array()) {
   
$options += array(
       
'quote'     => ENT_NOQUOTES,
       
'encoding'  => 'UTF-8',
    );
    return
preg_replace_callback(
       
'/&\w(acute|uml|tilde);/',
       
create_function(
           
'$m',
           
'return html_entity_decode($m[0], ' . $options['quote'] . ', "' .
           
$options['encoding'] . '");'
       
),
       
$encodedValue
   
);
}
?>

n at erui dot eu (30-Mar-2012 05:47)

edit on 'superentities' function below...
It has a blind-spot for backslashes, but is quite fast. 10x faster than encoding all to numeric entities, then html_decode()-ing them into latin1, then recoding in UTF-8 (same result).
Also, possibly doing bit-wise comparisons might be better than if(ord)

n at erui dot eu (20-Mar-2012 08:46)

html entities does not encode all unicode characters. It encodes what it can [all of latin1], and the others slip through. &#1033; is the nasty I use. I have searched for a function which encodes everything, but in the end I wrote this. This is as simple as I can get it. Consult an ansii table to custom include/omit chars you want/don't. I'm sure it's not that fast.

// Unicode-proof htmlentities.
// Returns 'normal' chars as chars and weirdos as numeric html entites.
function superentities( $str ){
    // get rid of existing entities else double-escape
    $str = html_entity_decode(stripslashes($str),ENT_QUOTES,'UTF-8');
    $ar = preg_split('/(?<!^)(?!$)/u', $str );  // return array of every multi-byte character
    foreach ($ar as $c){
        $o = ord($c);
        if ( (strlen($c) > 1) || /* multi-byte [unicode] */
            ($o <32 || $o > 126) || /* <- control / latin weirdos -> */
            ($o >33 && $o < 40) ||/* quotes + ambersand */
            ($o >59 && $o < 63) /* html */
        ) {
            // convert to numeric entity
            $c = mb_encode_numericentity($c,array (0x0, 0xffff, 0, 0xffff), 'UTF-8');
        }
        $str2 .= $c;
    }
    return $str2;
}

Anonymous (23-Feb-2012 07:45)

@robin;

Use it with "ENT_IGNORE" in order to not lose your data.

// ""
echo htmlentities('?hello', null, 'utf-8');

// hello
echo htmlentities('?hello', ENT_IGNORE, 'utf-8');

wd at NOSPAMwd dot it (19-Dec-2011 10:20)

Hi there,

after several and several tests, I figured out that dot:

- htmlentities() function remove characters like "à","è",etc when you specify a flag and a charset

- htmlentities() function DOES NOT remove characters like those above when you DO NOT specify anything

So, let's assume that..

<?php

$str
= "Hèèèllooo";

$res_1 = htmlentities($str, ENT_QUOTES, "UTF-8");
$res_2 = htmlentities($str);

echo
var_dump($res_1); // Result: string '' (length=0)
echo var_dump($res_2); // string 'H&egrave;&egrave;&egrave;llooo' (length=30)

?>

I used this for a textarea content for comments. Anyway, note that using the "$res_2" form the function will leave unconverted single/double quotes. At this point you should use str_replace() function to perform the characters but be careful because..

<?php

$str
= "'Hèèèllooo'";

$res_2 = str_replace("'","&#039;",$str);
$res_2 = htmlentities($str);
echo
var_dump($res_2); // string '&amp;#039;H&egrave;&egrave;&egrave;llooo&amp;#039;'

$res_3 = htmlentities($str);
$res_3 = str_replace("'","&#039;",$res_3);
echo
var_dump($res_3); // string '&#039;H&egrave;&egrave;&egrave;llooo&#039;' --> Nice
?>

Hope it will helps you.

Regards,
W.D.

steve at mcdragonsoftware dot com (17-Nov-2011 04:59)

I'm glad 5.4 has xml support, but many of us are working with older installations, some of us still have to use PHP4. If you're like me you've been frustrated with trying to use htmlentites/htmlspecial chars with xml output. I was hoping to find an option to force numeric encoding, lacking that, I have written my own xmlencode function, which I now offer:

usage:

$string xmlencode( $string )

it will use htmlspecialchars for the valid xml entities amp, quote, lt, gt, (apos) and return the numeric entity for all other non alpha-numeric characters.

-------------------------------------------

<?php
if( !function_exists( 'xmlentities' ) ) {
    function
xmlentities( $string ) {
       
$not_in_list = "A-Z0-9a-z\s_-";
        return
preg_replace_callback( "/[^{$not_in_list}]/" , 'get_xml_entity_at_index_0' , $string );
    }
    function
get_xml_entity_at_index_0( $CHAR ) {
        if( !
is_string( $CHAR[0] ) || ( strlen( $CHAR[0] ) > 1 ) ) {
            die(
"function: 'get_xml_entity_at_index_0' requires data type: 'char' (single character). '{$CHAR[0]}' does not match this type." );
        }
        switch(
$CHAR[0] ) {
            case
"'":    case '"':    case '&':    case '<':    case '>':
                return
htmlspecialchars( $CHAR[0], ENT_QUOTES );    break;
            default:
                return
numeric_entity_4_char($CHAR[0]);                break;
        }       
    }
    function
numeric_entity_4_char( $char ) {
        return
"&#".str_pad(ord($char), 3, '0', STR_PAD_LEFT).";";
    }   
}
?>

Waygood (06-Jun-2011 10:09)

When putting values inside comment tags <!-- --> you should replace -- with &#45;&#45; too, as this would end your tag and show the rest of the comment.

robin at robinwinslow dot co dot uk (15-Apr-2011 04:14)

htmlentities seems to have changed at some point between version 5.1.6 and 5.3.3, such that it now returns an empty string for anything containing a pound sign:

$ php -v
PHP 5.1.6 (cli) (built: May 22 2008 09:08:44)
$ php -r "echo htmlentities('?hello', null, 'utf-8');"
&pound;hello
$

$ php -v
PHP 5.3.3 (cli) (built: Aug 19 2010 12:07:49)
$ php -r "echo htmlentities('?hello', null, 'utf-8');"
$

(Returns an empty string the second time)

Just a heads up.

markus at senoner dot com (15-Apr-2011 03:27)

Pay attention, that htmlentities() does not recognise all Unicode-Symbols.  For example the bullet "?" (&bull; or &#8226;) will not be converted to a html-entity.

admin at wapforum dot rs (24-Feb-2011 09:11)

A useful little function to convert the symbols in the different inputs.
<?php
function ConvertSimbols($var, $ConvertQuotes = 0) {
if (
$ConvertQuotes > 0) {
$var = htmlentities($var, ENT_NOQUOTES, 'UTF-8');
$var = str_replace('\"', '', $var);
$var = str_replace("\'", '', $var);
} else {
$var = htmlentities($var, ENT_QUOTES, 'UTF-8');
}
return
$var;
}
?>

Usage with quotes for example message:

$message = ConvertSimbols($message);

Usage without quotes for example link:

$link = ConvertSimbols($link, 1);

kindrosker at gmail dot com (10-Feb-2011 01:31)

All Codes list

array('?'=>'&Agrave;', 'à'=>'&agrave;', '?'=>'&Aacute;', 'á'=>'&aacute;', '?'=>'&Acirc;', '?'=>'&acirc;', '?'=>'&Atilde;', '?'=>'&atilde;', '?'=>'&Auml;', '?'=>'&auml;', '?'=>'&Aring;', '?'=>'&aring;', '?'=>'&AElig;', '?'=>'&aelig;', '?'=>'&Ccedil;', '?'=>'&ccedil;', '?'=>'&ETH;', '?'=>'&eth;', '?'=>'&Egrave;', 'è'=>'&egrave;', '?'=>'&Eacute;', 'é'=>'&eacute;', '?'=>'&Ecirc;', 'ê'=>'&ecirc;', '?'=>'&Euml;', '?'=>'&euml;', '?'=>'&Igrave;', 'ì'=>'&igrave;', '?'=>'&Iacute;', 'í'=>'&iacute;', '?'=>'&Icirc;', '?'=>'&icirc;', '?'=>'&Iuml;', '?'=>'&iuml;', '?'=>'&Ntilde;', '?'=>'&ntilde;', '?'=>'&Ograve;', 'ò'=>'&ograve;', '?'=>'&Oacute;', 'ó'=>'&oacute;', '?'=>'&Ocirc;', '?'=>'&ocirc;', '?'=>'&Otilde;', '?'=>'&otilde;', '?'=>'&Ouml;', '?'=>'&ouml;', '?'=>'&Oslash;', '?'=>'&oslash;', '?'=>'&OElig;', '?'=>'&oelig;', '?'=>'&szlig;', '?'=>'&THORN;', '?'=>'&thorn;', '?'=>'&Ugrave;', 'ù'=>'&ugrave;', '?'=>'&Uacute;', 'ú'=>'&uacute;', '?'=>'&Ucirc;', '?'=>'&ucirc;', '?'=>'&Uuml;', 'ü'=>'&uuml;', '?'=>'&Yacute;', '?'=>'&yacute;', '?'=>'&Yuml;', '?'=>'&yuml;');

galert420 at gmail dot com (05-Nov-2010 06:24)

Croatian entites

<?php
$ent
= array(
   
'?'=>'&#262;',
   
'?'=>'&#263;',
   
'?'=>'&#268;',
   
'?'=>'&#269;',
   
'?'=>'&#272',
   
'?'=>'&#273',
   
'?'=>'&#352',
   
'?'=>'&#353',
   
'?'=>'&#381',
   
'?'=>'&#382'
);

echo
strtr('??????????', $ent);
?>

php dot net at softmoon-webware dot com (12-Oct-2010 10:32)

<?php
$HTML_ENTS
=array("quot", "amp", "apos", "lt", "gt", "nbsp", "iexcl", "cent",
"pound","curren", "yen", "brvbar", "sect", "uml", "copy", "ordf", "laquo",
"not", "shy", "reg", "macr", "deg", "plusmn", "sup2", "sup3", "acute",
"micro", "para", "middot", "cedil", "sup1", "ordm", "raquo", "frac14",
"frac12", "frac34", "iquest", "Agrave", "Aacute", "Acirc", "Atilde", "Auml",
"Aring", "AElig", "Ccedil", "Egrave", "Eacute", "Ecirc", "Euml", "Igrave",
"Iacute", "Icirc", "Iuml", "ETH", "Ntilde", "Ograve", "Oacute", "Ocirc",
"Otilde", "Ouml", "times", "Oslash", "Ugrave", "Uacute", "Ucirc", "Uuml",
"Yacute", "THORN", "szlig", "agrave", "aacute", "acirc", "atilde", "auml",
"aring", "aelig", "ccedil", "egrave", "eacute", "ecirc", "euml", "igrave",
"iacute", "icirc", "iuml", "eth", "ntilde", "ograve", "oacute", "ocirc",
"otilde", "ouml", "divide", "oslash", "ugrave", "uacute", "ucirc", "uuml",
"yacute", "thorn", "yuml", "OElig", "oelig", "Scaron", "scaron", "Yuml",
"fnof", "circ", "tilde", "Alpha", "Beta", "Gamma", "Delta", "Epsilon",
"Zeta", "Eta", "Theta", "Iota", "Kappa", "Lambda", "Mu", "Nu", "Xi",
"Omicron", "Pi", "Rho", "Sigma", "Tau", "Upsilon", "Phi", "Chi", "Psi",
"Omega", "alpha", "beta", "gamma", "delta", "epsilon", "zeta", "eta",
"theta", "iota", "kappa", "lambda", "mu", "nu", "xi", "omicron", "pi",
"rho", "sigmaf", "sigma", "tau", "upsilon", "phi", "chi", "psi", "omega",
"thetasym", "upsih", "piv", "ensp", "emsp", "thinsp", "zwnj", "zwj", "lrm",
"rlm", "ndash", "mdash", "lsquo", "rsquo", "sbquo", "ldquo", "rdquo",
"bdquo", "dagger", "Dagger", "bull", "hellip", "permil", "prime", "Prime",
"lsaquo", "rsaquo", "oline", "frasl", "euro", "image", "weierp", "real",
"trade", "alefsym", "larr", "uarr", "rarr", "darr", "harr", "crarr", "lArr",
"uArr", "rArr", "dArr", "hArr", "forall", "part", "exist", "empty", "nabla",
"isin", "notin", "ni", "prod", "sum", "minus", "lowast", "radic", "prop",
"infin", "ang", "and", "or", "cap", "cup", "int", "there4", "sim", "cong",
"asymp", "ne", "equiv", "le", "ge", "sub", "sup", "nsub", "sube", "supe",
"oplus", "otimes", "perp", "sdot", "lceil", "rceil", "lfloor",
"rfloor", "lang", "rang", "loz", "spades", "clubs", "hearts", "diams");

// The selection of tags below is optimized for use with a webmaster's database,
// --NOT-- to process user POSTs from the World Wide Web
//  for inclusion on a public page.

//  NOT included:
//   form,  input,  select,  option,  label,  optgroup,  textarea,  area,  map,
//   html,  head,  style,  link,  meta,  base,  body,  isindex,
//   frame,  frameset,  noframes
//  (include those above at your wish,  remove those below at your wish)
$HTML_TAGS=array("a", "abbr", "acronym", "address", "applet", "b", "basefont",
"bdo", "big", "blockquote", "br", "button", "caption", "center", "cite",
"code", "col", "colgroup", "dd", "del", "dfn", "dir", "div", "dl", "dt", "em",
"embed", "fieldset", "font", "h1", "h2", "h3", "h4", "h5", "h6", "hr", "i",
"iframe", "img", "ins", "kbd", "legend", "li", "menu", "noembed", "noscript",
"object", "ol", "p", "param", "pre", "q", "s", "samp", "script", "small",
"span", "strike", "strong", "sub", "sup", "table", "tbody", "td", "tfoot",
"th", "thead", "title", "tr", "tt", "u", "ul", "var");

$Xchars = array(
 
128 => '&#8364;',
 
130 => '&#8218;',
 
131 => '&#402;',
 
132 => '&#8222;',
 
133 => '&#8230;',
 
134 => '&#8224;',
 
135 => '&#8225;',
 
136 => '&#710;',
 
137 => '&#8240;',
 
138 => '&#352;',
 
139 => '&#8249;',
 
140 => '&#338;',
 
142 => '&#381;',
 
145 => '&#8216;',
 
146 => '&#8217;',
 
147 => '&#8220;',
 
148 => '&#8221;',
 
149 => '&#8226;',
 
150 => '&#8211;',
 
151 => '&#8212;',
 
152 => '&#732;',
 
153 => '&#8482;',
 
154 => '&#353;',
 
155 => '&#8250;',
 
156 => '&#339;',
 
158 => '&#382;',
 
159 => '&#376;');
?>

drallen at cs dot uwaterloo dot ca (30-Sep-2010 12:11)

A pointer to http://www.php.net/manual/en/function.mb-convert-encoding.php if your intention is to translate *all* characters in a charset to their corresponding HTML entities, not just named characters. Non-named characters will be replaced with HTML numeric encoding. eg:

$text = mb_convert_encoding($text, 'HTML-ENTITIES', "UTF-8");

h_guillaume at hotmail dot com (17-Sep-2010 09:14)

I use this function to encode all the xml entities and also all the &something; that are not defined in xml like &trade;
You can also decode what you encode with my decode function.
My function works a little like the htmlentities.
You can also add other string to the array if you want to exclude them from the encoding.

<?php
function xml_entity_decode($text, $charset = 'Windows-1252'){
   
// Double decode, so if the value was &amp;trade; it will become Trademark
   
$text = html_entity_decode($text, ENT_COMPAT, $charset);
   
$text = html_entity_decode($text, ENT_COMPAT, $charset);
    return
$text;
}

function
xml_entities($text, $charset = 'Windows-1252'){
    
// Debug and Test
    // $text = "test &amp; &trade; &amp;trade; abc &reg; &amp;reg; &#45;";
   
    // First we encode html characters that are also invalid in xml
   
$text = htmlentities($text, ENT_COMPAT, $charset, false);
   
   
// XML character entity array from Wiki
    // Note: &apos; is useless in UTF-8 or in UTF-16
   
$arr_xml_special_char = array("&quot;","&amp;","&apos;","&lt;","&gt;");
   
   
// Building the regex string to exclude all strings with xml special char
   
$arr_xml_special_char_regex = "(?";
    foreach(
$arr_xml_special_char as $key => $value){
       
$arr_xml_special_char_regex .= "(?!$value)";
    }
   
$arr_xml_special_char_regex .= ")";
   
   
// Scan the array for &something_not_xml; syntax
   
$pattern = "/$arr_xml_special_char_regex&([a-zA-Z0-9]+;)/";
   
   
// Replace the &something_not_xml; with &amp;something_not_xml;
   
$replacement = '&amp;${1}';
    return
preg_replace($pattern, $replacement, $text);
}
?>

Sijmen Ruwhof (13-Sep-2010 08:18)

An important note below about using this function to secure your application against Cross Site Scripting (XSS) vulnerabilities.

When printing user input in an attribute of an HTML tag, the default configuration of htmlEntities() doesn't protect you against XSS, when using single quotes to define the border of the tag's attribute-value. XSS is then possible by injecting a single quote:

<?php
$_GET
['a'] = "#000' onload='alert(document.cookie)";
?>

XSS possible (insecure):

<?php
$href
= htmlEntities($_GET['a']);
print
"<body bgcolor='$href'>"; # results in: <body bgcolor='#000' onload='alert(document.cookie)'>
?>

Use the 'ENT_QUOTES' quote style option, to ensure no XSS is possible and your application is secure:

<?php
$href
= htmlEntities($_GET['a'], ENT_QUOTES);
print
"<body bgcolor='$href'>"; # results in: <body bgcolor='#000&#039; onload=&#039;alert(document.cookie)'>
?>

The 'ENT_QUOTES' option doesn't protect you against javascript evaluation in certain tag's attributes, like the 'href' attribute of the 'a' tag. When clicked on the link below, the given JavaScript will get executed:

<?php
$_GET
['a'] = 'javascript:alert(document.cookie)';
$href = htmlEntities($_GET['a'], ENT_QUOTES);
print
"<a href='$href'>link</a>"; # results in: <a href='javascript:alert(document.cookie)'>link</a>
?>

Wired (14-May-2010 01:22)

I needed a simple little function to take a string and convert extended ascii characters into html entities. I couldn't find a function for this so I whipped one up.

<?php
/* Convert Extended ASCII Characters to HTML Entities */
function ascii2entities($string){
    for(
$i=128;$i<=255;$i++){
       
$entity = htmlentities(chr($i), ENT_QUOTES, 'cp1252');
       
$temp = substr($entity, 0, 1);
       
$temp .= substr($entity, -1, 1);
        if (
$temp != '&;'){
           
$string = str_replace(chr($i), '', $string);
        }
        else{
           
$string = str_replace(chr($i), $entity, $string);
        }
    }
    return
$string;
}

echo
ascii2entities("?");
?>

phil at lavin dot me dot uk (08-Apr-2010 04:34)

The following will make a string completely safe for XML:

<?php
function philsXMLClean($strin) {
       
$strout = null;

        for (
$i = 0; $i < strlen($strin); $i++) {
               
$ord = ord($strin[$i]);

                if ((
$ord > 0 && $ord < 32) || ($ord >= 127)) {
                       
$strout .= "&amp;#{$ord};";
                }
                else {
                        switch (
$strin[$i]) {
                                case
'<':
                                       
$strout .= '&lt;';
                                        break;
                                case
'>':
                                       
$strout .= '&gt;';
                                        break;
                                case
'&':
                                       
$strout .= '&amp;';
                                        break;
                                case
'"':
                                       
$strout .= '&quot;';
                                        break;
                                default:
                                       
$strout .= $strin[$i];
                        }
                }
        }

        return
$strout;
}
?>

silverbeat -eat- gmx -hot- at (09-Mar-2010 08:42)

When using UTF-8 as a charset, htmlentities will only convert 1-byte and 2-byte characters. Use this function if you also want to convert 3-byte and 4-byte characters:

<?php

// converts a UTF8-string into HTML entities
//  - $utf8:        the UTF8-string to convert
//  - $encodeTags:  booloean. TRUE will convert "<" to "&lt;"
//  - return:       returns the converted HTML-string
function utf8tohtml($utf8, $encodeTags) {
   
$result = '';
    for (
$i = 0; $i < strlen($utf8); $i++) {
       
$char = $utf8[$i];
       
$ascii = ord($char);
        if (
$ascii < 128) {
           
// one-byte character
           
$result .= ($encodeTags) ? htmlentities($char) : $char;
        } else if (
$ascii < 192) {
           
// non-utf8 character or not a start byte
       
} else if ($ascii < 224) {
           
// two-byte character
           
$result .= htmlentities(substr($utf8, $i, 2), ENT_QUOTES, 'UTF-8');
           
$i++;
        } else if (
$ascii < 240) {
           
// three-byte character
           
$ascii1 = ord($utf8[$i+1]);
           
$ascii2 = ord($utf8[$i+2]);
           
$unicode = (15 & $ascii) * 4096 +
                       (
63 & $ascii1) * 64 +
                       (
63 & $ascii2);
           
$result .= "&#$unicode;";
           
$i += 2;
        } else if (
$ascii < 248) {
           
// four-byte character
           
$ascii1 = ord($utf8[$i+1]);
           
$ascii2 = ord($utf8[$i+2]);
           
$ascii3 = ord($utf8[$i+3]);
           
$unicode = (15 & $ascii) * 262144 +
                       (
63 & $ascii1) * 4096 +
                       (
63 & $ascii2) * 64 +
                       (
63 & $ascii3);
           
$result .= "&#$unicode;";
           
$i += 3;
        }
    }
    return
$result;
}

echo
utf8tohtml($anyUTF8string, TRUE);

?>

regards, silverbeat

sirarthur at sirarthur dot info (05-Oct-2009 09:05)

When happens that you want to encode special characters but not the HTML tags using this function you've two options:

a) Build your own function and go replace by character; eg.

<?php
 
for($i = 0; $i < strlen($string); $i++){
     switch(
substr($string,$i,1)){
       
//..... A VERY HUGE switch here with all characters to encode.
   
}
 }
?>

b) use this function and simple restore the html tags afterwards. Which gives you a 6 line function as follow:

<?php
 
function keephtml($string){
         
$res = htmlentities($string);
         
$res = str_replace("&lt;","<",$res);
         
$res = str_replace("&gt;",">",$res);
         
$res = str_replace("&quot;",'"',$res);
         
$res = str_replace("&amp;",'&',$res);
          return
$res;
}
?>

montana (09-Jul-2009 05:54)

under what circumstances would someone want a ntilde [?] to be converted into "?±" as htmlentities does?
the correct method of translation should return the accurate NCR for the multibyte unicode sequence
which in this case is &#241;

<?php

   
//simple task: convert everything from utf-8 into an NCR[numeric character reference]
   
class unicode_replace_entities {
        public function
UTF8entities($content="") {
           
$contents = $this->unicode_string_to_array($content);
           
$swap = "";
           
$iCount = count($contents);
            for (
$o=0;$o<$iCount;$o++) {
               
$contents[$o] = $this->unicode_entity_replace($contents[$o]);
               
$swap .= $contents[$o];
            }
            return
mb_convert_encoding($swap,"UTF-8"); //not really necessary, but why not.
       
}

        public function
unicode_string_to_array( $string ) { //adjwilli
           
$strlen = mb_strlen($string);
            while (
$strlen) {
               
$array[] = mb_substr( $string, 0, 1, "UTF-8" );
               
$string = mb_substr( $string, 1, $strlen, "UTF-8" );
               
$strlen = mb_strlen( $string );
            }
            return
$array;
        }

        public function
unicode_entity_replace($c) { //m. perez
           
$h = ord($c{0});   
            if (
$h <= 0x7F) {
                return
$c;
            } else if (
$h < 0xC2) {
                return
$c;
            }
           
            if (
$h <= 0xDF) {
               
$h = ($h & 0x1F) << 6 | (ord($c{1}) & 0x3F);
               
$h = "&#" . $h . ";";
                return
$h;
            } else if (
$h <= 0xEF) {
               
$h = ($h & 0x0F) << 12 | (ord($c{1}) & 0x3F) << 6 | (ord($c{2}) & 0x3F);
               
$h = "&#" . $h . ";";
                return
$h;
            } else if (
$h <= 0xF4) {
               
$h = ($h & 0x0F) << 18 | (ord($c{1}) & 0x3F) << 12 | (ord($c{2}) & 0x3F) << 6 | (ord($c{3}) & 0x3F);
               
$h = "&#" . $h . ";";
                return
$h;
            }
        }
    }
//
   
    //utf-8 environment   
   
$content = "<strong>ba?o ba?o ba?o</strong>日本語 = nihongo da ze.<br />";

   
$oUnicodeReplace = new unicode_replace_entities();
   
$content = $oUnicodeReplace->UTF8entities($content);
    echo
"<br />Result:<br />";
    echo
$content;
   
$source = htmlentities($content);
    echo
"<br />htmlentities of resulting data:<br />";
    echo
$source;

    echo
"<br /><br />Note: Entities get replaced with 'literals' in textarea FF3<br /><br />";
    echo
"<textarea style='width:300px;height:150px;'>";
    echo
$content;
    echo
"</textarea>";
   
    echo
"<br /><br />For editing NCR's rather than 'literals' in a textarea<br /><br />";
    echo
"<textarea style='width:300px;height:150px;'>";
    echo
preg_replace("/(&#)+/","&amp;#",$content); 
    echo
"</textarea>";

?>

brianhamner at yahoo dot com (09-Jul-2009 05:26)

If you want something simple that actually works, try this. Strips MS word and other entities and returns a clear data string:

<?php
//call this function

function DoHTMLEntities ($string) {
   
$trans_tbl[chr(145)] = '&#8216;';
   
$trans_tbl[chr(146)] = '&#8217;';
   
$trans_tbl[chr(147)] = '&#8220;';
   
$trans_tbl[chr(148)] = '&#8221;';
   
$trans_tbl[chr(142)] = '&eacute;';
   
$trans_tbl[chr(150)] = '&#8211;';
   
$trans_tbl[chr(151)] = '&#8212;';
    return
strtr ($string, $trans_tbl);
}

//insert your string variable here

       
$foo = str_replace("\r\n\r\n","",htmlentities($your_string));
       
$foo2 = str_replace("\r\n"," ",$foo);
       
$foo3 = str_replace(" & ","&amp;",$foo2);
        echo
DoHTMLEntities ($foo3);
?>

alonso05 at gmail dot com (01-Jul-2009 05:22)

Hello, I found a great function when you need a way to encode content from the database as numeric entity references, as that’s a safe way to use high characters and special characters in an xml document, like in an RSS feed.

<?php
function xml_character_encode($string, $trans='') {
 
$trans = (is_array($trans)) ? $trans : get_html_translation_table(HTML_ENTITIES, ENT_QUOTES);
  foreach (
$trans as $k=>$v)
   
$trans[$k]= "&#".ord($k).";";

  return
strtr($string, $trans);
}
?>

mzvarik at gmail dot com (15-May-2009 01:03)

CZECH entities:

<?php
$ent
= array(
   
'ě' => '&#283;',
   
'?' => '&#282;',
   
'?' => '&#353;',
   
'?' => '&#352;',
   
'?' => '&#269;',
   
'?' => '&#268;',
   
'?' => '&#345;',
   
'?' => '&#344;',
   
'?' => '&#382;',
   
'?' => '&#381;',
   
'?' => '&#253;',
   
'?' => '&#221;',
   
'á' => '&#225;',
   
'?' => '&#193;',
   
'í' => '&#237;',
   
'?' => '&#205;',
   
'é' => '&#233;',
   
'?' => '&#201;',
   
'ú' => '&#250;',
   
'?' => '&#367;',
   
'?' => '&#366;',
   
'?' => '&#271;',
   
'?' => '&#270;',
   
'?' => '&#357;',
   
'?' => '&#356;',
   
'ň' => '&#328;',
   
'?' => '&#327;'
);

echo
strtr('ě?????áíéú???ň??????????????', $ent);
?>

busbyjon at gmail dot com (07-Apr-2009 09:49)

I took one of the previous functions above - (which only encodes the string once - which is great) and added the ability to encode & -> &amp;

See below.

Its a shame we cant do this straight with htmlentities (with double encode set to false)

<?php
function htmlButTags($str) {
       
// Take all the html entities
       
$caracteres = get_html_translation_table(HTML_ENTITIES);
       
// Find out the "tags" entities
       
$remover = get_html_translation_table(HTML_SPECIALCHARS);
       
// Spit out the tags entities from the original table
       
$caracteres = array_diff($caracteres, $remover);
       
// Translate the string....
       
$str = strtr($str, $caracteres);
       
// And that's it!
        // oo now amps
       
$str = preg_replace("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/","&amp;" , $str);
       
        return
$str;
    }
?>

gunter [dot] sammet [at] gmail [dot] com (13-Jan-2009 06:48)

Had a heck of a time to get my rss entities right. using htmlentities didn't work and using html_entity_decode didn't work either. Ended up writing a custom function to encode and decode. It might still need some work but I thought to share it because I couldn't find anything on the net. Always open for suggestions to improve it! Here it is:

<?php
  $entity_custom_from
= false;
 
$entity_custom_to = false;
  function
html_entity_decode_encode_rss($data) {
    global
$entity_custom_from, $entity_custom_to;
    if(!
is_array($entity_custom_from) || !is_array($entity_custom_to)){
     
$array_position = 0;
      foreach (
get_html_translation_table(HTML_ENTITIES) as $key => $value) {
       
//print("<br />key: $key, value: $value <br />\n");
       
switch ($value) {
         
// These ones we can skip
         
case '&nbsp;':
            break;
          case
'&gt;':
          case
'&lt;':
          case
'&quot;':
          case
'&apos;':
          case
'&amp;':
           
$entity_custom_from[$array_position] = $key;
           
$entity_custom_to[$array_position] = $value;
           
$array_position++;
            break;
          default:
           
$entity_custom_from[$array_position] = $value;
           
$entity_custom_to[$array_position] = $key;
           
$array_position++;
        }
      }
    }
    return
str_replace($entity_custom_from, $entity_custom_to, $data);
  }
?>

Tom Walter (17-Oct-2008 03:14)

Note that as of 5.2.5 it appears that if the input string contains a character that is not valid for the output encoding you've specified, then this function returns null.

You might expect it to just strip the invalid char, but it doesn't.

You can strip the chars yourself like so:

iconv('utf-8','utf-8',$str);

You can combine that with htmlentities also:

$str = htmlentities(iconv('UTF-8', 'UTF-8//IGNORE', $str, ENT_QUOTES, 'UTF-8');

Should give you a string with htmlentities encoded to utf-8, and any unsupported chars stripped.

Kenneth Kin Lum (23-Sep-2008 12:47)

use htmlspecialchars() if you are passing in a usual ASCII string.  It is faster than htmlentities().

For example, if you are just doing

htmlentities('<div style="background: #fff"></div>');

then you can just use htmlspecialchars().  htmlentities() will look for all possible ways to convert string into html entities, such as &copy; or &eacute; (which is e with an acute accent on top).

Note that ASCII is just 7 bit, which is 0x00 to 0x7F.  htmlspecialchars() will handle characters inside this range already.  htmlentities() is for the 8-bit Latin-1 (ISO-8859-1) to handle European characters, or for UTF-8 when the 3rd argument is "UTF-8" to handle UTF-8 characters, or other types of encodings using different values for the 3rd argument passed into htmlentities().

snevi at im dot com dot ve (22-Jul-2008 02:10)

correction to my previous post and improvement of the function: (the post was changed by the html parser and the characters displays as they should not)

<?php
   
function XMLEntities($string)
    {
       
$string = preg_replace('/[^\x09\x0A\x0D\x20-\x7F]/e', '_privateXMLEntities("$0")', $string);
        return
$string;
    }

    function
_privateXMLEntities($num)
    {
   
$chars = array(
       
128 => '&#8364;',
       
130 => '&#8218;',
       
131 => '&#402;',
       
132 => '&#8222;',
       
133 => '&#8230;',
       
134 => '&#8224;',
       
135 => '&#8225;',
       
136 => '&#710;',
       
137 => '&#8240;',
       
138 => '&#352;',
       
139 => '&#8249;',
       
140 => '&#338;',
       
142 => '&#381;',
       
145 => '&#8216;',
       
146 => '&#8217;',
       
147 => '&#8220;',
       
148 => '&#8221;',
       
149 => '&#8226;',
       
150 => '&#8211;',
       
151 => '&#8212;',
       
152 => '&#732;',
       
153 => '&#8482;',
       
154 => '&#353;',
       
155 => '&#8250;',
       
156 => '&#339;',
       
158 => '&#382;',
       
159 => '&#376;');
       
$num = ord($num);
        return ((
$num > 127 && $num < 160) ? $chars[$num] : "&#".$num.";" );
    }
?>

in the previous post, to correct the HEX values that are not rendered, the program use a for each cicle, but that introduces a mayor complexity in execution time, so, we use the ability to call functions in the preg_replace second parameter, and ceate another funcion that evaluates the ord of the character given, and if it is between 127 and 160 it returns the modified HEX value to be understood by the browser and not brake the XML
(this work with dynamic XML generated form php with dynamic data from any source)

p.d: the '&'(&) should appear in this post as a single ampersand character and not as the html entity

keenskelly at gmail dot com (09-Jul-2008 06:00)

Correction to my previous post: the set of ENTITY declarations must be inside a <!DOCTYPE element; also &nbsp; is NOT pre-defined in XML and must be left in the entity list. I also extended the list with the windows 1252 character set using a sample function borrowed from php.net user comments and extended with euro entity which we need for our app. Here is the final code that is in our production app:

<?php

// Generate a list of entity declarations from the HTML_ENTITIES set that PHP knows about to dump into the document
function htmlentities_entities() {
       
$output = "<!DOCTYPE html [\n";
        foreach (
get_html_translation_table_CP1252(HTML_ENTITIES) as $value) {
               
$name = substr($value, 1, strlen($value) - 2);
                switch (
$name) {
                       
// These ones we can skip because they're built into XML
                       
case 'gt':
                        case
'lt':
                        case
'quot':
                        case
'apos':
                        case
'amp': break;
                        default:
$output .= "<!ENTITY {$name} \"&{$name};\">\n";
                }
        }
       
$output .= "]>\n";
        return(
$output);
}

// ref: http://php.net/manual/en/function.get-html-translation-table.php#76564
function get_html_translation_table_CP1252($type) {
       
$trans = get_html_translation_table($type);
       
$trans[chr(130)] = '&sbquo;';    // Single Low-9 Quotation Mark
       
$trans[chr(131)] = '&fnof;';    // Latin Small Letter F With Hook
       
$trans[chr(132)] = '&bdquo;';    // Double Low-9 Quotation Mark
       
$trans[chr(133)] = '&hellip;';    // Horizontal Ellipsis
       
$trans[chr(134)] = '&dagger;';    // Dagger
       
$trans[chr(135)] = '&Dagger;';    // Double Dagger
       
$trans[chr(136)] = '&circ;';    // Modifier Letter Circumflex Accent
       
$trans[chr(137)] = '&permil;';    // Per Mille Sign
       
$trans[chr(138)] = '&Scaron;';    // Latin Capital Letter S With Caron
       
$trans[chr(139)] = '&lsaquo;';    // Single Left-Pointing Angle Quotation Mark
       
$trans[chr(140)] = '&OElig;';    // Latin Capital Ligature OE
       
$trans[chr(145)] = '&lsquo;';    // Left Single Quotation Mark
       
$trans[chr(146)] = '&rsquo;';    // Right Single Quotation Mark
       
$trans[chr(147)] = '&ldquo;';    // Left Double Quotation Mark
       
$trans[chr(148)] = '&rdquo;';    // Right Double Quotation Mark
       
$trans[chr(149)] = '&bull;';    // Bullet
       
$trans[chr(150)] = '&ndash;';    // En Dash
       
$trans[chr(151)] = '&mdash;';    // Em Dash
       
$trans[chr(152)] = '&tilde;';    // Small Tilde
       
$trans[chr(153)] = '&trade;';    // Trade Mark Sign
       
$trans[chr(154)] = '&scaron;';    // Latin Small Letter S With Caron
       
$trans[chr(155)] = '&rsaquo;';    // Single Right-Pointing Angle Quotation Mark
       
$trans[chr(156)] = '&oelig;';    // Latin Small Ligature OE
       
$trans[chr(159)] = '&Yuml;';    // Latin Capital Letter Y With Diaeresis
       
$trans['euro'] = '&euro;';    // euro currency symbol
       
ksort($trans);
        return
$trans;
}

?>

[EDIT BY danbrown AT php DOT net: The user's original note contained the following text:

"So here's something fun: if you create an XML document in PHP and use htmlentities() to encode text data, then later want to read and parse the same document with PHP's xml_parse(), unless you include entity declarations into the generated document, the parser will stop on the unknown entities.

To account for this, I created a small function to take the translation table and turn it into XML <!ENTITY> definitions. I insert this output into the XML document immediately after the <?xml?> line and the parse errors magically vanish"
]

mat at matinfo dot ch (21-Apr-2008 07:34)

Hi,

below a method to convert UTF-8 Latin-1 characters to HTML-Entity,
I'm created this to translate string with HTML element on it and i just wont to convert entities.

<?php
function convertLatin1ToHtml($str) {
   
$html_entities = array (
       
"&" =>  "&amp;",     #ampersand  
       
"á" =>  "&aacute;",     #latin small letter a
       
"?" =>  "&Acirc;",     #latin capital letter A
       
"?" =>  "&acirc;",     #latin small letter a
       
"?" =>  "&AElig;",     #latin capital letter AE
       
"?" =>  "&aelig;",     #latin small letter ae
       
"?" =>  "&Agrave;",     #latin capital letter A
       
"à" =>  "&agrave;",     #latin small letter a
       
"?" =>  "&Aring;",     #latin capital letter A
       
"?" =>  "&aring;",     #latin small letter a
       
"?" =>  "&Atilde;",     #latin capital letter A
       
"?" =>  "&atilde;",     #latin small letter a
       
"?" =>  "&Auml;",     #latin capital letter A
       
"?" =>  "&auml;",     #latin small letter a
       
"?" =>  "&Ccedil;",     #latin capital letter C
       
"?" =>  "&ccedil;",     #latin small letter c
       
"?" =>  "&Eacute;",     #latin capital letter E
       
"é" =>  "&eacute;",     #latin small letter e
       
"?" =>  "&Ecirc;",     #latin capital letter E
       
"ê" =>  "&ecirc;",     #latin small letter e
       
"?" =>  "&Egrave;",     #latin capital letter E
/*... sorry cutting because limitation of php.net ...
... but the principle is it ;) ... */
       
"?" =>  "&ucirc;",     #latin small letter u
       
"?" =>  "&Ugrave;",     #latin capital letter U
       
"ù" =>  "&ugrave;",     #latin small letter u
       
"?" =>  "&Uuml;",     #latin capital letter U
       
"ü" =>  "&uuml;",     #latin small letter u
       
"?" =>  "&Yacute;",     #latin capital letter Y
       
"?" =>  "&yacute;",     #latin small letter y
       
"?" =>  "&yuml;",     #latin small letter y
       
"?" =>  "&Yuml;",     #latin capital letter Y
   
);

    foreach (
$html_entities as $key => $value) {
       
$str = str_replace($key, $value, $str);
    }
    return
$str;
}
?>

za at byza dot it (15-Apr-2008 05:15)

Trouble when using files with different charset?

htmlentities and html_entity_decode can be used to translate between charset!

Sample function:

<?php
function utf2latin($text) {
  
$text=htmlentities($text,ENT_COMPAT,'UTF-8');
   return
html_entity_decode($text,ENT_COMPAT,'ISO-8859-1');
}
?>

TKVLPUAIBSDB at spammotel dot com (14-Nov-2007 12:11)

Yet another "help paste from MS Word" function. Characters from ISO-8859-1 charset are left in peace, while entities are built for non-standard characters from Windows CP1252.

<?php
function win1252toIso( $string ) {
   
// These chars seem to be not contained
    // in php's CP1252 translation table
   
static $extensions = array(
       
142 => "&Zcaron;",
       
158 => "&zcaron;"
   
);
   
// Go through string and decide char by char:
    // "leave as is or build entity?"
   
$newStr = "";
    for(
$i=0; $i < strlen( $string ); $i++ ) {
       
$ord = ord( $string[$i] );
        if (
in_array( $ord, array_keys( $extensions ) ) ) {
           
// build entity using extra translation table
           
$newStr .= $extensions[$ord];
        }
        else {
           
// build entity using php's translation table
            // or leave as is
           
$newStr .= ( $ord > 127 && $ord < 160 ) ?
               
htmlentities( $string[$i], ENT_NOQUOTES, "CP1252" )
                :
$string[$i];
        }
    }
    return
$newStr;
}
?>

marktpitman at gmail dot com (15-Oct-2007 03:21)

I just thought I would add that if you're using the default charset, htmlentities will not correctly return the trademark ( ? ) sign.

Instead it will return something like this: ???

If you need the trademark symbol, use:

<?php htmlentities( $html, ENT_QUOTES, "UTF-8" ); ?>

D. Gasser (24-Apr-2007 06:40)

When using UTF-8 as charset, you'll have to set UTF-8 in braces, otherwise the varaible is not recognized.

q (dot) rendeiro (at) gmail (dot) com (07-Mar-2007 12:41)

I've seen lots of functions to convert all the entities, but I needed to do a fulltext search in a db field that had named entities instead of numeric entities (edited by tinymce), so I searched the tinymce source and found a string with the value->entity mapping. So, i wrote the following function to encode the user's query with named entities.

The string I used is different of the original, because i didn't want to convert ' or ". The string is too long, so I had to cut it. To get the original check TinyMCE source and search for nbsp or other entity ;)

<?php

$entities_unmatched
= explode(',', '160,nbsp,161,iexcl,162,cent, [...] ');
$even = 1;
foreach(
$entities_unmatched as $c) {
    if(
$even) {
       
$ord = $c;
    } else {
       
$entities_table[$ord] = $c;
    }
   
$even = 1 - $even;
}

function
encode_named_entities($str) {
    global
$entities_table;
   
   
$encoded_str = '';
    for(
$i = 0; $i < strlen($str); $i++) {
       
$ent = @$entities_table[ord($str{$i})];
        if(
$ent) {
           
$encoded_str .= "&$ent;";
        } else {
           
$encoded_str .= $str{$i};
        }
    }
    return
$encoded_str;
}

?>

realcj at g mail dt com (06-Nov-2006 06:41)

If you are building a loadvars page for Flash and have problems with special chars such as " & ", " ' " etc, you should escape them for flash:

Try trace(escape("&")); in flash' actionscript to see the escape code for &;

% = %25
& = %26
' = %27

<?php
function flashentities($string){
return
str_replace(array("&","'"),array("%26","%27"),$string);
}
?>

Those are the two that concerned me. YMMV.

eric.wallet at yahoo.fr (26-Sep-2006 12:57)

First method convert characters to decimal values.
Second will reverse the problem !!!

<?php
function htmlnumericentities($str){
  return
preg_replace('/[^!-%\x27-;=?-~ ]/e', '"&#".ord("$0").chr(59)', $str);
}

function
numericentitieshtml($str){
  return
utf8_encode(preg_replace('/&#(\d+);/e', 'chr(str_replace(";","",str_replace("&#","","$0")))', $str));
}

echo (
htmlnumericentities ("Ceci est un test : & é $ à ? <"));
echo (
"<br/>\n");
echo (
numericentitieshtml (htmlnumericentities ("Ceci est un test : & é $ à ? <")));
?>

Output is :
Ceci est un test : &#38; &#233; $ &#224; &#231; &#60;<br/>
Ceci est un test : & é $ à ? <

daviscabral[arroba]gmail[ponto]com (28-Jul-2006 08:52)

unhtmlentities for all entities:

<?php

function unhtmlentities ($string) {
  
$trans_tbl1 = get_html_translation_table (HTML_ENTITIES);
   foreach (
$trans_tbl1 as $ascii => $htmlentitie ) {
       
$trans_tbl2[$ascii] = '&#'.ord($ascii).';';
   }
  
$trans_tbl1 = array_flip ($trans_tbl1);
  
$trans_tbl2 = array_flip ($trans_tbl2);
   return
strtr (strtr ($string, $trans_tbl1), $trans_tbl2);
}

?>

info at pirandot dot de (22-Jul-2006 03:14)

The data returned by a text input field is ready to be used in a data base query when enclosed in single quotes, e.g.
<?php
   mysql_query
("SELECT * FROM Article WHERE id = '$data'");
?>
But you will get problems when writing back this data into the input field's value,
<?php
  
echo "<input name='data' type='text' value='$data'>";
?>
because hmtl codes would be interpreted and escape sequences would cause strange output.

The following function may help:
<?php
function deescape ($s, $charset='UTF-8')
{
  
//  don't interpret html codes and don't convert quotes
  
$s  htmlentities ($s, ENT_NOQUOTES, $charset);

  
//  delete the inserted backslashes except those for protecting single quotes
  
$s  preg_replace ("/\\\\([^'])/e", '"&#" . ord("$1") . ";"', $s);

  
//  delete the backslashes inserted for protecting single quotes
  
$s  str_replace ("\\'", "&#" . ord ("'") . ";", $s);

   return 
$s;
}
?>
Try some input like:  a'b"c\d\'e\"f\\g&x#27;h  to test ...

anonymous (26-Apr-2006 08:38)

This function will encode anything that is non Standard ASCII (that is, that is above #127 in the ascii table)

<?php
// allhtmlentities : mainly based on "chars_encode()"  by Tim Burgan <timburgan@gmail.com> [http://www.php.net/htmlentities]
function allhtmlentities($string) {
    if (
strlen($string) == 0 )
        return
$string;
   
$result = '';
   
$string = htmlentities($string, HTML_ENTITIES);
   
$string = preg_split("//", $string, -1, PREG_SPLIT_NO_EMPTY);
   
$ord = 0;
    for (
$i = 0; $i < count($string); $i++ ) {
       
$ord = ord($string[$i]);
        if (
$ord > 127 ) {
           
$string[$i] = '&#' . $ord . ';';
        }
    }
    return
implode('',$string);
}
?>

edo at edwaa dot com (18-Nov-2005 04:48)

A version of the xml entities function below. This one replaces the "prime" character (′) with which I had difficulties.

<?php
// XML Entity Mandatory Escape Characters
function xmlentities($string) {
   return
str_replace ( array ( '&', '"', "'", '<', '>', '?' ), array ( '&amp;' , '&quot;', '&apos;' , '&lt;' , '&gt;', '&apos;' ), $string );
}
?>

info at bleed dot ws (15-Oct-2005 06:42)

here the centralized version of htmlentities() for multibyte.

<?php
function mb_htmlentities($string)
{
   
$string = htmlentities($string, ENT_COMPAT, mb_internal_encoding());
    return
$string;
}

?>

fanfatal at fanfatal dot pl (28-Aug-2005 10:28)

I wrote usefull function which is support iso-8859-2 encoding with htmlentities function ;]

<?php
/*
 *    Function htmlentities which support iso-8859-2
 *
 *    @param string
 *    @return string
 *    @author FanFataL
 */
function htmlentities_iso88592($string='') {
   
$pl_iso = array('&ecirc;', '&oacute;', '&plusmn;', '&para;', '&sup3;', '&iquest;', '&frac14;', '&aelig;', '&ntilde;', '&Ecirc;', '&Oacute;', '&iexcl;', '&brvbar;', '&pound;', '&not;', '&macr;', '&AElig;', '&Ntilde;');   
   
$entitles = get_html_translation_table(HTML_ENTITIES);
   
$entitles = array_diff($entitles, $pl_iso);
    return
strtr($string, $entitles);
}
?>

Greatings ;-)
...

send at mail dot 2aj dot net (14-Jul-2005 06:03)

If you are programming XML documents and are using the htmlentities function, then performing a  str_replace on ' into &apos; to set mandatory escape characters you can use this simple function instead.

This function, xmlentities, is basically the XML parsing equivalent of htmlentities, with fewer options than its HTML counterpart:

<?php
// XML Entity Mandatory Escape Characters
function xmlentities ( $string )
{
    return
str_replace ( array ( '&', '"', "'", '<', '>' ), array ( '&amp;' , '&quot;', '&apos;' , '&lt;' , '&gt;' ), $string );
}
?>

Example:

<?php
function xmlentities($string)
{
    return
str_replace ( array ( '&', '"', "'", '<', '>' ), array ( '&amp;' , '&quot;', '&apos;' , '&lt;' , '&gt;' ), $string );
}

echo
xmlentities("If you don't use these mandatory escape characters <tags> between </tags>, XML will \"eXtensively\" & \"implicitly\" give you errors.");
?>

Produces...
If you don&apos;t use these mandatory escape characters &lt;tags&gt; between &lt;/tags&gt;, XML will &quot;eXtensively&quot; &amp; &quot;implicitly&quot; give you errors.

marques at displague dot com (24-Jan-2005 06:01)

htmlEncodeText (below) needs a small tweak, the dash needs to be made literal to get picked up in cases like '<a href="blah-blah.php">'.  I have been using this function to parse my postgresql database calls since I have alot of unicode data and I don't want HTML data to be neutered (via htmlentities()).

<?php
function htmlEncodeText ($string)
{
 
$pattern = '<([a-zA-Z0-9\.\, "\'_\/\-\+~=;:\(\)?&#%![\]@]+)>';
 
preg_match_all ('/' . $pattern . '/', $string, $tagMatches, PREG_SET_ORDER);
 
$textMatches = preg_split ('/' . $pattern . '/', $string);

  foreach (
$textMatches as $key => $value) {
  
$textMatches [$key] = htmlentities ($value);
  }

  for (
$i = 0; $i < count ($textMatches); $i ++) {
  
$textMatches [$i] = $textMatches [$i] . $tagMatches [$i] [0];
  }

  return
implode ($textMatches);
}
?>

--Editor note: Combined some corrections to the regex pattern, thanks to fabian dot lange at web dot de, hammertscrew at veryweb dot com, webmaster AT scholesmafia DOT co DOT uk, thomas AT cosifan DOT de and marques at displague dot com---

Miguel (miguel at sigmanet dot com dot br) (20-Oct-2004 04:43)

This is a simple script that I'm using to encode and decode values from a form. Save it with the name that you wish.

<?php

/*  When you call anyone of the two functions, set the $_str
     variable to the string that you want to encode or decode */

/* This function encodes the string.
    You can safetly use this function to save its result in a
    database. It eliminates any space in the beginning ou end
    of the string, HTML and PHP tags, and encode any special
    char to the usual HTML entities (&[...];), eliminating the
    possibility of bugs in inserting data on a table */
function encodeText($_str) {
 
$_str = strip_tags($_str);
 
$_str = trim($_str);
 
$_str = htmlentities($_str);
 
$_str = str_replace("\r\n", "#BR#", $_str);
  return(
$_str);
}

/* This function decodes the string.
    If you are showing the string in the body of a page, you
    can set the $_form variable to "false", and the function will
    use the "BR" tag to the new lines. But, if you need to show
    the string in a textarea, text or other input types of a form
    set the $_form variable to "true", then the function will use
    the "\r\n" to the new lines */
function decodeText($_str, $_form) {
 
$trans_tbl = get_html_translation_table (HTML_ENTITIES);
 
$trans_tbl = array_flip ($trans_tbl);
 
$_str      = strtr($_str, $trans_tbl);
  if (
$_form) {
   
$_nl = "\r\n";
  } else {
   
$_nl = "<br>";
  }
 
$_str      = str_replace("#BR#", "$_nl", $_str);
  return(
$_str);
}

?>

m227 at poczta dot onet dot pl (26-May-2004 11:00)

<?php
// tested with PHP 4.3.4, Apache 1.29
// function works like original htmlentities
// but preserves Polish characters encoded in CP-1250
// (Windows code page) from false conversion

// m227@poczta.onet.pl, 2004

function htmlentities1250($str)
{
   
// four chars does not need any conversion
    // s` (9c), z` (9f), Z` (8f), S` (8c)
   
$trans = array(       
       
"&sup3;"  => "\xb3", //  "l-"
       
"&sup1;"  => "\xb9", //  "a,"
       
"&ecirc;" => "\xea", //  "e,"
       
"&aelig;" => "\xe6", //  "c`"
       
"&ntilde;"=> "\xf1", //  "n`"                                       
       
"&iquest;"=> "\xbf", //  "z."
       
"&yen;"   => "\xa5", //  "A,"
       
"&AElig;" => "\xc6", //  "C`"
       
"&macr;"  => "\xaf", //  "Z."
       
"&Ecirc;" => "\xca", //  "E,"
       
"&oacute;"=> "\xf3", //  "o`"
       
"&Oacute;"=> "\xd3", //  "O`"
       
"&pound;" => "\xa3", //  "L-"
       
"&Ntilde;"=> "\xd1"  //  "N`"
   
);
    return
strtr(htmlentities($str), $trans);
}
?>

mail at britlinks dot com (19-May-2004 05:27)

similar to cedric at shift-zone dot be's function, this 'cleans up' text from MS Word, and other non-alphanumeric characters to their valid [X]HTML counterparts

<?php
// strips slashes, and converts special characters to HTML equivalents for string defined in $var
function htmlfriendly($var,$nl2br = false){
   
$chars = array(
       
128 => '&#8364;',
       
130 => '&#8218;',
       
131 => '&#402;',
       
132 => '&#8222;',
       
133 => '&#8230;',
       
134 => '&#8224;',
       
135 => '&#8225;',
       
136 => '&#710;',
       
137 => '&#8240;',
       
138 => '&#352;',
       
139 => '&#8249;',
       
140 => '&#338;',
       
142 => '&#381;',
       
145 => '&#8216;',
       
146 => '&#8217;',
       
147 => '&#8220;',
       
148 => '&#8221;',
       
149 => '&#8226;',
       
150 => '&#8211;',
       
151 => '&#8212;',
       
152 => '&#732;',
       
153 => '&#8482;',
       
154 => '&#353;',
       
155 => '&#8250;',
       
156 => '&#339;',
       
158 => '&#382;',
       
159 => '&#376;');
   
$var = str_replace(array_map('chr', array_keys($chars)), $chars, htmlentities(stripslashes($var)));
    if(
$nl2br){
        return
nl2br($var);
    } else {
        return
$var;
    }
}
?>

cedric at shift-zone dot be (04-May-2004 02:02)

This is a conversion function for special chars.
Very usefull to convert a word document into valid html
(the html provided is successfully parsed by sablotron 0.97 using iso-8859-1 charset) :

<?php
function convertDoc2HTML($txt){
       
$len = strlen($txt);
       
$res = "";
        for(
$i = 0; $i < $len; ++$i) {
           
$ord = ord($txt{$i});
           
// check only non-standard chars         
           
if($ord >= 126){
               
$res .= "&#".$ord.";";
            }
            else {
               
// escape ", ' and \ chars
               
switch($ord){
                    case
34 :
                       
$res .= "\\\"";
                        break;
                    case
39 :
                       
$res .= "\'";
                        break;
                    case
92 :
                       
$res .= "\\\\";
                        break;                   
                    default :
// the rest does not have to be modified
                       
$res .= $txt{$i};
                }                   
            }
        }
        return
$res;
}
?>

jake_mcmahon at hotmail dot com (29-Apr-2004 10:29)

This fuction is particularly useful against XSS (cross-site-scripting-). XSS makes use of holes in code, whether it be in Javascript or PHP. XSS often, if not always, uses HTML entities to do its evil deeds, so this function in co-operation with your scripts (particularly search or submitting scripts) is a very useful tool in combatting "H4X0rz".

Guillaume Beaulieu (11-Apr-2004 10:10)

Here's a simple script to transform filename with accented character in it into much more usable unaccented character for a restrictive filesystem.

<?php
$string
= htmlentities($stringToModify);
/* Take the first letter of the entity (if you got filename with ([<>] in it the result will probably remain lookable*/
$string preg_replace("/\&(.)[^;]*;/", "\\1", $string);
/* Change the whitespace into _*/
$string = preg_replace("/[ ]/", "_", $string);
/* Dance ! */
print $string;
?>

Funky Ants (04-Apr-2004 07:55)

I had a problem working with partially html encoded data, with a selection of unescaped ampersands, hex coded, and characters in "&amp;", style.
Which ive finally overcome by decoding all of the data, adn then reincoding it all.

I found a combination of a couple of peoples work useful.

<?php
function get_htmlspecialchars( $given, $quote_style = ENT_QUOTES ){
    return
htmlentities( unhtmlentities$given ) , $quote_style  );
}

function
unhtmlentities( $string ){
   
$trans_tbl = get_html_translation_table ( HTML_ENTITIES );
   
$trans_tbl = array_flip( $trans_tbl );
   
$ret = strtr( $string, $trans_tbl );
    return
preg_replace( '/&#(\d+);/me' , "chr('\\1')" , $ret );
}
?>

wwb at 3dwargamer dot net (01-Apr-2004 12:49)

htmlentites is a very handy function, but it fails to fix one thing which I deal with alot: word 'smart' quotes and emdashes.

The below function replaces the funky double quotes with &quot;, funky single quotes with standard single quotes and fixes emdashes.

<?php
   
function CleanupSmartQuotes($text)
    {
       
$badwordchars=array(
                           
chr(145),
                           
chr(146),
                           
chr(147),
                           
chr(148),
                           
chr(151)
                            );
       
$fixedwordchars=array(
                           
"'",
                           
"'",
                           
'&quot;',
                           
'&quot;',
                           
'&mdash;'
                           
);
        return
str_replace($badwordchars,$fixedwordchars,$text);
    }
?>

Julien CROUZET (27-Nov-2003 08:01)

If you are looking for a htmlentities inverse :

<?php
$table       
= array_flip(get_html_translation_table(HTML_ENTITIES));
$plaintext    = strtr($html, $table);
?>

Here is a full example to extract plaintext from a SIMPLE html page (not table, etc...)

<?php
$file_content    
= file_get_contents($htmlfile);
$file_content     = strip_tags($file_content, '<br>');
$file_content     = preg_replace('/<br( )?(\/)?>/i', "\n", $file_content);
$file_content     = wordwrap($file_content);
$table            = array_flip(get_html_translation_table(HTML_ENTITIES));
$file_content     = strtr($file_content, $table);
?>

dmurphy at telegeography dot com (19-Sep-2003 07:14)

<?php
// htmlentities() does not support Mac Roman, so this is a workaround. It requires the below table.
// This function runs on a Mac OSX machine, where text is stored in the Mac Roman character set inside a Mac OSX MySQL table.
function custom_htmlentities ($string, $table) {
   
// Loop throught the array, replacing each ocurrance
   
for ($n = 0; $n < count($table); $n++) {
       
$table_line = each($table);
       
// use the chr function to get the one character string for each ascii decimal code
       
$find_char = chr($table_line[key]);
       
$replace_string = $table_line[value];
       
$string = str_replace($find_char, $replace_string, $string);   
    }
    return
$string;
}
?>

defrostdj at defrostdj dot com (25-Jul-2003 08:10)

Here you have a character map function ;)

<?php
function htmldecode($encoded, $char = 'HTML_SPECIALCHARS') {
    foreach(
$encoded as $key => $value){
        echo
$value .' --> ';
        if (
$char == 'HTML_SPECIALCHARS') {
            echo
htmlspecialchars($value);
        } else {
            echo
htmlentities($value);
        }
        echo
'&gtbr&lt';
    }
}
echo
'ENTITIES<&gtbr&lt><&gtbr&lt>';
$entities = get_html_translation_table (HTML_ENTITIES);
htmldecode($entities, 'HTML_ENTITIES');
echo
'<&gtbr&lt>SPECIAL CHARACTERS<&gtbr&lt><&gtbr&lt>';
$specialchars = get_html_translation_table (HTML_SPECIALCHARS);
htmldecode($specialchars, 'HTML_SPECIALCHARS');

?>

So next time you're developing you'll always have a charmap ready to use.

Anthony Aragues (24-Jun-2003 12:24)

I found in a previous not the function for encoding the input... which worked great, but it also encoded the &nbsp and <br> that was being automatically added in my POST, so I created and Output function to go with it that worked for me:

<?php
function VerbatimInput($String)
    {
   
$Output = mysql_escape_string(htmlentities(addslashes($String)));
    return
$Output;
    }

function
VerbatimOutput($Input)
    {
   
$Output = str_replace("&lt;br /&gt;", "<br>", "$Input");
       
$Output = str_replace("&amp;nbsp;", "&nbsp", "$Output");
    return
$Output;
    }
?>

rob at neorosa dot com (01-Mar-2003 04:12)

This function will encode everything, either using ascii values or special entities:

<?php
function encode_everything($string){
   
$encoded = "";
    for (
$n=0;$n<strlen($string);$n++){
       
$check = htmlentities($string[$n],ENT_QUOTES);
      
$string[$n] == $check ? $encoded .= "&#".ord($string[$n]).";" : $encoded .= $check;
    }
    return
$encoded;
}
?>

so you can use:

<?php $emailAddress = encode_everything($emailAddress); ?>

to protect an email address - although I imagine it's not a great deal of protection.

Bassie (: (06-Jan-2003 12:07)

Note that you'll have use htmlentities() before any other function who'll edit text like nl2br().

If you use nl2br() first, the htmlentities() function will change < br > to &lt;br&gt;.