PHP html_entity_decode() Function

Beginner
⏱️ 8 min read
📚 Updated: Jul 2026
🎯 5 Examples
String Functions

What You’ll Learn

The html_entity_decode() function converts HTML entities (like < and ©) back into their real characters. It reverses htmlentities() and is useful when processing stored or imported HTML-encoded text.

01

Entity Decode

&lt; → < characters.

02

ENT Flags

Quote & doc type.

03

UTF-8 Encoding

Always specify it.

04

htmlentities

Inverse encode pair.

05

vs htmlspecialchars

Full vs subset.

06

XSS Safety

Decode with care.

Definition and Usage

In PHP, html_entity_decode() reverses HTML entity encoding. Where htmlentities() turns characters into entities for safe storage or transport, this function restores the original characters—including named entities (&copy;), decimal numeric entities (&#169;), and hex numeric entities (&#xA9;) that are valid for the chosen document type and encoding.

💡
Beginner Tip

Use html_entity_decode() when you need the full htmlentities() decode path. For text encoded with htmlspecialchars() only, use htmlspecialchars_decode() instead. Always pass 'UTF-8' as the encoding.

📝 Syntax

The function accepts a string, optional flags, and encoding:

PHP
string html_entity_decode(
    string $string,
    int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
    ?string $encoding = null
)

Parameters

  • $string — the input string containing HTML entities to decode.
  • $flags — bitmask controlling quotes and document type. Common values: ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES, ENT_HTML401, ENT_HTML5, ENT_SUBSTITUTE.
  • $encoding — character encoding (strongly recommended: 'UTF-8'). If omitted, PHP uses default_charset.

Return Value

Returns the decoded string with entities converted back to characters.

⚡ Quick Reference

Basic decode
html_entity_decode($s, ENT_QUOTES, 'UTF-8')

Standard pattern

Roundtrip
html_entity_decode(htmlentities($s), ENT_QUOTES, 'UTF-8')

Restore original

HTML5 entities
..., ENT_QUOTES | ENT_HTML5, 'UTF-8')

HTML5 doc type

Safe output
htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8')

Re-escape for HTML

Examples Gallery

Run these examples in PHP 7+. Each demonstrates a common pattern beginners encounter with html_entity_decode().

📚 Getting Started

Decode tag entities back into angle brackets.

Example 1 — Decode HTML Tag Entities

Entity-encoded markup becomes readable characters again.

PHP
<?php
$htmlString = "This is an &lt;b&gt;example&lt;/b&gt; string.";
$decoded    = html_entity_decode($htmlString, ENT_QUOTES, 'UTF-8');

echo "Original: $htmlString\n";
echo "Decoded:  $decoded\n";
?>

How It Works

&lt; becomes < and &gt; becomes >. The decoded string contains literal angle brackets—do not echo it into HTML without re-escaping if the content is untrusted.

Example 2 — Roundtrip with htmlentities()

Encode with htmlentities(), decode with html_entity_decode(), and restore the original text.

PHP
<?php
$original = 'I\'ll "walk" the <b>dog</b> now';
$encoded  = htmlentities($original, ENT_QUOTES, 'UTF-8');
$decoded  = html_entity_decode($encoded, ENT_QUOTES, 'UTF-8');

echo "Encoded: $encoded\n";
echo "Decoded: $decoded\n";
echo "Match:   " . ($original === $decoded ? "yes\n" : "no\n");
?>

How It Works

Use matching flags and encoding on both functions. ENT_QUOTES ensures single and double quote entities are encoded and decoded consistently.

📈 Practical Patterns

Named symbols, quote entities, and safe rendering.

Example 3 — Decode Named Entities

html_entity_decode() handles symbols beyond basic HTML tags.

PHP
<?php
$stored = "Tom &amp; Jerry &copy; 2026 &mdash; Fun!";
$plain  = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');

echo $plain . "\n";
?>

How It Works

&amp;, &copy;, and &mdash; become &, ©, and an em dash. This is why html_entity_decode() decodes a wider entity set than htmlspecialchars_decode().

Example 4 — ENT_QUOTES for Apostrophe Entities

Use ENT_QUOTES when the encoded string contains single-quote entities.

PHP
<?php
$encoded = "Donna&#039;s Bakery";

$compat = html_entity_decode($encoded, ENT_COMPAT, 'UTF-8');
$quotes = html_entity_decode($encoded, ENT_QUOTES, 'UTF-8');

echo "ENT_COMPAT: $compat\n";
echo "ENT_QUOTES: $quotes\n";
?>

How It Works

ENT_COMPAT leaves single-quote entities untouched. ENT_QUOTES decodes them—match the flag to how the text was originally encoded.

Example 5 — Decode for Processing, Escape for Display

Safe pattern: decode to work with plain text internally, then re-escape before HTML output.

PHP
<?php
$userInput = "&lt;em&gt;Hello&lt;/em&gt; &amp; welcome";

// Process as plain text (e.g. strip tags, search, store)
$plain = html_entity_decode($userInput, ENT_QUOTES, 'UTF-8');
$clean = strip_tags($plain);

// Safe for HTML output
$safeHtml = htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');

echo "Plain: $plain\n";
echo "Clean: $clean\n";
echo "Safe:  $safeHtml\n";
?>

How It Works

Decoding alone is not enough for web safety. After processing, always use htmlspecialchars() (or allow a vetted HTML sanitizer) before rendering user content in a page.

🚀 Common Use Cases

  • CMS / imported content — decode entity-encoded HTML from databases or feeds before processing.
  • Search and indexing — convert entities to plain characters for matching and sorting.
  • Email templates — restore readable text from HTML-encoded message bodies.
  • Debugging — inspect what htmlentities() produced by reversing it.
  • Data migration — normalize legacy entity-encoded strings to UTF-8 plain text.

🧠 How html_entity_decode() Works

1

You pass an encoded string

Input contains HTML entities—named, decimal, or hex—plus flags and encoding.

Input
2

PHP maps entities to characters

Valid entities for the document type and encoding are converted; others may remain unchanged.

Transform
3

Decoded string returned

Output contains literal characters (<, &, ©, quotes, etc.) ready for further processing.

Output
=

Plain character string

Re-escape with htmlspecialchars() before HTML display when needed.

📝 Notes

  • Default flags changed in PHP 8.1 to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.
  • Always pass 'UTF-8' as encoding—do not rely on default_charset alone.
  • Inverse of htmlentities(), not htmlspecialchars() (use htmlspecialchars_decode() for that).
  • Decoding untrusted HTML can reintroduce tags and enable XSS if echoed raw.
  • &nbsp; decodes to U+00A0 (non-breaking space), not a regular space—trim() will not remove it.

Conclusion

The html_entity_decode() function restores characters from HTML entity encoding. It pairs with htmlentities(), respects ENT flags and encoding, and is essential when processing stored entity-encoded content.

Decode for internal processing, match flags to your encoding step, specify UTF-8, and re-escape with htmlspecialchars() before displaying user content in HTML.

💡 Best Practices

✅ Do

  • Pass ENT_QUOTES and 'UTF-8' explicitly
  • Match decode flags to the original encode function and flags
  • Re-escape with htmlspecialchars() before HTML output
  • Use htmlspecialchars_decode() when only special chars were encoded
  • Test with &nbsp; and numeric entities in your data

❌ Don’t

  • Echo decoded user input directly into HTML pages
  • Assume default flags match your encoded data across PHP versions
  • Confuse html_entity_decode() with urldecode()
  • Decode repeatedly in a loop without caching when unnecessary
  • Expect trim() to remove decoded non-breaking spaces

Key Takeaways

Knowledge Unlocked

Five things to remember about html_entity_decode()

Use these points whenever you decode HTML entities in PHP.

5
Core concepts
🛠 02

ENT + UTF-8

Flags and encoding.

Syntax
🔄 03

htmlentities Pair

Encode / decode.

Related
🛡 04

XSS Awareness

Re-escape output.

Security
📋 05

Full Entity Set

Not just &, <, >.

Scope

❓ Frequently Asked Questions

html_entity_decode() converts HTML entities in a string back to their corresponding characters. For example, &amp;lt; becomes < and &amp;copy; becomes ©. It is the reverse of htmlentities().
string html_entity_decode(string $string, int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, ?string $encoding = null). Pass the entity-encoded string, optional ENT_* flags, and an encoding (UTF-8 recommended).
html_entity_decode() reverses htmlentities() and decodes all applicable entities (including many named symbols). htmlspecialchars_decode() only reverses htmlspecialchars()—a smaller set of special characters (&, <, >, quotes).
Match the flags used when encoding. ENT_QUOTES decodes both single and double quote entities. ENT_HTML401 (default document type) or ENT_HTML5 for HTML5 entities. Always pass UTF-8 as the encoding argument for modern apps.
Only if you re-escape before output or use the decoded text in a non-HTML context. Decoding entities like &lt;script&gt; back to <script> and echoing raw HTML enables XSS. Decode for processing; use htmlspecialchars() when rendering to the page.
The default $flags value changed from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. Explicitly pass flags and UTF-8 encoding so behavior stays predictable across PHP versions.

Explore More PHP String Functions

Continue with htmlentities(), htmlspecialchars(), and the rest of the string function reference.

Next: htmlentities() →

About the author

Mari Selvan M P
Mari Selvan M P 🔗

Developer, cloud engineer, and technical writer

  • Experience 12 years building web and cloud systems
  • Focus Full Stack Development, AWS, and Developer Education

I write practical tutorials so students and working developers can learn by doing—from databases and APIs to deployment on AWS.

6 people found this page helpful