Use html_entity_decode() when you need the full htmlentities() decode path. For text encoded with htmlspecialchars() only, use htmlspecialchars_decode() instead. Always pass 'UTF-8' as the encoding.
Foundation
📝 Syntax
The function accepts a string, optional flags, and encoding:
<?php
$htmlString = "This is an <b>example</b> string.";
$decoded = html_entity_decode($htmlString, ENT_QUOTES, 'UTF-8');
echo "Original: $htmlString\n";
echo "Decoded: $decoded\n";
?>
📤 Output:
Original: This is an <b>example</b> string.
Decoded: This is an <b>example</b> string.
How It Works
< becomes < and > becomes >. The decoded string contains literal angle brackets—do not echo it into HTML without re-escaping if the content is untrusted.
Example 2 — Roundtrip with htmlentities()
Encode with htmlentities(), decode with html_entity_decode(), and restore the original text.
Decoding alone is not enough for web safety. After processing, always use htmlspecialchars() (or allow a vetted HTML sanitizer) before rendering user content in a page.
Applications
🚀 Common Use Cases
CMS / imported content — decode entity-encoded HTML from databases or feeds before processing.
Search and indexing — convert entities to plain characters for matching and sorting.
Email templates — restore readable text from HTML-encoded message bodies.
Debugging — inspect what htmlentities() produced by reversing it.
Data migration — normalize legacy entity-encoded strings to UTF-8 plain text.
🧠 How html_entity_decode() Works
1
You pass an encoded string
Input contains HTML entities—named, decimal, or hex—plus flags and encoding.
Input
2
PHP maps entities to characters
Valid entities for the document type and encoding are converted; others may remain unchanged.
Re-escape with htmlspecialchars() before HTML display when needed.
Important
📝 Notes
Default flags changed in PHP 8.1 to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.
Always pass 'UTF-8' as encoding—do not rely on default_charset alone.
Inverse of htmlentities(), not htmlspecialchars() (use htmlspecialchars_decode() for that).
Decoding untrusted HTML can reintroduce tags and enable XSS if echoed raw.
decodes to U+00A0 (non-breaking space), not a regular space—trim() will not remove it.
Wrap Up
Conclusion
The html_entity_decode() function restores characters from HTML entity encoding. It pairs with htmlentities(), respects ENT flags and encoding, and is essential when processing stored entity-encoded content.
Decode for internal processing, match flags to your encoding step, specify UTF-8, and re-escape with htmlspecialchars() before displaying user content in HTML.
string html_entity_decode(string $string, int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, ?string $encoding = null). Pass the entity-encoded string, optional ENT_* flags, and an encoding (UTF-8 recommended).
html_entity_decode() reverses htmlentities() and decodes all applicable entities (including many named symbols). htmlspecialchars_decode() only reverses htmlspecialchars()—a smaller set of special characters (&, <, >, quotes).
Match the flags used when encoding. ENT_QUOTES decodes both single and double quote entities. ENT_HTML401 (default document type) or ENT_HTML5 for HTML5 entities. Always pass UTF-8 as the encoding argument for modern apps.
Only if you re-escape before output or use the decoded text in a non-HTML context. Decoding entities like <script> back to <script> and echoing raw HTML enables XSS. Decode for processing; use htmlspecialchars() when rendering to the page.
The default $flags value changed from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. Explicitly pass flags and UTF-8 encoding so behavior stays predictable across PHP versions.