In PHP, htmlentities() translates every character that has an HTML entity equivalent into that entity string. Unlike htmlspecialchars(), which focuses on a small set of dangerous characters, htmlentities() can encode copyright signs, currency symbols, and accented letters depending on the chosen document type and encoding flags.
Returns the entity-encoded string, or an empty string if the input contains invalid sequences for the encoding (unless ENT_IGNORE or ENT_SUBSTITUTE is set).
ENT_COMPAT: O'Brien & Co
ENT_QUOTES: O'Brien & Co
How It Works
ENT_COMPAT encodes double quotes and & but leaves apostrophes alone. ENT_QUOTES also encodes ', which prevents attribute-breakout when using single-quoted HTML attributes.
Example 4 — double_encode = false
Skip re-encoding when the input already contains HTML entities.
Use matching flags and UTF-8 on both functions. htmlentities() encodes; html_entity_decode() restores the original text for processing or display in non-HTML contexts.
Applications
🚀 Common Use Cases
Full HTML-safe storage — encode symbols and accented letters as entities in databases or logs.
Legacy HTML 4 output — produce named entities for environments expecting entity-encoded text.
CMS export — normalize special characters to entities for portable HTML snippets.
Debugging entity maps — compare with get_html_translation_table(HTML_ENTITIES).
Pair with html_entity_decode() — reversible encode/decode pipelines.
🧠 How htmlentities() Works
1
You pass plain text
Input may contain HTML, quotes, symbols, and UTF-8 characters plus ENT flags and encoding.
Input
2
PHP looks up entity map
Each applicable character is replaced using the translation table from get_html_translation_table(HTML_ENTITIES, ...).
Safe to embed in HTML as text, or store as encoded content.
Important
📝 Notes
Default flags changed in PHP 8.1 to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.
Always pass 'UTF-8' as encoding for modern applications.
htmlspecialchars() is usually preferred for output escaping; it encodes fewer characters but covers XSS essentials.
Encoding is not a substitute for input validation or Content Security Policy.
Invalid byte sequences return an empty string unless ENT_SUBSTITUTE or ENT_IGNORE is set.
Wrap Up
Conclusion
The htmlentities() function converts characters to HTML entities across the full applicable set—not just the core special characters. Use it when you need comprehensive entity encoding; use htmlspecialchars() for typical output escaping.
Pass ENT_QUOTES and 'UTF-8', understand double_encode, and pair with html_entity_decode() when you need to reverse the process.
Use htmlentities() when you need full entity encoding of symbols and accented characters—for example, storing or transporting text where every applicable character must become an entity. For standard XSS prevention in HTML output, htmlspecialchars() is the common choice.
Use html_entity_decode() with matching flags and UTF-8 encoding: html_entity_decode($encoded, ENT_QUOTES, 'UTF-8'). Match the same ENT flags used during encoding.