PHP htmlentities() Function

Beginner
⏱️ 8 min read
📚 Updated: Jul 2026
🎯 5 Examples
String Functions

What You’ll Learn

The htmlentities() function converts characters into HTML entities—not just & and <, but also symbols like © and many accented letters. It is the encoding counterpart of html_entity_decode().

01

Full Encode

All entity chars.

02

ENT Flags

Quote & doc type.

03

UTF-8

Always specify it.

04

vs htmlspecialchars

Full vs subset.

05

double_encode

Skip re-encoding.

06

XSS Safety

Escape on output.

Definition and Usage

In PHP, htmlentities() translates every character that has an HTML entity equivalent into that entity string. Unlike htmlspecialchars(), which focuses on a small set of dangerous characters, htmlentities() can encode copyright signs, currency symbols, and accented letters depending on the chosen document type and encoding flags.

💡
Beginner Tip

For most web page output, htmlspecialchars($text, ENT_QUOTES, 'UTF-8') is enough to prevent XSS. Reach for htmlentities() when you genuinely need the full entity map—for example, encoding © and é as entities in stored HTML-safe text.

📝 Syntax

The function accepts a string, flags, encoding, and a double-encode option:

PHP
string htmlentities(
    string $string,
    int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
    ?string $encoding = null,
    bool $double_encode = true
)

Parameters

  • $string — the input text to encode.
  • $flags — bitmask for quotes and document type: ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES, ENT_HTML401, ENT_HTML5, ENT_SUBSTITUTE, etc.
  • $encoding — character encoding (strongly recommended: 'UTF-8').
  • $double_encode — when true (default), existing entities like &copy; are encoded again; when false, they are left as-is.

Return Value

Returns the entity-encoded string, or an empty string if the input contains invalid sequences for the encoding (unless ENT_IGNORE or ENT_SUBSTITUTE is set).

⚡ Quick Reference

Standard encode
htmlentities($s, ENT_QUOTES, 'UTF-8')

Full entity map

Decode pair
html_entity_decode($s, ENT_QUOTES, 'UTF-8')

Reverse encoding

No double encode
..., 'UTF-8', false)

Keep &copy; as-is

Typical output
htmlspecialchars($s, ENT_QUOTES, 'UTF-8')

Usually enough

Examples Gallery

Run these examples in PHP 7+. Each demonstrates a common pattern beginners encounter with htmlentities().

📚 Getting Started

Encode angle brackets so HTML tags display as plain text.

Example 1 — Encode HTML Tags

Prevent <strong> from being interpreted as real HTML when echoed.

PHP
<?php
$text    = "Hello, <strong>PHP</strong>!";
$encoded = htmlentities($text, ENT_QUOTES, 'UTF-8');

echo "Original: $text\n";
echo "Encoded:  $encoded\n";
?>

How It Works

< becomes &lt; and > becomes &gt;. Browsers render the encoded string as visible text instead of bold formatting.

Example 2 — htmlentities() vs htmlspecialchars()

See how the full encoder handles symbols that the subset encoder leaves unchanged.

PHP
<?php
$text = "Tom & Jerry © 2026 — €5";

$special = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
$full    = htmlentities($text, ENT_QUOTES, 'UTF-8');

echo "htmlspecialchars: $special\n";
echo "htmlentities:     $full\n";
?>

How It Works

Both encode &. Only htmlentities() converts ©, em dashes, and € into named entities. For XSS prevention alone, the smaller output from htmlspecialchars() is usually sufficient.

📈 Practical Patterns

Quote encoding, double_encode, and roundtrip decoding.

Example 3 — ENT_QUOTES Encodes Apostrophes

Use ENT_QUOTES when text may appear inside HTML attributes delimited by single quotes.

PHP
<?php
$name = "O'Brien & Co";

$compat = htmlentities($name, ENT_COMPAT, 'UTF-8');
$quotes = htmlentities($name, ENT_QUOTES, 'UTF-8');

echo "ENT_COMPAT: $compat\n";
echo "ENT_QUOTES: $quotes\n";
?>

How It Works

ENT_COMPAT encodes double quotes and & but leaves apostrophes alone. ENT_QUOTES also encodes ', which prevents attribute-breakout when using single-quoted HTML attributes.

Example 4 — double_encode = false

Skip re-encoding when the input already contains HTML entities.

PHP
<?php
$partial = "Already has &copy; symbol";

$again = htmlentities($partial, ENT_QUOTES, 'UTF-8', true);
$once  = htmlentities($partial, ENT_QUOTES, 'UTF-8', false);

echo "double_encode true:  $again\n";
echo "double_encode false: $once\n";
?>

How It Works

With default true, the & in &copy; becomes &amp;, producing &amp;copy;. Setting false preserves existing entities while still encoding unencoded characters elsewhere in the string.

Example 5 — Roundtrip with html_entity_decode()

Encode for storage or transport, decode when you need the original characters back.

PHP
<?php
$original = 'Café & "Tea" <shop>';
$encoded  = htmlentities($original, ENT_QUOTES, 'UTF-8');
$decoded  = html_entity_decode($encoded, ENT_QUOTES, 'UTF-8');

echo "Encoded: $encoded\n";
echo "Decoded: $decoded\n";
echo "Match:   " . ($original === $decoded ? "yes\n" : "no\n");
?>

How It Works

Use matching flags and UTF-8 on both functions. htmlentities() encodes; html_entity_decode() restores the original text for processing or display in non-HTML contexts.

🚀 Common Use Cases

  • Full HTML-safe storage — encode symbols and accented letters as entities in databases or logs.
  • Legacy HTML 4 output — produce named entities for environments expecting entity-encoded text.
  • CMS export — normalize special characters to entities for portable HTML snippets.
  • Debugging entity maps — compare with get_html_translation_table(HTML_ENTITIES).
  • Pair with html_entity_decode() — reversible encode/decode pipelines.

🧠 How htmlentities() Works

1

You pass plain text

Input may contain HTML, quotes, symbols, and UTF-8 characters plus ENT flags and encoding.

Input
2

PHP looks up entity map

Each applicable character is replaced using the translation table from get_html_translation_table(HTML_ENTITIES, ...).

Transform
3

Entities are substituted

<&lt;, © → &copy;, quotes encoded per flags, and so on.

Encode
=

Entity-encoded string

Safe to embed in HTML as text, or store as encoded content.

📝 Notes

  • Default flags changed in PHP 8.1 to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.
  • Always pass 'UTF-8' as encoding for modern applications.
  • htmlspecialchars() is usually preferred for output escaping; it encodes fewer characters but covers XSS essentials.
  • Encoding is not a substitute for input validation or Content Security Policy.
  • Invalid byte sequences return an empty string unless ENT_SUBSTITUTE or ENT_IGNORE is set.

Conclusion

The htmlentities() function converts characters to HTML entities across the full applicable set—not just the core special characters. Use it when you need comprehensive entity encoding; use htmlspecialchars() for typical output escaping.

Pass ENT_QUOTES and 'UTF-8', understand double_encode, and pair with html_entity_decode() when you need to reverse the process.

💡 Best Practices

✅ Do

  • Use ENT_QUOTES and 'UTF-8' explicitly
  • Prefer htmlspecialchars() for standard HTML output escaping
  • Match decode flags when using html_entity_decode()
  • Set double_encode to false for partially encoded input
  • Encode on output, not only on input (defense in depth)

❌ Don’t

  • Assume htmlentities alone prevents all XSS vectors
  • Double-encode already safe content without reason
  • Rely on default charset instead of passing UTF-8
  • Use htmlentities when htmlspecialchars is sufficient
  • Store decoded HTML from users without sanitization

Key Takeaways

Knowledge Unlocked

Five things to remember about htmlentities()

Use these points whenever you encode HTML entities in PHP.

5
Core concepts
🛠 02

ENT + UTF-8

Flags and encoding.

Syntax
📈 03

vs htmlspecialchars

Full vs subset.

Compare
🔄 04

double_encode

Control re-encoding.

Option
📝 05

Decode Pair

html_entity_decode().

Related

❓ Frequently Asked Questions

htmlentities() converts all characters that have HTML entity equivalents into those entities. It encodes special characters like &, <, and > plus many symbols and accented letters (such as © and é) so they display safely as text in HTML.
string htmlentities(string $string, int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, ?string $encoding = null, bool $double_encode = true). Pass the input string, ENT_* flags, UTF-8 encoding, and whether to encode existing entities again.
htmlspecialchars() encodes only the core special characters (&, <, >, quotes). htmlentities() encodes every character that has an HTML entity equivalent—including ©, €, and many accented letters. For typical page output escaping, htmlspecialchars() is usually enough.
Use htmlentities() when you need full entity encoding of symbols and accented characters—for example, storing or transporting text where every applicable character must become an entity. For standard XSS prevention in HTML output, htmlspecialchars() is the common choice.
When true (default), existing entities like &copy; are encoded again to &amp;copy;. When false, already-encoded entities are left unchanged—useful when input may contain partial entity encoding.
Use html_entity_decode() with matching flags and UTF-8 encoding: html_entity_decode($encoded, ENT_QUOTES, 'UTF-8'). Match the same ENT flags used during encoding.

Explore More PHP String Functions

Continue with htmlspecialchars_decode(), htmlspecialchars(), and the rest of the string function reference.

Next: htmlspecialchars_decode() →

About the author

Mari Selvan M P
Mari Selvan M P 🔗

Developer, cloud engineer, and technical writer

  • Experience 12 years building web and cloud systems
  • Focus Full Stack Development, AWS, and Developer Education

I write practical tutorials so students and working developers can learn by doing—from databases and APIs to deployment on AWS.

6 people found this page helpful