The htmlspecialchars_decode() function reverses htmlspecialchars(), turning entities like < and & back into < and &. It decodes only the special character subset—not every HTML entity.
If your text was encoded with htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), decode with htmlspecialchars_decode($text, ENT_QUOTES) using the same ENT flags. Do not use html_entity_decode() unless the text was encoded with htmlentities().
Foundation
📝 Syntax
The function accepts a string and optional flags (no encoding parameter):
Decoding exposes raw characters for processing. Before echoing into a web page, run the result through htmlspecialchars() again (or use a trusted HTML sanitizer if markup is allowed).
Applications
🚀 Common Use Cases
Reverse htmlspecialchars storage — decode text that was escaped before saving to a database.
Form editing — show escaped values as readable text in admin or edit screens (then re-escape on save/display).
Search indexing — convert escaped snippets to plain characters for matching.
Debugging — inspect what htmlspecialchars() produced by reversing it.
API responses — decode escaped fields when the consumer expects plain text, not HTML entities.
🧠 How htmlspecialchars_decode() Works
1
You pass an encoded string
Input contains special entities (&, <, >, quotes) plus ENT flags.
Input
2
PHP maps entities to characters
Only the HTML_SPECIALCHARS subset is decoded—the same set htmlspecialchars() encodes.
Transform
3
Quote handling per flags
ENT_QUOTES decodes both quote types; ENT_NOQUOTES leaves them encoded.
Flags
=
📝
Decoded string
Literal characters ready for processing—re-escape before HTML display.
Important
📝 Notes
Inverse of htmlspecialchars(), not htmlentities() (use html_entity_decode() for that).
No $encoding parameter—only string and flags (unlike the encode function).
Default flags changed in PHP 8.1 to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.
Decoding untrusted input and echoing raw HTML can reintroduce XSS vulnerabilities.
Wrap Up
Conclusion
The htmlspecialchars_decode() function reverses htmlspecialchars() encoding for the special character subset. Match ENT flags to your encode step, and choose html_entity_decode() only when the source was encoded with htmlentities().
Decode when you need plain characters for processing; re-escape with htmlspecialchars() before rendering user content in HTML.
Rely on default flags across different PHP versions without testing
Summary
Key Takeaways
Knowledge Unlocked
Five things to remember about htmlspecialchars_decode()
Use these points whenever you decode special HTML entities in PHP.
5
Core concepts
🔄01
Special Decode
&, <, >, quotes.
Purpose
🛠02
Two Parameters
String + ENT flags.
Syntax
🛡03
htmlspecialchars
Encode / decode pair.
Related
📈04
Not html_entity
Subset decoder only.
Compare
⚠05
Re-escape Output
Prevent XSS.
Security
❓ Frequently Asked Questions
htmlspecialchars_decode() converts special HTML entities back to their characters. It reverses htmlspecialchars() and decodes only &, <, >, and quote entities—not the full symbol set that html_entity_decode() handles.
string htmlspecialchars_decode(string $string, int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401). Pass the encoded string and optional ENT_* flags. There is no encoding parameter—unlike htmlspecialchars() and html_entity_decode().
Match the flags used during encoding. ENT_QUOTES decodes both single and double quote entities. ENT_COMPAT decodes double quotes only. ENT_NOQUOTES leaves quote entities unchanged.
Only if you re-escape before output or use the decoded text outside HTML. Decoding <script> back to a real tag and echoing it raw enables XSS. Decode for processing; use htmlspecialchars() when rendering to the page.
The default $flags value changed from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. Explicitly pass flags so behavior stays predictable across PHP versions.