PHP htmlspecialchars_decode() Function

Beginner
⏱️ 7 min read
📚 Updated: Jul 2026
🎯 5 Examples
String Functions

What You’ll Learn

The htmlspecialchars_decode() function reverses htmlspecialchars(), turning entities like &lt; and &amp; back into < and &. It decodes only the special character subset—not every HTML entity.

01

Special Decode

&, <, >, quotes.

02

ENT Flags

Match encode step.

03

htmlspecialchars

Inverse encode pair.

04

vs html_entity

Subset vs full set.

05

Two Parameters

No encoding arg.

06

XSS Safety

Decode with care.

Definition and Usage

In PHP, htmlspecialchars_decode() is the decoding counterpart of htmlspecialchars(). It converts these entities back to characters: &amp;, &lt;, &gt;, and quote entities (depending on flags). Named symbols like &copy; are not decoded—use html_entity_decode() for those.

💡
Beginner Tip

If your text was encoded with htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), decode with htmlspecialchars_decode($text, ENT_QUOTES) using the same ENT flags. Do not use html_entity_decode() unless the text was encoded with htmlentities().

📝 Syntax

The function accepts a string and optional flags (no encoding parameter):

PHP
string htmlspecialchars_decode(
    string $string,
    int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401
)

Parameters

  • $string — the input string containing special HTML entities to decode.
  • $flags — bitmask controlling quote decoding and document type: ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES, ENT_HTML401, ENT_HTML5, etc.

Return Value

Returns the decoded string with special entities converted back to characters.

⚡ Quick Reference

Basic decode
htmlspecialchars_decode($s, ENT_QUOTES)

Standard pattern

Roundtrip
htmlspecialchars_decode(htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), ENT_QUOTES)

Restore original

Full entities
html_entity_decode($s, ENT_QUOTES, 'UTF-8')

For htmlentities()

Safe output
htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8')

Re-escape for HTML

Examples Gallery

Run these examples in PHP 5.1+. Each demonstrates a common pattern beginners encounter with htmlspecialchars_decode().

📚 Getting Started

Decode tag entities back into angle brackets.

Example 1 — Decode Encoded HTML Tags

Start with an entity-encoded string (as produced by htmlspecialchars()).

PHP
<?php
$htmlString = "&lt;p&gt;This is a &lt;b&gt;bold&lt;/b&gt; paragraph.&lt;/p&gt;";
$decoded    = htmlspecialchars_decode($htmlString, ENT_QUOTES);

echo "Encoded: $htmlString\n";
echo "Decoded: $decoded\n";
?>

How It Works

&lt; becomes < and &gt; becomes >. The decoded string contains real HTML markup—treat it carefully if the source is untrusted.

Example 2 — Roundtrip with htmlspecialchars()

Encode with htmlspecialchars(), decode with matching flags, and restore the original.

PHP
<?php
$original = 'Say "Hello" & <welcome>';
$encoded  = htmlspecialchars($original, ENT_QUOTES, 'UTF-8');
$decoded  = htmlspecialchars_decode($encoded, ENT_QUOTES);

echo "Encoded: $encoded\n";
echo "Decoded: $decoded\n";
echo "Match:   " . ($original === $decoded ? "yes\n" : "no\n");
?>

How It Works

Encoding uses three parameters (including UTF-8); decoding uses two. Match the ENT flags on both sides for a perfect roundtrip.

📈 Practical Patterns

Compare decoders, control quote flags, and render safely.

Example 3 — htmlspecialchars_decode() vs html_entity_decode()

Only the full decoder converts symbol entities like &copy;.

PHP
<?php
$encoded = "Tom &amp; Jerry &copy; 2026";

$special = htmlspecialchars_decode($encoded, ENT_QUOTES);
$full    = html_entity_decode($encoded, ENT_QUOTES, 'UTF-8');

echo "htmlspecialchars_decode: $special\n";
echo "html_entity_decode:      $full\n";
?>

How It Works

Both decode &amp; to &. Only html_entity_decode() converts &copy; to ©. Pick the decoder that matches how the text was encoded.

Example 4 — ENT_QUOTES vs ENT_NOQUOTES

Control whether quote entities are decoded (from the PHP manual pattern).

PHP
<?php
$str = "&lt;p&gt;this -&gt; &quot;hi&quot;&lt;/p&gt;";

echo htmlspecialchars_decode($str, ENT_QUOTES) . "\n";
echo htmlspecialchars_decode($str, ENT_NOQUOTES) . "\n";
?>

How It Works

ENT_QUOTES decodes &quot; to a literal double quote. ENT_NOQUOTES leaves quote entities unchanged while still decoding < and >.

Example 5 — Decode for Processing, Escape for Display

Safe workflow when handling stored escaped user content.

PHP
<?php
$stored = "&lt;em&gt;Hello&lt;/em&gt; &amp; welcome";

// Process as plain text (search, trim, etc.)
$plain = htmlspecialchars_decode($stored, ENT_QUOTES);
$clean = strip_tags($plain);

// Safe for HTML output
$safeHtml = htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');

echo "Plain: $plain\n";
echo "Clean: $clean\n";
echo "Safe:  $safeHtml\n";
?>

How It Works

Decoding exposes raw characters for processing. Before echoing into a web page, run the result through htmlspecialchars() again (or use a trusted HTML sanitizer if markup is allowed).

🚀 Common Use Cases

  • Reverse htmlspecialchars storage — decode text that was escaped before saving to a database.
  • Form editing — show escaped values as readable text in admin or edit screens (then re-escape on save/display).
  • Search indexing — convert escaped snippets to plain characters for matching.
  • Debugging — inspect what htmlspecialchars() produced by reversing it.
  • API responses — decode escaped fields when the consumer expects plain text, not HTML entities.

🧠 How htmlspecialchars_decode() Works

1

You pass an encoded string

Input contains special entities (&amp;, &lt;, &gt;, quotes) plus ENT flags.

Input
2

PHP maps entities to characters

Only the HTML_SPECIALCHARS subset is decoded—the same set htmlspecialchars() encodes.

Transform
3

Quote handling per flags

ENT_QUOTES decodes both quote types; ENT_NOQUOTES leaves them encoded.

Flags
=

Decoded string

Literal characters ready for processing—re-escape before HTML display.

📝 Notes

  • Inverse of htmlspecialchars(), not htmlentities() (use html_entity_decode() for that).
  • No $encoding parameter—only string and flags (unlike the encode function).
  • Default flags changed in PHP 8.1 to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.
  • Does not decode named symbol entities such as &copy; or &euro;.
  • Decoding untrusted input and echoing raw HTML can reintroduce XSS vulnerabilities.

Conclusion

The htmlspecialchars_decode() function reverses htmlspecialchars() encoding for the special character subset. Match ENT flags to your encode step, and choose html_entity_decode() only when the source was encoded with htmlentities().

Decode when you need plain characters for processing; re-escape with htmlspecialchars() before rendering user content in HTML.

💡 Best Practices

✅ Do

  • Match decode flags to the original htmlspecialchars() call
  • Use html_entity_decode() only for htmlentities() output
  • Re-escape with htmlspecialchars() before HTML display
  • Pass ENT_QUOTES explicitly for predictable behavior
  • Decode for text processing, not as a display shortcut

❌ Don’t

  • Echo decoded user input directly into HTML pages
  • Assume it decodes all HTML entities (©, €, etc.)
  • Confuse it with urldecode() for query strings
  • Double-decode strings already in plain text
  • Rely on default flags across different PHP versions without testing

Key Takeaways

Knowledge Unlocked

Five things to remember about htmlspecialchars_decode()

Use these points whenever you decode special HTML entities in PHP.

5
Core concepts
🛠 02

Two Parameters

String + ENT flags.

Syntax
🛡 03

htmlspecialchars

Encode / decode pair.

Related
📈 04

Not html_entity

Subset decoder only.

Compare
05

Re-escape Output

Prevent XSS.

Security

❓ Frequently Asked Questions

htmlspecialchars_decode() converts special HTML entities back to their characters. It reverses htmlspecialchars() and decodes only &, <, >, and quote entities—not the full symbol set that html_entity_decode() handles.
string htmlspecialchars_decode(string $string, int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401). Pass the encoded string and optional ENT_* flags. There is no encoding parameter—unlike htmlspecialchars() and html_entity_decode().
htmlspecialchars_decode() reverses htmlspecialchars() and decodes only the core special characters (&, <, >, quotes). html_entity_decode() reverses htmlentities() and also decodes named symbols like &copy; and &euro;.
Match the flags used during encoding. ENT_QUOTES decodes both single and double quote entities. ENT_COMPAT decodes double quotes only. ENT_NOQUOTES leaves quote entities unchanged.
Only if you re-escape before output or use the decoded text outside HTML. Decoding &lt;script&gt; back to a real tag and echoing it raw enables XSS. Decode for processing; use htmlspecialchars() when rendering to the page.
The default $flags value changed from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. Explicitly pass flags so behavior stays predictable across PHP versions.

Explore More PHP String Functions

Continue with htmlspecialchars(), implode(), and the rest of the string function reference.

Next: htmlspecialchars() →

About the author

Mari Selvan M P
Mari Selvan M P 🔗

Developer, cloud engineer, and technical writer

  • Experience 12 years building web and cloud systems
  • Focus Full Stack Development, AWS, and Developer Education

I write practical tutorials so students and working developers can learn by doing—from databases and APIs to deployment on AWS.

6 people found this page helpful