For example, tags such as < and > are among the most widely used characters in HTML. Although they do not pose any threats on their own, when misused, they can break the entire web page.
Such HTML characters also stance a significant security flaw, especially in dynamic web applications. This can lead to the injection of malicious code such as JavaScript and form data.
The essence of this guide is to show you how you can use PHP to encode or “sanitize” HTML characters. Encoding such characters in dynamic websites will prevent Cross-Site Scripting and protect the web page from breaking.
What is Encoding?
Encoding refers to the process of converting reserved characters into HTML character entities. HTML character entities are expressed as &value; where the “value” represents an abbreviation or number for each character.
HTML offers a comprehensive collection of entities. However, we need only concern ourselves with four of them for encoding purposes:
- < – <
- > – >
- & – &
- = – "
Let us learn how we can use PHP to encode such characters.
PHP Encoding Functions
PHP has two main functions that you can use to encode HTML characters.
- Htmlspecialchars()
- Htmlentities()
The htmlspecialchars() functions encode the four main characters (above) while the htmentities() function will encode all the characters as possible.
Let us learn how to use the two functions.
PHP htmlspecialchars()
This function converts all special or reserved HTML characters to HTML entities. Although you can specify, the function will ignore single quotes by default.
The general syntax of the function is as shown:
The function accepts the string containing the HTML to be encoded. You can also specify flag values that allow you to tweak how the method operates.
PHP also allows you to specify the encoding method you wish to use for the HTML entities. The following image shows the supported charsets.
The following example shows how to use the htmlspecialchars() method.
The above example will encode the HTML characters specified in the variable $str.
The output is as shown:
If you want the function to process single and double quotes, you can use a flag as shown in the example below:
$str = "A single quote as 'and' will be ignored by default ";
echo htmlspecialchars($str, ENT_QUOTES);
?>
Once you run the above code, the function will process the single quotes and give an output as shown:
A single quote as 'and' will be ignored by default
PHP htmlentities()
We will look at the next encoding character is the PHP htmlentities(). This function converts all applicable HTML characters to HTML entities. It is a perfect choice when you need to process your HTML safely.
The general syntax of the function is as shown:
The function is very similar to htmlspecialchars() except it processes all characters it can by default.
The following example shows you how to use the htmlentities() function.
The above code should return all the tags converted to entities as:
Similar to the htmlspecialchars() function, it supports flags and encoding charset. Check the documentation to discover more.
Conclusion
In this guide, you learned how the basics of HTML character encoding. You also learned how to use PHP to convert HTML characters into HTML entities.
Thank you for reading and stay tuned for more.
