PHP HTML decode special characters

(PHP 5 >= 5.1.0, PHP 7, PHP 8)

htmlspecialchars_decode - Convert special HTML entities back to characters

Description

htmlspecialchars_decode(string $string, int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401): string

The converted entities are: &amp;, &quot; (when ENT_NOQUOTES is not set), &#039; (when ENT_QUOTES is set), &lt; and &gt;.

Parameters

string

The string to decode.

flags

A bitmask of one or more of the following flags, which specify how to handle quotes and which document type to use. The default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

Available flag constants

Constant Name     Description
ENT_COMPAT        Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES        Will convert both double and single quotes.
ENT_NOQUOTES      Will leave both double and single quotes unconverted.
ENT_SUBSTITUTE    Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#xFFFD; (otherwise) instead of returning an empty string.
ENT_HTML401       Handle code as HTML 4.01.
ENT_XML1          Handle code as XML 1.
ENT_XHTML         Handle code as XHTML.
ENT_HTML5         Handle code as HTML 5.

Return Values

Returns the decoded string.

Changelog

Version   Description
8.1.0     flags changed from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

Examples

Example #1 A htmlspecialchars_decode() example

<?php
$str = "<p>this -&gt; &quot;</p>\n";
echo htmlspecialchars_decode($str);

// note that here the quotes aren't converted
echo htmlspecialchars_decode($str, ENT_NOQUOTES);
?>

The above example will output:

<p>this -> "</p>
<p>this -> &quot;</p>

See Also

  • htmlspecialchars() - Convert special characters to HTML entities
  • html_entity_decode() - Convert HTML entities to their corresponding characters
  • get_html_translation_table() - Returns the translation table used by htmlspecialchars and htmlentities

thomas at xci[ignore_this]teit dot commm

14 years ago

The example for "htmlspecialchars_decode()" below sadly does not work for all PHP4 versions.

Quote from the PHP manual:
"get_html_translation_table() will return the translation table that is used internally for htmlspecialchars() and htmlentities()."

But it does NOT! At least not for PHP version 4.4.2.
This was already reported in a bug report (http://bugs.php.net/bug.php?id=25927), but it was marked as BOGUS.

Proof:
  Code:
--------------------
<?php
var_dump(get_html_translation_table(HTML_SPECIALCHARS, ENT_QUOTES));
var_dump(htmlspecialchars('\'', ENT_QUOTES));
?>
--------------------

  Output:
--------------------
array
  '"' => '&quot;'
  ''' => '''
  '<' => '&lt;'
  '>' => '&gt;'
  '&' => '&amp;'

'&#039;'
--------------------

This comment now is not to report this bug again (though I really believe it is one), but to complete the example and warn people of this pitfall.

To make sure your htmlspecialchars_decode fake for PHP4 works, you should do something like this:

<?php
function htmlspecialchars_decode($string, $style = ENT_COMPAT)
{
    $translation = array_flip(get_html_translation_table(HTML_SPECIALCHARS, $style));
    // PHP 4.4.2's table lacks the &#039; entry that htmlspecialchars() emits for ENT_QUOTES
    if ($style === ENT_QUOTES) { $translation['&#039;'] = '\''; }
    return strtr($string, $translation);
}
?>

Br, Thomas

Anonymous

16 years ago

This should be the best way to do it.
(Reposted because the other one seems a bit slower and because those who used the code below called it htmlspecialchars_decode_php4)

<?php
if (!function_exists('htmlspecialchars_decode'))
{
    function htmlspecialchars_decode($text)
    {
        return strtr($text, array_flip(get_html_translation_table(HTML_SPECIALCHARS)));
    }
}
?>

or-k at or-k dot com

16 years ago

That works also with &auml; and &quot; and so on.
get_html_translation_table(HTML_ENTITIES) => offers more characters than HTML_SPECIALCHARS

function htmlspecialchars_decode_PHP4($uSTR)
{
    return strtr($uSTR, array_flip(get_html_translation_table(HTML_ENTITIES, ENT_QUOTES)));
}

pinkgothic at gmail dot com

12 years ago

Keep in mind that you should never trust user input - particularly for "mixed-bag" input containing a combination of plain text and markup or scripting code.

Why?

Well, consider someone sending '&amp;<script>alert(1)</script>' to your PHP script:

<?php
$var = "&amp;<script>alert(1)</script>";
$var = (htmlspecialchars_decode($var) == $var) ? htmlspecialchars($var) : $var;
echo $var;
?>

Since '&amp;' decodes into '&', (htmlspecialchars_decode($var) == $var) will be -false-, thus returning $var without it being escaped. In consequence, the script-tags are untouched, and you've just opened yourself to XSS.

There is, unfortunately, no reliable way to determine whether HTML is escaped or not that does not come with this caveat that I know of. Rather than try and catch the case 'I've already encoded this', you are better off avoiding double-escaping by simply escaping the HTML as close to the actual output as you can muster, e.g. in the view in an MVC development structure.

benharold at mac dot com

13 years ago

If you use `htmlspecialchars()` to change things like the ampersand (&) into its HTML equivalent (&amp;), you might run into a situation where you mistakenly pass the same string to the function twice, resulting in things appearing on your website like, as I call it, the ampersanded amp; "&amp;amp;". Clearly nobody wants "&amp;amp;" on his or her web page where there is supposed to be just an ampersand. Here's a quick and easy trick to make sure this doesn't happen:

<?php
$var = "This is a string that could be passed to htmlspecialchars multiple times.";

if (htmlspecialchars_decode($var) == $var) {
    $var = htmlspecialchars($var);
}

echo $var;
?>

Now, if you're dealing with text that is a mixed bag (has HTML entities and non-HTML entities) you're on your own.

geoffers@gmail

17 years ago

[Update of previous note, having noticed I forgot to put in quote style]

PHP4 Compatible function:

<?php
function htmlspecialchars_decode_php4($str, $quote_style = ENT_COMPAT) {
    return strtr($str, array_flip(get_html_translation_table(HTML_SPECIALCHARS, $quote_style)));
}
?>

benharold at mac dot com

13 years ago

or of course:

<?php
$var = "Blue & yellow make green.";
$var = (htmlspecialchars_decode($var) == $var) ? htmlspecialchars($var) : $var;
echo $var; // outputs Blue &amp; yellow make green.

// you can do it a bunch of times, it still won't screw you!
$var = (htmlspecialchars_decode($var) == $var) ? htmlspecialchars($var) : $var;
$var = (htmlspecialchars_decode($var) == $var) ? htmlspecialchars($var) : $var;
echo $var; // still outputs Blue &amp; yellow make green.
?>

Put it in a function. Add it to the method of some abstract data class.
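benharold's "escape only if it decodes unchanged" trick and pinkgothic's objection to it can be exercised side by side. The block below is an added example, not code from the PHP manual or from either commenter; the function names and sample strings are constructed for illustration, and it also uses the real fourth parameter of htmlspecialchars(), $double_encode, as the defender's alternative for mixed input.

```php
<?php
declare(strict_types=1);

// The "decode and compare" heuristic from the comments above: escape only
// when decoding leaves the string unchanged. It misfires on any input that
// already contains an entity, whether or not markup follows it.
function escapeIfLooksRaw(string $s): string
{
    return (htmlspecialchars_decode($s) === $s) ? htmlspecialchars($s) : $s;
}

// What the comments recommend instead: keep the raw value and escape it
// exactly once at output time, with explicit flags and charset rather than
// the version-dependent defaults (ENT_COMPAT before 8.1, ENT_QUOTES after).
function renderOnce(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// For genuinely mixed input, htmlspecialchars()'s fourth parameter
// ($double_encode = false) leaves existing entities such as &amp; alone
// while still escaping every literal <, >, & and quote.
function renderMixed(string $mixed): string
{
    return htmlspecialchars($mixed, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false);
}

// Constructed sample inputs; the labels describe the shape of each case.
$samples = [
    'plain text'         => 'Blue & yellow make green.',
    'already escaped'    => 'Blue &amp; yellow make green.',
    'entity then markup' => '&amp;<script>alert(1)</script>',
    'both quote kinds'   => 'say "hi" and \'bye\'',
    'invalid UTF-8'      => "caf\xE9 au lait",   // lone Latin-1 byte
];

foreach ($samples as $label => $input) {
    $byHeuristic = escapeIfLooksRaw($input);
    // A result that still holds a literal '<' or '>' was never escaped and
    // would be interpreted as markup by the browser.
    $leaks = preg_match('/[<>]/', $byHeuristic) ? 'UNSAFE' : 'ok';
    printf("%-19s heuristic   : %s  [%s]\n", $label, $byHeuristic, $leaks);
    printf("%-19s escape once : %s\n",   '', renderOnce($input));
    printf("%-19s mixed input : %s\n\n", '', renderMixed($input));
}
```

The 'entity then markup' row is the case pinkgothic describes: the heuristic hands the script tags through untouched, while both escape-once variants neutralise them and differ only in whether the leading &amp; is encoded a second time.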

geoffers at gmail dot com

17 years ago

For PHP4 Compatibility:

<?php
function htmlspecialchars_decode_php4($str) {
    return strtr($str, array_flip(get_html_translation_table(HTML_SPECIALCHARS)));
}
?>

What is HTML special characters PHP?

Description. The htmlspecialchars() function converts special characters (e.g. & (ampersand), " (double quote), ' (single quote), < (less than), > (greater than)) to HTML entities (i.e. & (ampersand) becomes &amp;, ' (single quote) becomes &#039;, < (less than) becomes &lt;, > (greater than) becomes &gt;).

How do I allow special characters in PHP?

Tip: To convert special HTML entities back to characters, use the htmlspecialchars_decode() function.
  • & (ampersand) becomes &amp;
  • " (double quote) becomes &quot;
  • ' (single quote) becomes &#039;
  • < (less than) becomes &lt;
  • > (greater than) becomes &gt;

What is the difference between Htmlentities and Htmlspecialchars in PHP?

Difference between htmlentities() and htmlspecialchars(): the only difference between these functions is that htmlspecialchars() converts only the special characters to HTML entities, whereas htmlentities() converts all applicable characters to HTML entities.

What is &#039; in HTML?

What does &#039; mean? &#039; is the HTML character code for an apostrophe ('), so if you see "don&#039;t" or "can&#039;t", the words "don't" or "can't" are being represented with that character code.