htmlspecialchars

htmlentities

[edit] Last updated: Fri, 10 Feb 2012

htmlspecialchars_decode

(PHP 5 >= 5.1.0)

htmlspecialchars_decode — Convertit les entités HTML spéciales en caractères

Description

string htmlspecialchars_decode ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 ] )

Cette fonction est l'opposée de htmlspecialchars(). Elle convertit les entités HTML spéciales en caractères.

Les entités converties sont : &, " (lorsque ENT_NOQUOTES n'est pas activée), ' (lorsque ENT_QUOTES est activée), < et >.

Liste de paramètres

string

La chaîne de caractères à décoder

flags

Un masque d'un ou plusieurs drapeaux suivants, qui spécifient la façon dont doit être géré les guillemets et quel type de document à utiliser. Par défaut, ce sera ENT_COMPAT | ENT_HTML401.

**Constantes pour le paramètre *`flags`* disponibles**
Nom de la Constante	Description
`ENT_COMPAT`	Convertira les guillemets et laissera les apostrophes.
`ENT_QUOTES`	Convertira les guillemets et les apostrophes.
`ENT_NOQUOTES`	Laissera les guillemets et les apostrophes non convertis.
`ENT_HTML401`	Gère le code comme étant du HTML 4.01.
`ENT_XML1`	Gère le code comme étant du XML 1.
`ENT_XHTML`	Gère le code comme étant du XHTML.
`ENT_HTML5`	Gère le code comme étant du HTML 5.

Valeurs de retour

Retourne la chaîne de caractères décodée.

Historique

Version	Description
5.4.0	Les constantes `ENT_HTML401`, `ENT_XML1`, `ENT_XHTML` et `ENT_HTML5` ont été ajoutées.

Exemples

Exemple #1 Exemple avec htmlspecialchars_decode()


<?php
$str = '<p>this -&gt; &quot;</p>';

echo htmlspecialchars_decode($str);

// notez ici que les guillemets ne sont pas convertis
echo htmlspecialchars_decode($str, ENT_NOQUOTES);
?>

L'exemple ci-dessus va afficher :

<p>this -> "</p>
<p>this -> &quot;</p>

Voir aussi

htmlspecialchars() - Convertit les caractères spéciaux en entités HTML
html_entity_decode() - Convertit toutes les entités HTML en caractères normaux
get_html_translation_table() - Retourne la table de traduction des entités utilisée par htmlspecialchars et htmlentities

htmlspecialchars

htmlentities

[edit] Last updated: Fri, 10 Feb 2012

add a note User Contributed Notes htmlspecialchars_decode

selimx at live dot com 20-Apr-2011 02:35


this function 





<?php


function htmlkarakter($string)


{


   $string = str_replace(array("&lt;", "&gt;", '&amp;', '&#039;', '&quot;','&lt;', '&gt;'), array("<", ">",'&','\'','"','<','>'), htmlspecialchars_decode($string, ENT_NOQUOTES));





       return $string;


   


} 


?>





Before


<description>&lt;div class=&quot;google-ad1&quot;&gt;


  &lt;script type=&#039;text/javascript&#039;&gt;


    GA_googleFillSlot(&quot;EW_News_300x250&quot;);


  &lt;/script&gt;





&lt;/div&gt;





after using the function





<div class="google-ad1">


  <script type='text/javascript'>


    GA_googleFillSlot("EW_News_300x250");


  </script>

pinkgothic at gmail dot com 10-Jun-2010 09:24


Keep in mind that you should never trust user input - particularly for "mixed-bag" input containing a combination of plain text and markup or scripting code.





Why?





Well, consider someone sending '&amp;<script>alert('XSS');</script>' to your PHP script:





<?php


$var = "&amp;<script>alert('XSS');</script>";


$var = (htmlspecialchars_decode($var) == $var) ? htmlspecialchars($var) : $var;


echo $var;


?>





Since '&amp;' decodes into '&', (htmlspecialchars_decode($var) == $var) will be -false-, thus returning $var without that it's escaped. In consequence, the script-tags are untouched, and you've just opened yourself to XSS.





There is, unfortunately, no reliable way to determine whether HTML is escaped or not that does not come with this caveat that I know of. Rather than try and catch the case 'I've already encoded this', you are better off avoiding double-escaping by simply escaping the HTML as close to the actual output as you can muster, e.g. in the view in an MVC development structure.

benharold at mac dot com 26-Jan-2009 04:48


or of course:



<?php



$var = "Blue & yellow make green.";



$var = (htmlspecialchars_decode($var) == $var) ? htmlspecialchars($var) : $var;

echo $var; // outputs Blue &amp; yellow make green.



// you can do it a bunch of times, it still won't screw you!



$var = (htmlspecialchars_decode($var) == $var) ? htmlspecialchars($var) : $var;

$var = (htmlspecialchars_decode($var) == $var) ? htmlspecialchars($var) : $var;

echo $var; // still outputs Blue &amp; yellow make green.



?>



Put it in a function. Add it to the method of some abstract data class.

benharold at mac dot com 26-Jan-2009 01:30


If you use `htmlspecialchars()` to change things like the ampersand (&) into it's HTML equivalent (&amp;), you might run into a situation where you mistakenly pass the same string to the function twice, resulting in things appearing on your website like, as I call it, the ampersanded amp; "&amp;". Clearly nobody want's "&amp;" on his or her web page where there is supposed to be just an ampersand. Here's a quick and easy trick to make sure this doesn't happen:



<?php



$var = "This is a string that could be passed to htmlspecialchars multiple times.";



if (htmlspecialchars_decode($var) == $var) {

    $var = htmlspecialchars($var);

}



echo $var;



?>



Now, if your dealing with text that is a mixed bag (has HTML entities and non-HTML entities) you're on your own.

thomas at xci[ignore_this]teit dot commm 28-Mar-2008 03:03


The example for "htmlspecialchars_decode()" below sadly does not work for all PHP4 versions.



Quote from the PHP manual:

"get_html_translation_table() will return the translation table that is used internally for htmlspecialchars() and htmlentities()."



But it does NOT! At least not for PHP version 4.4.2.

This was already reported in a bug report (http://bugs.php.net/bug.php?id=25927), but it was marked as BOGUS.



Proof:

  Code:

--------------------

<?php

    var_dump(get_html_translation_table(HTML_SPECIALCHARS,ENT_QUOTES));

    var_dump(htmlspecialchars('\'',ENT_QUOTES));

?>

--------------------



  Output:

--------------------

array

  '"' => '&quot;'

  ''' => '&#39;'

  '<' => '&lt;'

  '>' => '&gt;'

  '&' => '&amp;'



'&#039;'

--------------------



This comment now is not to report this bug again (though I really believe it is one), but to complete the example and warn people of this pitfall.



To make sure your htmlspecialchars_decode fake for PHP4 works, you should do something like this:



<?php

    function htmlspecialchars_decode($string,$style=ENT_COMPAT)

    {

        $translation = array_flip(get_html_translation_table(HTML_SPECIALCHARS,$style));

        if($style === ENT_QUOTES){ $translation['&#039;'] = '\''; }

        return strtr($string,$translation);

    }

?>



Br, Thomas

Wout 28-Jul-2007 09:06


The following replacement for PHP 4 is a little more complete, as the quote_style is taken into account as well:



if (!function_exists("htmlspecialchars_decode")) {

    function htmlspecialchars_decode($string, $quote_style = ENT_COMPAT) {

        return strtr($string, array_flip(get_html_translation_table(HTML_SPECIALCHARS, $quote_style)));

    }

}

17-Aug-2006 05:49


This should be the best way to do it.

(Reposted because the other one seems a bit slower and because those who used the code under called it htmlspecialchars_decode_php4)



<?php



if ( !function_exists('htmlspecialchars_decode') )

{

    function htmlspecialchars_decode($text)

    {

        return strtr($text, array_flip(get_html_translation_table(HTML_SPECIALCHARS)));

    }

}



?>

TheSin 09-May-2006 02:51


Here is how you can get this function in php < 5.1, just make sure this function is before you try and call the function.



if (!function_exists('htmlspecialchars_decode')) {

        function htmlspecialchars_decode($str, $options="") {

                $trans = get_html_translation_table(HTML_SPECIALCHARS, $options);



                $decode = ARRAY();

                foreach ($trans AS $char=>$entity) {

                        $decode[$entity] = $char;

                }



                $str = strtr($str, $decode);



                return $str;

        }

}

se at designlinks dot net 14-Dec-2005 08:43


The code supplied by or-k at or-k dot com (14-Sep-2005 09:15) is better served using html_entity_decode() for PHP>=4.3.0.

geoffers@gmail (14-Jul-2005 01:38) offers the best htmlspecialchars_decode() for php4 users.

or-k at or-k dot com 14-Sep-2005 02:15


that works also with &auml; and &quot; and so on.

get_html_translation_table(HTML_ENTITIES) => offers more characters than HTML_SPECIALCHARS



function htmlspecialchars_decode_PHP4($uSTR)

{

 return strtr($uSTR, array_flip(get_html_translation_table(HTML_ENTITIES, ENT_QUOTES)));

}

geoffers@gmail 14-Jul-2005 06:38


[Update of previous note, having noticed I forgot to put in quote style]



PHP4 Compatible function:



<?php



function htmlspecialchars_decode_php4 ($str, $quote_style = ENT_COMPAT) {

    return strtr($str, array_flip(get_html_translation_table(HTML_SPECIALCHARS, $quote_style)));

}



?>

geoffers at gmail dot com 14-Jul-2005 06:30


For PHP4 Compatibility:



<?php



function htmlspecialchars_decode_php4 ($str) {

    return strtr($str, array_flip(get_html_translation_table(HTML_SPECIALCHARS)));

}



?>

add a note