
htmlspecialchars_decode() - Convert special HTML entities back to characters - PHP string functions

Posted by 梵高 on 2023-11-21

htmlspecialchars_decode()

(PHP 5 >= 5.1.0, PHP 7)


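Convert special HTML entities back to characters

Description

htmlspecialchars_decode(string $string [, int $flags = ENT_COMPAT | ENT_HTML401]): string

This function is the opposite of htmlspecialchars(). It converts special HTML entities back to characters.

The converted entities are: &amp;, &quot; (when ENT_NOQUOTES is not set), &#039; (when ENT_QUOTES is set), &lt; and &gt;.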

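Parameters

$string

The string to decode.

$flags

A bitmask of one or more of the following flags, which specify how to handle quotes and which document type to use. The default is ENT_COMPAT | ENT_HTML401.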

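Available $flags constants
Constant name | Description
ENT_COMPAT | Converts double quotes and leaves single quotes alone.
ENT_QUOTES | Converts both double and single quotes.
ENT_NOQUOTES | Leaves both double and single quotes unconverted.
ENT_HTML401 | Handle code as HTML 4.01.
ENT_XML1 | Handle code as XML 1.
ENT_XHTML | Handle code as XHTML.
ENT_HTML5 | Handle code as HTML 5.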

Return values

Returns the decoded string.

Changelog

Version | Description
5.4.0 | The constants ENT_HTML401, ENT_XML1, ENT_XHTML and ENT_HTML5 were added.

Examples

A htmlspecialchars_decode() example

The above example will output:

this -> "

this -> &quot;

See also

  • htmlspecialchars() - Convert special characters to HTML entities
  • html_entity_decode() - Convert HTML entities to their corresponding characters
  • get_html_translation_table() - Returns the translation table used by htmlspecialchars() and htmlentities()

This should be the best way to do it.
(Reposted because the other one seems a bit slower and because those who used the code under called it htmlspecialchars_decode_php4)

The example for "htmlspecialchars_decode()" below sadly does not work for all PHP4 versions.
Quote from the PHP manual:
"get_html_translation_table() will return the translation table that is used internally for htmlspecialchars() and htmlentities()."
But it does NOT! At least not for PHP version 4.4.2.
This was already reported in a bug report (http://bugs.php.net/bug.php?id=25927), but it was marked as BOGUS.
Proof:
 Code:
--------------------

--------------------
 Output:
--------------------
array
 '"' => '"'
 ''' => '''
 '' => '>'
 '&' => '&'
'''
--------------------
This comment now is not to report this bug again (though I really believe it is one), but to complete the example and warn people of this pitfall.
To make sure your htmlspecialchars_decode fake for PHP4 works, you should do something like this:

Br, Thomas

that works also with &auml; and &quot; and so on.
get_html_translation_table(HTML_ENTITIES) => offers more characters than HTML_SPECIALCHARS
function htmlspecialchars_decode_PHP4($uSTR)
{
 return strtr($uSTR, array_flip(get_html_translation_table(HTML_ENTITIES, ENT_QUOTES)));
}

If you use `htmlspecialchars()` to change things like the ampersand (&) into its HTML equivalent (&amp;), you might run into a situation where you mistakenly pass the same string to the function twice, resulting in things appearing on your website like, as I call it, the ampersanded amp; "&amp;". Clearly nobody wants "&amp;" on his or her web page where there is supposed to be just an ampersand. Here's a quick and easy trick to make sure this doesn't happen:

Now, if you're dealing with text that is a mixed bag (has HTML entities and non-HTML entities) you're on your own.

Keep in mind that you should never trust user input - particularly for "mixed-bag" input containing a combination of plain text and markup or scripting code.
Why?
Well, consider someone sending '&alert('XSS');' to your PHP script:
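
The quote flags, the double-encoding pitfall and the decode-then-echo risk raised in the notes above, shown together as an added example that is not from the PHP manual or from any commenter. All input strings are constructed, and encode_once() and decode_matrix() are hypothetical helper names.

```php
<?php
// Added example, not from the PHP manual or the commenters.
// Every input string is constructed; encode_once() and decode_matrix() are hypothetical helpers.
const FLAGS = ENT_QUOTES | ENT_HTML401; // passed explicitly: the default flags changed in PHP 8.1

// Encode for HTML output exactly once, whether or not the value was already
// encoded, so "&amp;" is never encoded again into "&amp;amp;".
function encode_once(string $value): string
{
    return htmlspecialchars(htmlspecialchars_decode($value, FLAGS), FLAGS, 'UTF-8');
}

// Decode the same input under each quote flag to compare the results.
function decode_matrix(string $encoded): array
{
    $flags = ['ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES, 'ENT_NOQUOTES' => ENT_NOQUOTES];
    $out = [];
    foreach ($flags as $name => $flag) {
        $out[$name] = htmlspecialchars_decode($encoded, $flag | ENT_HTML401);
    }
    return $out;
}

// 1. Quote flags: only the quote entities differ between the three rows.
$encoded = '&lt;a title=&quot;x&quot; alt=&#039;y&#039;&gt; &amp;';
foreach (decode_matrix($encoded) as $name => $decoded) {
    printf("%-12s %s\n", $name, $decoded);
}

// 2. Double encoding, and the same value passed through encode_once().
$once  = htmlspecialchars('Tom & Jerry', FLAGS, 'UTF-8');
$twice = htmlspecialchars($once, FLAGS, 'UTF-8');
printf("%-12s %s\n%-12s %s\n", 'twice', $twice, 'encode_once', encode_once($once));

// 3. Decoding turns stored, inert text back into live markup, so the decoded
//    value must be encoded again at the point where it is written into HTML.
$stored  = "&lt;script&gt;alert('XSS');&lt;/script&gt;"; // inert as stored
$decoded = htmlspecialchars_decode($stored, FLAGS);        // markup again: do not echo as-is
$safe    = htmlspecialchars($decoded, FLAGS, 'UTF-8');     // encoded for the HTML sink
printf("%-12s %s\n%-12s %s\n", 'decoded', $decoded, 'safe', $safe);
```

encode_once() also collapses a literal "&amp;" that a user typed on purpose, so it suits values whose encoding state is unknown rather than text that mixes plain content and markup.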
