<?php
//
// What ENT_* should I use for htmlspecialchars?
//
$text = '&"\'<> ';
// This is insecure!
echo "DEFAULT: " . htmlspecialchars($text, ENT_HTML401 | ENT_COMPAT, 'UTF-8') . "\n";
// This is insecure!
echo "ENT_HTML5: " . htmlspecialchars($text, ENT_HTML5, 'UTF-8') . "\n";
// This is good
echo "ENT_QUOTES: " . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";