The htmlspecialchars() function in PHP is used to convert special characters to HTML entities. This is commonly used to prevent Cross-Site Scripting (XSS) attacks by making sure that HTML tags or JavaScript code entered by users are displayed as text and not executed by the browser.

🔐 Why use it?

To make sure that:

• <, >, " and ' are not interpreted as HTML or JavaScript.
• User-generated content is safely displayed in the browser.

🧪 Example:

$user_input = "<script>alert('XSS');</script>";
$safe_output = htmlspecialchars($user_input);

echo $safe_output;
// Output: &lt;script&gt;alert(&#039;XSS&#039;);&lt;/script&gt;

🏷️ Common Flags:

📝 Notes:

• Always use htmlspecialchars() when displaying user input in HTML.
• Use htmlspecialchars_decode() if you need to revert the conversion.