I noticed the following behavior when working with htmlspecialchars in PHP version 7.0.3:
php > echo htmlspecialchars('"');
&quot;
php > echo htmlspecialchars('"', ENT_SUBSTITUTE);
"
php > echo htmlspecialchars('"', ENT_QUOTES | ENT_SUBSTITUTE);
&quot;
We would like to escape double quotes while also using the ENT_SUBSTITUTE flag. Notice that the double quote does not get escaped when using only the ENT_SUBSTITUTE flag.

Is the ENT_QUOTES flag required with ENT_SUBSTITUTE if we want to escape double quotes? Why is this?

The documentation for htmlspecialchars does not say that ENT_QUOTES is required when using ENT_SUBSTITUTE. In fact, it seems to suggest the opposite: double quotes should always get escaped unless the ENT_NOQUOTES flag is present.
ENT_COMPAT | ENT_HTML401 is the default value for the $flags parameter. When you pass ENT_SUBSTITUTE instead, you're overriding the default. It is now not applying ENT_COMPAT anymore, which is responsible for the quotes. If you want to add ENT_SUBSTITUTE to the default parameters, you should correctly write:

htmlspecialchars('"', ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE)
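The following is an added example, not code from the question or the answer above. It shows why the flag override matters in practice: a value destined for an HTML attribute, escaped with ENT_SUBSTITUTE alone, keeps its double quote and breaks out of the attribute. It also shows the other half of the trade-off, which is that without ENT_SUBSTITUTE (or ENT_IGNORE) htmlspecialchars returns an empty string for input containing an invalid UTF-8 sequence. The helper esc_html is a hypothetical wrapper written for this example, not part of PHP; the attribute payload and the malformed byte string are constructed inputs.

```php
<?php
// Added example (not from the original question or answer).
// Demonstrates the $flags override pitfall of htmlspecialchars on PHP 7.x,
// where the default is ENT_COMPAT | ENT_HTML401, and a wrapper that avoids it.

// Constructed attacker-style input intended for an HTML attribute value.
// If the double quote survives, the browser sees a new onmouseover attribute.
$attr = '" onmouseover="alert(1)';

// 1. Default flags: ENT_COMPAT escapes the double quote.
echo '<input value="' . htmlspecialchars($attr) . '">', "\n";

// 2. ENT_SUBSTITUTE on its own REPLACES the default, dropping ENT_COMPAT,
//    so the double quote is passed through and the attribute is broken open.
echo '<input value="' . htmlspecialchars($attr, ENT_SUBSTITUTE) . '">', "\n";

// 3. OR-ing ENT_SUBSTITUTE into the defaults keeps quote escaping.
echo '<input value="' . htmlspecialchars($attr, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE) . '">', "\n";

// Constructed input with an invalid UTF-8 byte in the middle.
$bad = "abc\xC0def";

// Without ENT_SUBSTITUTE (or ENT_IGNORE), htmlspecialchars rejects the
// invalid sequence and returns an empty string, silently dropping the value.
var_dump(htmlspecialchars($bad, ENT_COMPAT | ENT_HTML401, 'UTF-8'));

// With ENT_SUBSTITUTE the bad byte becomes U+FFFD and the rest is kept.
var_dump(htmlspecialchars($bad, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE, 'UTF-8'));

/**
 * Hypothetical helper (assumption for this example, not a PHP built-in).
 * Escapes a string for use in HTML text or a quoted attribute:
 *   ENT_QUOTES      escapes both " and ' (single-quoted attributes too)
 *   ENT_SUBSTITUTE  replaces invalid byte sequences instead of returning ""
 *   ENT_HTML5       selects HTML5 entity rules
 * The charset is passed explicitly so the result does not depend on
 * default_charset in php.ini.
 */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Both attribute quoting styles are now safe with the same helper.
echo '<input value="' . esc_html($attr) . '">', "\n";
echo "<div title='" . esc_html("' onclick='alert(1)") . "'>", "\n";
echo '<p>' . esc_html($bad) . '</p>', "\n";
```

The practical rule is to never pass a single flag to htmlspecialchars: always write out the full set you want, and treat ENT_QUOTES | ENT_SUBSTITUTE as the minimum for anything that may land inside an attribute. A review check for this class of bug is to grep for `htmlspecialchars(` and `htmlentities(` calls whose second argument lacks ENT_QUOTES or ENT_COMPAT.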