What does vertical bar | mean in php documentation?

Question

The php docs page on htmlspecialchars mentions:

The default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

My knowledge of | in programming documentations is only this MDN explanation of its use in css docs. This seems to be not applicable in php documentation, as $flags can be left blank in htmlspecialchars().

In php htmlspecialchars, I noticed that, without mentioning the flag, it does not convert single quotes into &#039. This certainly implies, ENT_QUOTES is not the default value.

So, what does | mean in php documentation, and what is the default value of $flags in htmlspecialchars?

Answer 1

It is a bitwise OR.

It combines a set of options (internally expressed as numbers) into a single value that means "All of these options combined".

---

Let's look at how that works.

Consider that you might have flags:

FLAG_A = 1
FLAG_B = 2
FLAG_C = 4

In binary that would be

FLAG_A = 001
FLAG_B = 010
FLAG_C = 100

So if you had

FLAG_A | FLAG_C

You'd get 101 and that could be compared successfully to FLAG_A or FLAG_C.

In decimal it is represented as 5, but the point of flags like these is to store a combination of yes/no options in a compact form.

Here's a practical example in JS (this kind of bitwise logic is foundational to computer programming so works the same in most languages).

const FLAG_A = 0b001;
const FLAG_B = 0b010;
const FLAG_C = 0b100;

const ACTIVE_FLAGS = FLAG_A | FLAG_C;

console.log(Boolean(FLAG_A & ACTIVE_FLAGS));
console.log(Boolean(FLAG_B & ACTIVE_FLAGS));
console.log(Boolean(FLAG_C & ACTIVE_FLAGS));

---

Re your comment

however, I don't know the inbuilt values of these flags. What is the value of ENT_QUOTES - 0,1 or 101? And what would be the resultant of ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 in empty htmlspecialchars($str)?

The actual values don't matter. You can consider them internal to PHP. You only need to worry about the constants.

ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 is the default, so those three options are all turned on.

The documentation tells you that ENT_QUOTES means "Will convert both double and single quotes..". So you know that that is how the function will work by default. (Along with whatever it says about the other two options that are turned on).

And in htmlspecialchars($string, ENT_COMPAT,'ISO-8859-1', true); would the other two defaults are already present?

No. If you pass a different set of values for the options, you change the defaults.

If you say ENT_COMPAT then that turns ENT_COMPAT on and everything else off.