I'm using values entered in a form to send an email using the mail() function. When the form is posted, I apply the htmlspecialchars() function to the values. The problem comes when I send the email: The HTML entities don't get translated in the email. I've considered decoding the values before I use them in the email, but wouldn't that open me up to the security problems the encoding was meant to avoid?