felgall is right, but perhaps you were wanting to use http://php.net/manual/en/function.strip-tags.php (to remove html tags) instead of htmlspecialchars() but that isn’t necessary in a mail() function, at least I don’t think there’s a security breach possible. Removing html tags is mostly when you want to output user input (not safe) on your webpage.