The Codex description of these two functions:
wp_specialchars: Converts a number of special characters into their
HTML entities. Specifically deals with: &, <, >, “, and ‘.
wp_specialchars_decode: Converts a number of HTML entities into
their special characters.
According to
http://codex.wordpress.org/Function_Reference/wp_specialchars
This function is deprecated as of WordPress 2.8.0. Please use esc_html
instead.
You don’t want to have special characters in your html output, so you would rather not use wp_specialchars_decode for that.
There is a special function called esc_js() that you should consider
http://codex.wordpress.org/Function_Reference/esc_js
The source code for this function can be found here:
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/formatting.php#L2641
/**
2641 * Escape single quotes, htmlspecialchar " < > &, and fix line endings.
2642 *
2643 * Escapes text strings for echoing in JS. It is intended to be used for inline JS
2644 * (in a tag attribute, for example onclick="..."). Note that the strings have to
2645 * be in single quotes. The filter 'js_escape' is also applied here.
2646 *
2647 * @since 2.8.0
2648 *
2649 * @param string $text The text to be escaped.
2650 * @return string Escaped text.
2651 */
2652 function esc_js( $text ) {
2653 $safe_text = wp_check_invalid_utf8( $text );
2654 $safe_text = _wp_specialchars( $safe_text, ENT_COMPAT );
2655 $safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
2656 $safe_text = str_replace( "\r", '', $safe_text );
2657 $safe_text = str_replace( "\n", '\\n', addslashes( $safe_text ) );
2658 return apply_filters( 'js_escape', $safe_text, $text );
2659 }
Here is a good data validation overview: