devtoolkit.sh/examples/encoding/html-entities

HTML Entity Encoding Examples

HTML entity encoding converts characters that have special meaning in HTML into text representations that browsers render literally instead of parsing them as markup. The five most critical characters to encode are <, >, &, ", and ': left raw, they let user input be interpreted as tags, attributes or entity references, which is the basis of Cross-Site Scripting (XSS) when user input is inserted into HTML without escaping. This collection shows the named and numeric entity forms for common symbols and for the XSS-sensitive characters. Always HTML-encode user-provided content before inserting it into an HTML context.

Example
# XSS-sensitive characters (always encode)
< → &lt;
> → &gt;
& → &amp;
" → &quot;
' → &#39;

# Common symbols
© → &copy;
® → &reg;
™ → &trade;
€ → &euro;
£ → &pound;
— → &mdash;
… → &hellip;
✓ → &#10003;

FAQ

When must I HTML-encode user input?
Any time user-controlled data is placed inside HTML element content or attribute values; data placed inside JavaScript string literals needs escaping as well, but with the JavaScript-specific form described below. Skipping this step enables XSS, where an attacker's input is parsed as markup and their script runs in the victim's browser.
What is the difference between named and numeric HTML entities?
Named entities like &amp; are defined in the HTML specification and are more readable. Numeric entities like &#38; work for any Unicode code point and are supported even by old parsers that do not recognize all named entities.
Do I need to encode inside JavaScript strings in HTML?
Yes, but with a different encoding. In JSON/JavaScript contexts, use JavaScript \u escape sequences or JSON.stringify to escape the value. Applying HTML entity encoding inside a script block does not prevent JavaScript injection, because the script parser does not decode HTML entities.
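The following is an added example, not code from devtoolkit.sh: it implements the two context-specific encoders the page describes, HTML entity encoding for element content and attribute values (named entities for the five XSS-sensitive characters, with a numeric fallback for any code point) and a separate escaper for values embedded in inline script blocks. The function names and the sample inputs are constructed for illustration.

```javascript
// Named entities for the five characters that must always be encoded
// in HTML. The apostrophe uses the numeric form &#39; because the named
// &apos; is not recognised by every legacy HTML parser.
const HTML_ENTITIES = {
  "<": "&lt;",
  ">": "&gt;",
  "&": "&amp;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for insertion into HTML element content or a quoted
// attribute value. "&" is included so that an already-encoded value
// cannot be silently double-decoded by the browser.
function encodeHtml(input) {
  return String(input).replace(/[<>&"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Decimal numeric entity for a single character; works for any Unicode
// code point, including characters outside the Basic Multilingual Plane.
function toNumericEntity(ch) {
  return `&#${ch.codePointAt(0)};`;
}

// Encode the five special characters and every non-ASCII character as
// numeric entities. Useful when the charset of the output document is
// not under your control.
function encodeHtmlNumeric(input) {
  return Array.from(String(input), (ch) =>
    /[<>&"']/.test(ch) || ch.codePointAt(0) > 0x7e ? toNumericEntity(ch) : ch
  ).join("");
}

// Escape a value for use as a JavaScript string literal inside an inline
// <script> block. JSON.stringify handles quotes and backslashes but leaves
// "<" alone, so a value containing "</script>" would still end the block
// early; the extra replacements turn those characters into \u escapes,
// which JSON.parse and the JS parser both decode back to the original.
function encodeForScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Embed a server-side value in an inline script. The rendered output never
// contains a literal "</" from the value, so the HTML parser cannot be
// tricked into closing the script element.
function renderInlineScript(varName, value) {
  return `<script>var ${varName} = ${encodeForScript(value)};</script>`;
}

// Constructed sample inputs.
console.log(encodeHtml('Tom & Jerry <b>"bold"</b>'));
console.log(encodeHtmlNumeric("© ✓ <a>"));
console.log(renderInlineScript("cfg", "</script>"));
```

Note that the two encoders are not interchangeable: `encodeHtml` output placed inside a script string stays a literal `&lt;` to the JavaScript engine, and `encodeForScript` output placed in element content is not safe against markup injection. Pick the encoder by the context the value lands in.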
