2026-06-07 · 4 min read
- html
- security
HTML reserves characters such as < and &. User-generated text must be entity-encoded before it is inserted into a template; otherwise the browser may parse the input as markup, which is the classic cross-site scripting (XSS) vector.
Characters to encode
Encode at output time, in your templating layer, not only when input is stored: the escaped form is what the browser actually parses, and stored data may later be rendered in contexts the input filter never anticipated.
- & → &amp;
- < → &lt;
- > → &gt;
- " → &quot; in attributes
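As an added example (not code from the original post), the following shows output-time escaping of the characters listed above, plus the single quote for attributes delimited with '. The template syntax, the `render` helper and the untrusted comment string are constructed for illustration.

```javascript
// Added example: escape at output time, inside the templating layer.
// The template format ({{name}}) and the sample input are assumptions
// made for this illustration, not part of any particular framework.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;', // needed when an attribute is delimited with single quotes
};

// Escape a value for insertion into an HTML text node or a quoted attribute.
// '&' must be in the table: otherwise "&lt;" typed by a user would survive
// as a live entity instead of being shown literally.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a template; every interpolated value is escaped on the way out,
// regardless of how it was stored. Missing values are an error rather than
// silently rendering an empty (or worse, literal) placeholder.
function render(template, values) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, name) => {
    if (!Object.prototype.hasOwnProperty.call(values, name)) {
      throw new Error(`missing template value: ${name}`);
    }
    return escapeHtml(values[name]);
  });
}

// Constructed sample: the kind of string a comment field might receive.
const untrustedComment = '<script>alert(1)</script> & "friends"';

// The same value lands in both a text node and a quoted attribute.
const commentTemplate = '<p class="comment" title="{{comment}}">{{comment}}</p>';

function renderComment() {
  return render(commentTemplate, { comment: untrustedComment });
}

// Rendered output contains no raw '<', so the browser sees text, not markup:
// <p class="comment" title="&lt;script&gt;alert(1)&lt;/script&gt; &amp; &quot;friends&quot;">...</p>
```

Because the escaping happens once at render time, the stored value stays raw. Escaping at storage as well would produce double-encoded output such as `&amp;amp;` and would still leave data unprotected when it reaches a context the storage-time filter did not foresee.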
Named vs numeric entities
Named entities (&copy;) are readable; numeric ones (&#169;) work for arbitrary Unicode. Decoding entities helps when scraping or migrating CMS content.
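The decoding side, as an added example that is not from the original post: a single-pass decoder for named and numeric (decimal and hexadecimal) entities. The named-entity table is a deliberately small subset chosen for illustration; a production decoder needs the complete HTML5 entity list. Unknown names and invalid code points are left untouched rather than turned into garbage.

```javascript
// Added example: decode entities once, as a scraper or CMS migration would.
// NAMED_ENTITIES is an illustrative subset, not the full HTML5 table.

const NAMED_ENTITIES = {
  amp: '&',
  lt: '<',
  gt: '>',
  quot: '"',
  apos: "'",
  copy: '\u00A9',
  nbsp: '\u00A0',
};

// Turn the body of a numeric reference ("169" or "xA9") into a string,
// or return null when the code point is not valid (out of range, surrogate,
// NUL), in which case the caller keeps the original text.
function decodeNumeric(body) {
  const isHex = /^[xX]/.test(body);
  const digits = isHex ? body.slice(1) : body;
  if (!(isHex ? /^[0-9A-Fa-f]+$/ : /^[0-9]+$/).test(digits)) return null;
  const codePoint = parseInt(digits, isHex ? 16 : 10);
  if (codePoint === 0 || codePoint > 0x10ffff) return null;
  if (codePoint >= 0xd800 && codePoint <= 0xdfff) return null;
  return String.fromCodePoint(codePoint);
}

// Single pass: "&amp;lt;" becomes "&lt;", not "<". Decoding repeatedly until
// nothing changes would turn stored text back into markup.
function decodeEntities(text) {
  return text.replace(/&(#?[0-9A-Za-z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const decoded = decodeNumeric(body.slice(1));
      return decoded === null ? match : decoded;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body]
      : match;
  });
}

// Constructed sample of the kind of text a scraped page might contain.
const scrapedSnippet = 'Copyright &copy; 2026 &amp; &#169; &#xA9; &lt;b&gt;';

function decodeSample() {
  return decodeEntities(scrapedSnippet);
}
```

The output of `decodeEntities` is raw text again; if it is later rendered into an HTML template it must go through output-time escaping like any other untrusted string, otherwise an `&lt;script&gt;` stored in a migrated article becomes a live tag.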