Which characters need to be escaped in HTML?

If you’re inserting text content in your document in a location where text content is expected1you typically only need to escape the same characters as you would in XML. Inside of an element, this just includes the entity escape ampersand & and the element delimiter less-than and greater-than signs < >:

& becomes &amp;
< becomes &lt;
> becomes &gt;

Inside of attribute values you must also escape the quote character you’re using:

" becomes &quot;
' becomes &#39;

In some cases it may be safe to skip escaping some of these characters, but I encourage you to escape all five in all cases to reduce the chance of making a mistake.

If your document encoding does not support all of the characters that you’re using, such as if you’re trying to use emoji in an ASCII-encoded document, you also need to escape those. Most documents these days are encoded using the fully Unicode-supporting UTF-8 encoding where this won’t be necessary.

In general, you should not escape spaces as &nbsp;&nbsp; is not a normal space, it’s a non-breaking space. You can use these instead of normal spaces to prevent a line break from being inserted between two words, or to insert          extra        space       without it being automatically collapsed, but this is usually a rare case. Don’t do this unless you have a design constraint that requires it.

1 By “a location where text content is expected”, I mean inside of an element or quoted attribute value where normal parsing rules apply. For example: <p>HERE</p> or <p title="HERE">...</p>. What I wrote above does not apply to content that has special parsing rules or meaning, such as inside of a script or style tag, or as an element or attribute name. For example: <NOT-HERE>...</NOT-HERE><script>NOT-HERE</script><style>NOT-HERE</style>, or <p NOT-HERE="...">...</p>.

In these contexts, the rules are more complicated and it’s much easier to introduce a security vulnerability. I strongly discourage you from ever inserting dynamic content in any of these locations. I have seen teams of competent security-aware developers introduce vulnerabilities by assuming that they had encoded these values correctly, but missing an edge case. There’s usually a safer alternative, such as putting the dynamic value in an attribute and then handling it with JavaScript.

If you must, please read the Open Web Application Security Project’s XSS Prevention Rules to help understand some of the concerns you will need to keep in mind.

Related Posts:

  1. What do < and > stand for?
  2. How do I replicate a \t tab space in HTML?
  3. Redirect from an HTML page
  4. What is ' and why does Google search replace it with apostrophe?
  5. Should I use tag for icons instead of ? [closed]
  6. CSS Background Opacity [duplicate]
  7. What’s the difference between HTML ‘hidden’ and ‘aria-hidden’ attributes?
  8. How do I vertically align text in a div?
  9. How do I vertically center text with CSS?
  10. How do I vertically center text with CSS?
  11. What does enctype=’multipart/form-data’ mean?
  12. Set cookie and get cookie with JavaScript
  13. How do I make a hyperlink to a local executable?
  14. How do I auto-resize an image to fit a ‘div’ container?
  15. CSS `height: calc(100vh);` Vs `height: 100vh;`
  16. Custom Tumblr theme wont save because of non-https urls?
  17. Double click and run the Php script on mac
  18. CSS no text wrap
  19. mailto using javascript
  20. Bootstrap 4 Sticky Footer Not Sticking
  21. How to change css property using javascript
  22. html tables: thead vs th
  23. What is “X-Content-Type-Options=nosniff”?
  24. What is “X-Content-Type-Options=nosniff”?
  25. Rotate an image in image source in html
  26. Strange symbol shows up on website (L SEP)?
  27. How can I make a CSS glass/blur effect work for an overlay?
  28. Maintain the aspect ratio of a div with CSS
  29. Bootstrap dropdown not working
  30. What is the difference between id and class in CSS, and when should I use them?
  31. When to use instead

    ?

  32. jQuery.addClass not working
  33. How to call a PHP function on the click of a button
  34. what’s the easiest way to put space between 2 side-by-side buttons in asp.net
  35. Calculate percentage Javascript
  36. Vertically centering a div inside another div
  37. How to move image with css/html
  38. How to style the option of an html “select” element?
  39. HTML: How to center align a form
  40. How to mark-up phone numbers?
  41. CSS pick a random color from array
  42. Adding background image to div using CSS
  43. Center a DIV horizontally and vertically
  44. how to overwrite css style
  45. How can I move this text up using CSS?
  46. Multiple Forms or Multiple Submits in a Page?
  47. Target a css class inside another css class
  48. Mailto on submit button
  49. CSS float right not working correctly
  50. How can I vertically align elements in a div?
  51. How to give spacing between buttons using bootstrap
  52. Space between two rows in a table?
  53. What is the difference between
    and
  54. Make a div fill the height of the remaining screen space
  55. html5 error : Element head is missing a required instance of child element title
  56. Add image in title bar
  57. HTML input – name vs. id
  58. How to add image that is on my computer to a site in css or html?
  59. How to use PHP inside css file
  60. jQuery checkbox event handling
  61. Setting a max character length in CSS
  62. How to use the “required” attribute with a “radio” input field
  63. Local Storage vs Cookies
  64. Redirect website after specified amount of time
  65. External CSS not working
  66. How to exclude particular class name in CSS selector?
  67. How to scroll to top of a div using jQuery?
  68. HTML/CSS–Creating a banner/header
  69. How do I change the font color in an html table?
  70. Change hover color on a button with Bootstrap customization
  71. Alternate table row color using CSS?
  72. Is there a float input type in HTML5?
  73. Is there a vr (vertical rule) in html?
  74. How to view an HTML file in the browser with Visual Studio Code
  75. How to create a hidden in JavaScript?
  76. CSS “and” selector – Can I select elements that have multiple classes?
  77. How do I programmatically set the value of a select box element using JavaScript?
  78. Accessing WordPress data via JSON gives HTML data for certain keys
  79. How to prevent pages from automatically adding line breaks?
  80. How to add a button that enables the user to insert a link in a textarea located in the front-end?
  81. Firefox CSS Animations Broke [closed]
  82. Inline style HTML attribute is being stripped from all elements of a post
  83. Unfamiliar HTML Properties in Avada and Divi Themes [closed]
  84. #text at the begging of every page, before the main content block
  85. Phantom strong tags in wordpress
  86. Convert bookmarks.html file into WP posts
  87. With wp_list_category put every existing category into an option tag
  88. Https and Http for iFrame
  89. Excerpt keep stripping tags
  90. What file is the tag located in Genesis default theme?
  91. Show preview of wordpress posts on external html sever
  92. Applying metatag to single page
  93. Where to find HTML to post Adsense Code
  94. An extra is appearing in my source code–how do I diagnose the source?
  95. how add class in containers
  96. Link opens a new website instead of my own
  97. how i can change wordpress post views?
  98. Configuration Options for embedded YouTube Videos
  99. How to play a video after the end of another one via link?
  100. Moving from Microsoft Front Page 2003 to WordPress

Leave a Comment

© 2024 Read For Learn