HTML has a reserved set of characters: <, >, &, ", and '. HTML entities are how you represent these special characters safely.
Named Entities Reference

- `&amp;` → &
- `&lt;` → <
- `&gt;` → >
- `&quot;` → "
- `&apos;` (or the numeric `&#39;`) → '
Preventing XSS Attacks
XSS happens when user input is displayed without proper encoding:
```html
<!-- VULNERABLE: the template inserts the raw comment into the page -->
<div>{{ user_comment }}</div>

<!-- SAFE: the same comment after HTML entity encoding; the browser displays
     the text instead of executing it -->
&lt;script&gt;alert(&quot;XSS!&quot;)&lt;/script&gt;
```
Security Best Practices
- Always encode user input — Never display untrusted content without encoding
- Use textContent instead of innerHTML — Always safe for user content
- Encode at display time, not storage time — Store raw, encode when displaying
- Use context-aware encoding — HTML, attributes, JS, URL, and CSS each need different encoding
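The encoding described in the XSS section and the "context-aware encoding" rule above, as an added example (not code from the original article). `encodeForHtml` and `encodeForJsString` are names chosen here; the comment text is a constructed sample.

```javascript
// Added example: output encoders for two different contexts.
// Names (encodeForHtml, encodeForJsString, renderComment*) are our own.

// Entity map for the five reserved HTML characters. &#39; is used for the
// apostrophe because older HTML parsers do not recognise &apos;.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encoder for HTML element content and quoted attribute values.
// In a browser, setting element.textContent does this for you.
function encodeForHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Encoder for a JavaScript string literal, e.g. <script>var c = "...";</script>.
// HTML encoding is the wrong tool here: the JS parser does not decode entities,
// and "</script>" would still end the script block. Escaping every character
// outside [A-Za-z0-9] as \xHH or \uHHHH means neither a quote nor "</script>"
// can terminate the literal.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Render the stored (raw) comment at display time, with the encoder that
// matches the context it lands in.
function renderCommentHtml(comment) {
  return `<div class="comment">${encodeForHtml(comment)}</div>`;
}

function renderCommentScript(comment) {
  return `<script>var comment = "${encodeForJsString(comment)}";</script>`;
}

// Constructed sample input: the payload from the article's example.
const userComment = '<script>alert("XSS!")</script>';
console.log(renderCommentHtml(userComment));
console.log(renderCommentScript(userComment));
```

Running it shows the element-content version as `&lt;script&gt;alert(&quot;XSS!&quot;)&lt;/script&gt;` and the JS-string version with every punctuation character turned into a `\x` escape.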
Try our HTML Encoder and HTML Decoder for instant encoding and decoding.