HTML Entities Explained: When to Encode, When to Skip, and What Goes Wrong

DEV Community·Snappy Tools·about 1 month ago
Tags: #webdev #html #entities #encoding #encode

HTML entities trip up developers in two situations: encoding content for display, and sanitizing content to prevent injection. These are related but not the same thing, and mixing them up is how XSS vulnerabilities happen. This post covers what HTML entities actually are, when you must encode, when you don't need to, and what your framework is (hopefully) doing for you.

What is an HTML entity?

An HTML entity is a text representation of a character that has special meaning in HTML, or of a character that can't easily be typed. It takes one of three forms:

Named entity: &amp; &lt; &gt; &quot; (and &apos; for the apostrophe, which is only guaranteed in HTML5 parsers; the numeric form &#39; works everywhere)
Numeric decimal: &#38; &#60; &#62;
Numeric hex: &#x26; &#x3C; &#x3E;

They all start with an ampersand and end with a semicolon. The browser decodes them back to the character when it parses the markup, so an encoded "<" is shown as a literal less-than sign instead of opening a tag.

The five characters you always need to encode

These five characters have special meaning in HTML.…
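The encode/decode behaviour described above, and the difference between encoding and "sanitizing" that the post warns about, as an added example in JavaScript. This is not code from the original post or its author; the function names, the small named-entity table and the sample payload are all constructed for illustration.

```javascript
// Added example, not code from the original post. Encoder for the five
// characters that carry meaning in HTML, a decoder for the three entity
// forms (named, decimal, hex), and a contrast with a naive "sanitizer".

const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for insertion into HTML text content or a quoted attribute value.
// Only these five characters are touched; everything else passes through.
function encodeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Named entities this decoder understands. A real browser knows over two
// thousand names; a small table is enough to show the three forms together.
const DECODE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode &name; , &#NN; (decimal) and &#xHH; (hex) back to the character.
// Unknown names and out-of-range code points are left untouched, which is
// also what a browser does with a reference it does not recognise.
function decodeHtml(input) {
  return String(input).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (whole, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    return Object.prototype.hasOwnProperty.call(DECODE_MAP, body) ? DECODE_MAP[body] : whole;
  });
}

// Rendering helper: untrusted text goes into the page encoded, never raw.
function renderComment(userText) {
  return `<p class="comment">${encodeHtml(userText)}</p>`;
}

// The wrong tool for the job: a "sanitizer" that strips <script> blocks.
// It looks like a defence but does nothing about an event handler on an
// <img>, which is exactly the confusion that turns into XSS.
function naiveStripScript(input) {
  return String(input).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Constructed sample input (not from the post): a classic handler payload.
const SAMPLE_PAYLOAD = '<img src=x onerror=alert(1)>';

console.log(renderComment(SAMPLE_PAYLOAD));   // the tag is shown as text, not parsed
console.log(naiveStripScript(SAMPLE_PAYLOAD)); // the payload comes back unchanged
console.log(encodeHtml(encodeHtml('<')));      // &amp;lt; : double encoding shows "&lt;" on screen
```

Two things worth noticing when you run it: encoding is idempotent only if you apply it once, so `encodeHtml(encodeHtml(x))` produces `&amp;lt;` and the user sees the literal text `&lt;`, which is the usual symptom of encoding at two layers; and decoding is lossy in the other direction, because once you decode you are back to raw markup and must encode again before rendering.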
