Common HTML Entities
Entity    Character    Name
&amp;     &            ampersand
&lt;      <            less than
&gt;      >            greater than
&quot;    "            double quote
&#39;     '            apostrophe (also written &apos;)
&nbsp;    (blank)      non-breaking space

HTML entity encoding is a primary defence against Cross-Site Scripting (XSS). When user-supplied text is rendered into an HTML page, every <, >, &, ", and ' must be escaped as its entity equivalent to prevent the browser from interpreting it as markup. This encoder handles the five essential characters plus optional full Unicode escaping.
An XSS attack injects a script tag such as <script>alert('xss')</script> into page content. If the server renders this string directly into HTML without encoding, the browser executes the script. HTML entity encoding transforms the same string into &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;, which browsers display as text and never execute. Context matters: entity encoding is correct for HTML text content; attribute context requires additional rules.
The characters that must be encoded are & < > " '. Encoding them prevents the most common vector, but context matters. HTML entity encoding is correct for HTML body content. In JavaScript contexts, you need JavaScript escaping. In URL attributes, URL encoding. In CSS, CSS escaping. Use a context-aware sanitiser library for robust XSS prevention.
Why must & be encoded first? If you encode < to &lt; first and then encode &, you would double-encode it to &amp;lt;. Always encode the ampersand before other characters to avoid this.
Always encode apostrophes (') when the text appears inside a single-quoted HTML attribute. In HTML body text, apostrophes are safe without encoding, but encoding them defensively does no harm.
HTML entity encoding is for text inside HTML markup. URL encoding (percent-encoding) is for query parameters and URL path segments. < in HTML becomes &lt;; in a URL it becomes %3C. Both represent the same character, but they are incompatible encoding schemes.
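The behaviour described on this page, as an added example rather than the encoder tool's own source: a single-pass entity encoder for the five essential characters with optional full Unicode escaping, the ampersand-ordering mistake that produces &amp;lt;, an attribute helper that always quotes and encodes the value, the percent-encoding used in URL context, and a small decoder for round-trip checks. The function names (encodeHtml, encodeHtmlWrongOrder, htmlAttribute, encodeForUrl, decodeHtml) and the sample strings are this example's own choices, not part of the page.

```javascript
// Added example, not the encoder tool's own source. Function names and the
// sample strings below are this example's own choices.

// The five essential characters and their entity equivalents.
const HTML_ENTITIES = new Map([
  ['&', '&amp;'],
  ['<', '&lt;'],
  ['>', '&gt;'],
  ['"', '&quot;'],
  ["'", '&#39;'],
]);

// Single-pass encoder. Each input character is examined exactly once, so the
// '&' written by one substitution can never be picked up and encoded again.
// With fullUnicode set, every code point outside printable ASCII becomes a
// hexadecimal numeric character reference.
function encodeHtml(text, { fullUnicode = false } = {}) {
  let out = '';
  for (const ch of text) { // for...of walks code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    if (HTML_ENTITIES.has(ch)) {
      out += HTML_ENTITIES.get(ch);
    } else if (fullUnicode && cp > 0x7e) {
      out += '&#x' + cp.toString(16).toUpperCase() + ';';
    } else {
      out += ch;
    }
  }
  return out;
}

// The ordering mistake from the FAQ: '<' is replaced before '&', so the '&'
// inside the freshly written '&lt;' is encoded a second time.
function encodeHtmlWrongOrder(text) {
  return text
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/&/g, '&amp;'); // too late: also hits the '&' of '&lt;' and '&gt;'
}

// Attribute context: the value is entity-encoded AND always wrapped in double
// quotes, so a quote character in the value cannot terminate the attribute.
function htmlAttribute(name, value) {
  return name + '="' + encodeHtml(value) + '"';
}

// URL context uses percent-encoding instead; '<' becomes %3C, not &lt;.
function encodeForUrl(value) {
  return encodeURIComponent(value);
}

// Decoder for round-trip checks: the named entities from the table above plus
// decimal and hexadecimal numeric references. Unknown entities are left alone.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };
function decodeHtml(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Constructed samples: the payload quoted on the page, and text that already
// contains entities (which must be encoded once more, not passed through).
const PAYLOAD = "<script>alert('xss')</script>";
const PRE_ENCODED = '&lt;b&gt; &amp; "quotes"';

console.log(encodeHtml(PAYLOAD));              // &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;
console.log(encodeHtml(PRE_ENCODED));          // &amp;lt;b&amp;gt; &amp;amp; &quot;quotes&quot;
console.log(encodeHtmlWrongOrder('<'));        // &amp;lt;  (double-encoded)
console.log(htmlAttribute('title', 'say "hi" & bye'));
console.log(encodeForUrl('<'));                // %3C
console.log(encodeHtml('caf\u00e9', { fullUnicode: true })); // caf&#xE9;
```

The single-pass loop is the structural fix for the ordering problem: because each character is classified once, there is no "first" and "second" replacement whose outputs can interact, whereas chained replace calls only work if the ampersand replacement runs before all others.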
See also the HTML Decoder, HTML Encoder, and the HTML Formatter.