Which characters need to be escaped in HTML

Question

Are they the same as XML  perhaps plus the space one   amp nbsp     I ve found some huge lists of HTML escape characters but I don t think they must be escaped  I want to know what needs to be escaped

User · Answer

It depends upon the context  Some possible contexts in HTML    document body inside common attributes inside script tags inside style tags several more    See OWASP s Cross Site Scripting Prevention Cheat Sheet  especially the  Why Can t I Just HTML Entity Encode Untrusted Data   and  XSS Prevention Rules  sections  However  it s best to read the whole document

User · Answer

If you re inserting text content in your document in a location where text content is expected1  you typically only need to escape the same characters as you would in XML  Inside of an element  this just includes the entity escape ampersand  amp  and the element delimiter less-than and greater-than signs  lt    gt    amp  becomes  amp amp   lt  becomes  amp lt   gt  becomes  amp gt   Inside of attribute values you must also escape the quote character you re using   quot  becomes  amp quot    becomes  amp  39   In some cases it may be safe to skip escaping some of these characters  but I encourage you to escape all five in all cases to reduce the chance of making a mistake  If your document encoding does not support all of the characters that you re using  such as if you re trying to use emoji in an ASCII-encoded document  you also need to escape those  Most documents these days are encoded using the fully Unicode-supporting UTF-8 encoding where this won t be necessary  In general  you should not escape spaces as  amp nbsp    amp nbsp  is not a normal space  it s a non-breaking space  You can use these instead of normal spaces to prevent a line break from being inserted between two words  or to  insert                    extra                space              without     it     being     automatically       collapsed  but this is usually a rare case  Don t do this unless you have a design constraint that requires it   1 By  quot a location where text content is expected quot   I mean inside of an element or quoted attribute value where normal parsing rules apply  For example   lt p gt HERE lt  p gt  or  lt p title  quot HERE quot  gt     lt  p gt   What I wrote above does not apply to content that has special parsing rules or meaning  such as inside of a script or style tag  or as an element or attribute name  For example   lt NOT-HERE gt     lt  NOT-HERE gt    lt script gt NOT-HERE lt  script gt    lt style gt NOT-HERE lt  style gt   or  lt p NOT-HERE  quot     quot  gt     lt  p gt   In these contexts  the rules are more complicated and it s much easier to introduce a security vulnerability  I strongly discourage you from ever inserting dynamic content in any of these locations  I have seen teams of competent security-aware developers introduce vulnerabilities by assuming that they had encoded these values correctly  but missing an edge case  There s usually a safer alternative  such as putting the dynamic value in an attribute and then handling it with JavaScript  If you must  please read the Open Web Application Security Project s XSS Prevention Rules to help understand some of the concerns you will need to keep in mind

User · Answer

The exact answer depends on the context  In general  these characters must not be present  HTML 5 2   3 2 4 2 5    Text nodes and attribute values must consist of Unicode characters  must not contain U 0000 characters  must not contain permanently undefined  Unicode characters  noncharacters   and must not contain control characters other than space characters  This specification includes extra constraints on the exact value of Text nodes and attribute values depending on their precise context  For elements in HTML  the constraints of the Text content model also depends on the kind of element  For instance  an  quot  lt  quot  inside a textarea element does not need to be escaped in HTML because textarea is an escapable raw text element   These restrictions are scattered across the specification  E g   attribute values    8 1 2 3  must not contain an ambiguous ampersand and be either  i  empty   ii  within single quotes  and thus must not contain U 0027 APOSTROPHE character      iii  within double quotes  must not contain  U 0022 QUOTATION MARK character  quot    or  iv  unquoted     with the following restrictions       must not contain any literal space characters  any U 0022 QUOTATION MARK characters   quot    U 0027 APOSTROPHE characters      U 003D EQUALS SIGN characters      U 003C LESS-THAN SIGN characters   lt    U 003E GREATER-THAN SIGN characters   gt    or U 0060 GRAVE ACCENT characters      and must not be the empty string

User · Answer

Basically  there are three main characters which should be always escaped in your HTML and XML files  so they don t interact with the rest of the markups  so as you probably expect  two of them gonna be the syntax wrappers  which are  lt  gt   they are listed as below   1    amp lt    lt         2    amp gt    gt         3    amp amp    amp    Also we may use double-quote   quot   as  quot  and the single quote     as  amp apos Avoid putting dynamic content in  lt script gt  and  lt style gt  These rules are not for applied for them  For example  if you have to include JSON in a   replace  lt  with  x3c  the U 2028 character with  u2028  and U 2029 with  u2029 after JSON serialisation   HTML Escape Characters  Complete List  http   www theukwebdesigncompany com articles entity-escape-characters php So you need to escape  lt   or  amp  when followed by anything that could begin a character reference  Also The rule on ampersands is the only such rule for quoted attributes  as the matching quotation mark is the only thing that will terminate one  But if you don   t want to terminate the attribute value there  escape the quotation mark   Changing to UTF-8 means re-saving your file   Using the character encoding UTF-8 for your page means that you can avoid the need for most escapes and just work with characters  Note  however  that to change the encoding of your document  it is not enough to just change the encoding declaration at the top of the page or on the server  You need to re-save your document in that encoding  For help understanding how to do that with your application read Setting encoding in web authoring applications  Invisible or ambiguous characters  A particularly useful role for escapes is to represent characters that are invisible or ambiguous in presentation  One example would be Unicode character U 200F RIGHT-TO-LEFT MARK  This character can be used to clarify directionality in bidirectional text  eg  when using the Arabic or Hebrew scripts   It has no graphic form  however  so it is difficult to see where these characters are in the text  and if they are lost or forgotten they could create unexpected results during later editing  Using    or its numeric character reference equivalent    instead makes it very easy to spot these characters  An example of an ambiguous character is U 00A0 NO-BREAK SPACE  This type of space prevents line breaking  but it looks just like any other space when used as a character  Using    makes it quite clear where such spaces appear in the text

[html] Which characters need to be escaped in HTML?

Examples related to html

Examples related to html-entities

Examples related to html-encode

Examples related to html-escape-characters