HTML Encode for XSS Prevention — Escape User Input
Quick Answer: HTML encoding converts dangerous characters to their entity equivalents: < becomes &lt;, > becomes &gt;, & becomes &amp;, " becomes &quot;. This prevents user input from being interpreted as HTML or JavaScript and is the primary defense against Cross-Site Scripting (XSS).
FAQ
What characters must be HTML encoded to prevent XSS?
At minimum: < (&lt;), > (&gt;), & (&amp;), " (&quot;), and ' (&#x27;). These prevent injection of HTML tags and attribute breakout. Modern frameworks do this automatically.
Does React protect against XSS automatically?
Yes. React auto-escapes all values in JSX. The exception is dangerouslySetInnerHTML, which bypasses escaping. Never use it with user input.
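The five-character encoding from the FAQ above, and the kind of automatic escaping a framework like React applies to interpolated values, as an added example (not code from the original page; the names htmlEncode and safeHtml and the sample inputs are constructed for illustration):

```javascript
// Entity map for the five characters the FAQ lists. & is included so that
// user text such as "&lt;" renders literally instead of being decoded to "<".
// &#x27; is used for the single quote because &apos; is not defined in HTML4.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode every occurrence of the five characters in one pass.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Tagged template: literal template parts are trusted markup written by the
// developer; every ${...} interpolation is untrusted and gets encoded. This is
// the same discipline JSX applies to values placed inside elements/attributes.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? htmlEncode(values[i]) : ''),
    ''
  );
}

// Constructed sample inputs: one attempts tag injection, the other attempts
// attribute breakout via a double quote. Both become inert text once encoded.
const untrustedName = '<img src=x onerror=alert(1)>';
const untrustedTitle = '" autofocus onfocus="alert(1)';

function renderGreeting(title, name) {
  return safeHtml`<p title="${title}">Hello, ${name}</p>`;
}

// After encoding, no raw <, >, or " from user input remains inside the markup.
console.log(renderGreeting(untrustedTitle, untrustedName));
```

Encoding is context-specific: this protects HTML element and attribute contexts, while values placed inside a `<script>` block, a URL, or inline CSS need encoding rules for that context.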