I am about to send an html email in code that may contain unsafe user input. I have noticed that if I html escape the subject, GMail will then display the escaped content (so if my subject is "This & That", which I sanitize as "This &amp; That", Gmail shows the latter). The same goes for Thunderbird. Is it safe to assume that all email clients do not need the subject html escaped?
No need to encode HTML entities in a subject line. The reason for encoding in the HTML body is if you're using XHTML which, because it derives from XML, treats "&" as a reserved character.

However, the subject line of an email is not in HTML, XML, or XHTML. It's just pure text. Because of this, you don't need to encode an ampersand as "&amp;". If you do encode it, because it's not being parsed as HTML, it will be displayed as encoded.

If you want to include non-ASCII characters (e.g. "£"), then you need to encode the whole 'envelope' (including the email body) as UTF-8.

So, in code, the following will be shown as:
NB: Microsoft Office has a weird implementation of UTF-8, so not all UTF-8 characters will work.
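An added example, not code from the question or the answer above, showing the same point with Python's standard email package: the Subject header is set as plain text and, when it contains non-ASCII characters such as "£", is serialized as an RFC 2047 encoded-word rather than as HTML entities, while the untrusted text is HTML-escaped only in the text/html part. The addresses and the sample user input are constructed for the example.

```python
import email
import html
from email.message import EmailMessage
from email.policy import SMTP


def build_html_email(subject: str, user_text: str,
                     sender: str = "noreply@example.com",   # constructed address
                     recipient: str = "user@example.com") -> EmailMessage:
    """Build a multipart/alternative message from untrusted input.

    The Subject header is plain text and is never HTML-escaped. When the
    message is serialized, the email package turns any non-ASCII characters
    in it into an RFC 2047 encoded-word, so the header stays 7-bit on the
    wire and the receiving client decodes it back to the original text.
    Only the text/html part is an HTML context, so only there is the
    untrusted text escaped.
    """
    msg = EmailMessage(policy=SMTP)
    msg["Subject"] = subject            # plain text, NOT html.escape(subject)
    msg["From"] = sender
    msg["To"] = recipient
    # text/plain alternative is not HTML either, so it is not escaped
    msg.set_content(user_text)
    # text/html alternative: escape &, <, >, " and ' before interpolating
    safe = html.escape(user_text, quote=True)
    msg.add_alternative(
        f"<html><body><p>{safe}</p></body></html>", subtype="html")
    return msg


def wire_subject(msg: EmailMessage) -> str:
    """Return the Subject value exactly as it is serialized for SMTP
    (the first header line only; subjects here are short enough not to fold)."""
    header_block = msg.as_bytes().split(b"\r\n\r\n", 1)[0]
    # Headers must be 7-bit; a UnicodeDecodeError here would mean they are not
    for line in header_block.decode("ascii").split("\r\n"):
        if line.lower().startswith("subject:"):
            return line[len("subject:"):].strip()
    raise ValueError("no Subject header")


def round_trip_subject(msg: EmailMessage) -> str:
    """Parse the serialized bytes as a receiving client would and return
    the decoded Subject text."""
    parsed = email.message_from_bytes(msg.as_bytes(), policy=SMTP)
    return str(parsed["Subject"])


def html_part(msg: EmailMessage) -> str:
    """Return the decoded text/html body."""
    return msg.get_body(preferencelist=("html",)).get_content()


if __name__ == "__main__":
    # constructed untrusted input: an ampersand plus a script tag
    m = build_html_email("This & That", "Tom & Jerry <script>alert(1)</script>")
    print("wire subject:   ", wire_subject(m))
    print("decoded subject:", round_trip_subject(m))
    print("html part:      ", html_part(m).strip())
    m2 = build_html_email("Price: £5", "plain text")
    print("wire subject:   ", wire_subject(m2))
    print("decoded subject:", round_trip_subject(m2))
```

The ASCII subject goes on the wire verbatim and comes back verbatim; the one containing "£" goes out as an ASCII encoded-word and is decoded by the parser, with no HTML parser anywhere in that path, which is why an "&amp;" placed in a subject is displayed literally. The script tag, by contrast, only becomes harmless once it lands in the text/html part through html.escape().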