What are the characters that are required and suffice when escaping user-generated content before

Question

0

Asked: May 15, 20262026-05-15T11:02:58+00:00 2026-05-15T11:02:58+00:00

What are the characters that are required and suffice when escaping user-generated content before

0

What are the characters that are required and suffice when escaping user-generated content before output? (in other words: what are the characters web developers should escape when outputting text that previously came from an untrusted, anonymous source?)

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-15T11:02:58+00:00

Editorial Team

2026-05-15T11:02:58+00:00Added an answer on May 15, 2026 at 11:02 am

When echoing to a page, you should encode

‘&’ (ampersand) becomes ‘&‘

‘”‘ (double quote) becomes ‘"‘

”’ (single quote) becomes ‘'‘

‘<‘ (less than) becomes ‘<‘

‘>’ (greater than) becomes ‘>‘

From PHP’s htmlspecialchars() docs.

Note that the context also matters.

You’ll also need to take the character set into account.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

What are the characters that are required and suffice when escaping user-generated content before

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply