The Most Dangerous Characters in HTML (and How to Escape Them)
Only seven characters can destroy your HTML document or open security holes. Master these — and you prevent 99% of rendering and injection bugs.
The Dirty Seven
< → &lt; : ends tags prematurely
> → &gt; : can close tags early
& → &amp; : breaks existing entities
" → &quot; : breaks attributes
' → &#39; or &apos; : dangerous in JavaScript
` → &#96; : template literal killer
Non-breaking space (U+00A0) → &nbsp; or &#160; : invisible layout breaker
Real Examples That Broke Production
A user named “Tom & Jerry” in a leaderboard → table collapses.
A testimonial with curly quotes “smart” → JavaScript syntax error.
A French résumé with naïve → garbled text on older browsers.
How This Tool Handles Them
Our encoder intelligently chooses named entities when available and universally supported (e.g., &quot;), falling back to numeric entities for maximum compatibility. It also detects and normalizes non-breaking spaces, zero-width characters, and right-to-left overrides that cause invisible damage.
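The approach described above, as an added example rather than the tool's own code: an encoder for the seven characters from the table, with a named-or-numeric policy and a numeric-only fallback. Which invisible code points count as zero-width or bidi overrides, and that they are stripped rather than replaced, are assumptions of this example.

```javascript
// Added example, not the tool's source. Named entities for the characters every
// HTML parser understands by name; ' and backtick get numeric forms because
// &apos; is not recognised by HTML 4 parsers and backtick has no named entity.
const DIRTY_SEVEN = new Map([
  ["<", "&lt;"],
  [">", "&gt;"],
  ["&", "&amp;"],
  ['"', "&quot;"],
  ["'", "&#39;"],
  ["`", "&#96;"],
  ["\u00A0", "&nbsp;"],
]);

// Assumed set of "invisible damage" characters: zero-width space/joiners, BOM,
// and the Unicode bidi embedding/override/isolate controls (U+202A-E, U+2066-9).
// Assumption: these carry no legitimate content here, so they are removed.
const INVISIBLE = /[\u200B-\u200D\uFEFF\u202A-\u202E\u2066-\u2069]/g;

const DANGEROUS = /[<>&"'`\u00A0]/g;

// Encode untrusted text for element content or a quoted attribute value,
// preferring the named entity where one is universally supported.
function encodeHtml(text) {
  return String(text)
    .replace(INVISIBLE, "")
    .replace(DANGEROUS, (ch) => DIRTY_SEVEN.get(ch));
}

// Numeric-only variant (&#N;): the maximum-compatibility fallback the text
// describes, for consumers that may not know the named forms.
function encodeHtmlNumeric(text) {
  return String(text)
    .replace(INVISIBLE, "")
    .replace(DANGEROUS, (ch) => `&#${ch.charCodeAt(0)};`);
}

// The leaderboard case from the page: "Tom & Jerry" no longer collapses the table.
function leaderboardRow(name, score) {
  return `<tr><td>${encodeHtml(name)}</td><td>${encodeHtml(score)}</td></tr>`;
}
```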
FAQ
Why not just use textContent everywhere?
textContent strips all HTML. When you need to preserve formatting while staying safe, encoding is the only solution.
Are numeric entities always safer?
Yes. They work in every context: HTML, XML, JSON, and even inside CDATA sections.
Know your enemies. Encode early. Sleep peacefully.