Fix HTML Entity Encoding Errors & Prevent XSS
Resolve HTML entity encoding issues: broken special characters, XSS vulnerabilities from missing encoding, double-encoding, and entity reference errors.
HTML entity encoding errors cause two categories of problems: display issues (broken characters, garbled text) and security vulnerabilities (XSS attacks from unescaped user input). This guide covers both with practical fixes.
Common errors covered
XSS vulnerability from unescaped user input
Security scan: Reflected XSS in search parameter
User input renders as executable HTML/JavaScript
When user input is inserted into HTML without encoding, an attacker can inject tags, attributes, or event handlers that execute arbitrary JavaScript in other users' browsers, with those users' sessions and privileges.
Step-by-step fix
- 1 Test your inputs with our HTML Entity Encoder.
- 2 Find every place user input is written into HTML (templates, string concatenation, innerHTML) and encode at each one.
- 3 Use your framework's auto-escaping (React JSX, Angular bindings, Jinja2 with autoescape on or the |e filter).
- 4 For content that must contain HTML, use a sanitization library such as DOMPurify, and still restrict the tags and attributes it allows.
<!-- DANGEROUS: unescaped user input (autoescaping off, or the value marked safe) -->
<p>Welcome, {{ user_name }}</p>
<!-- SAFE: HTML-encoded output -->
<p>Welcome, {{ user_name | escape }}</p>
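The two renderings above, reproduced with a toy template engine, as an added example that is not the guide's own code. The `{{ name }}` syntax and the helper names are assumptions for this example, not a real engine's API; the attacker payloads and template are constructed.

```javascript
// Added example (not part of the original guide): a toy template renderer that
// shows what an engine does with autoescaping off versus on. The {{ name }}
// syntax and the helper names are assumptions for this example.

// Encode the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')  // first, so the entities added below are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;'); // &apos; is HTML5-only; the numeric form works everywhere
}

const PLACEHOLDER = /\{\{\s*(\w+)\s*\}\}/g;

// DANGEROUS: substitutes values verbatim, which is what an engine does when
// autoescaping is off or a value has been marked "safe".
function renderUnsafe(template, vars) {
  return template.replace(PLACEHOLDER, (_, name) => String(vars[name] ?? ''));
}

// SAFE: every substituted value is entity-encoded on its way into the HTML.
function renderSafe(template, vars) {
  return template.replace(PLACEHOLDER, (_, name) => escapeHtml(vars[name] ?? ''));
}

// Constructed attacker input (not real traffic): a script tag aimed at element
// content, and an attribute-breakout payload aimed at a quoted attribute.
const SCRIPT_PAYLOAD = '<script>alert(document.cookie)</script>';
const ATTR_PAYLOAD = '" onmouseover="alert(1)';

// Constructed template: the guide's greeting plus an attribute that reflects a
// search parameter, the classic reflected-XSS sink.
const TEMPLATE = '<p>Welcome, {{ user_name }}</p><input value="{{ search }}">';

// Render the payloads both ways so the difference can be inspected.
function demo() {
  const vars = { user_name: SCRIPT_PAYLOAD, search: ATTR_PAYLOAD };
  return {
    unsafe: renderUnsafe(TEMPLATE, vars),
    safe: renderSafe(TEMPLATE, vars),
  };
}
```

`renderUnsafe` produces `<input value="" onmouseover="alert(1)">`: the payload closed the attribute and added an event handler. `renderSafe` produces `<input value="&quot; onmouseover=&quot;alert(1)">`, where the whole payload stays inside the attribute as inert text. Note that `&` is encoded first; doing it last would turn the `&lt;` just produced into `&amp;lt;`, which is the double-encoding problem covered next.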
Double-encoded entities showing as &amp; or &lt;
Page shows &amp; instead of & or &lt; instead of <
When already-encoded text is encoded again, the & that starts each entity is itself encoded: &amp; becomes &amp;amp; and &lt; becomes &amp;lt;, and the browser displays the literal text &amp; or &lt;. The usual cause is multiple layers each applying encoding: a manual escape in view code, then a template with auto-escaping, sometimes a third pass in a client-side renderer.
Step-by-step fix
- 1 Paste the broken text into our HTML Entity Encoder and click Decode.
- 2 If you still see entities, decode again - it was double-encoded.
- 3 Fix the source: encode only once, at the template rendering layer.
- 4 If using a framework, check that auto-escaping is not applied on top of manual escaping.
<!-- Double-encoded: manual escape + auto-escape -->
{{ escape(user_name) | escape }}
<!-- Let the framework handle escaping once -->
{{ user_name | escape }}
Unknown or invalid HTML entity references
Browser shows entity name as literal text instead of symbol
Invalid entity reference
Only the named character references defined in the HTML specification are valid. Misspelled or made-up entity names render as literal text, exactly as typed. Numeric character references (decimal &#169; or hexadecimal &#xA9;) resolve for any valid code point, whatever the name might have been.
Step-by-step fix
- 1 Check the entity name against the HTML specification's named character reference list. Names are case-sensitive and should always end with a semicolon.
- 2 Use numeric entities for guaranteed compatibility: &#169; or &#xA9; for the copyright symbol.
- 3 Use our HTML Entity Encoder to convert characters to valid entities.
- 4 Consider using UTF-8 characters directly instead of entities (modern best practice), provided the page declares <meta charset="utf-8">.
<!-- Invalid: shown as literal text -->
&copyright; &arrowright; &elipsis;
<!-- Valid -->
&copy; &rarr; &hellip;
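A small decoder that serves both the double-encoding section and this one, as an added example that is not the guide's tooling: it decodes one layer of entities the way a browser does (unknown names stay literal), counts how many encoding layers a broken string has, and lists references that are not valid names. The named-entity table is a deliberately tiny subset of the HTML5 list; a real checker would load the full table from the WHATWG specification. Function names and sample strings are assumptions constructed for this example.

```javascript
// Added example (not from the original guide): an entity decoder and two
// diagnostics built on it. Helper names are assumptions for this example.

// Subset of the HTML named character references (name -> code point). Names are
// case-sensitive. A Map avoids matching Object.prototype keys such as
// "constructor", which a plain-object lookup would wrongly treat as a name.
const NAMED_ENTITIES = new Map(Object.entries({
  amp: 0x26, lt: 0x3c, gt: 0x3e, quot: 0x22, apos: 0x27, nbsp: 0xa0,
  copy: 0xa9, reg: 0xae, rarr: 0x2192, rightarrow: 0x2192, hellip: 0x2026,
}));

// Named, decimal (&#169;) or hexadecimal (&#xA9;) reference, semicolon required.
const ENTITY_RE = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;

// Decode exactly one layer of references. Unknown names and out-of-range
// numbers are left as literal text, which is what a browser displays for them.
function decodeEntities(text) {
  return String(text).replace(ENTITY_RE, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return NAMED_ENTITIES.has(body) ? String.fromCodePoint(NAMED_ENTITIES.get(body)) : match;
  });
}

// Minimal encoder, here only to reproduce the bug: apply it twice and you get
// the &amp;lt; that the double-encoding section describes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Decode until the text stops changing; the number of passes is the number of
// encoding layers that were applied. Diagnostic only: the fix is to encode once
// at output time, never to decode in a loop in production code, because the
// loop would also "decode" text a user genuinely typed as &amp;.
function countEncodingLayers(text, maxPasses = 5) {
  let layers = 0;
  let current = String(text);
  while (layers < maxPasses) {
    const next = decodeEntities(current);
    if (next === current) break;
    current = next;
    layers += 1;
  }
  return { layers, decoded: current };
}

// List named references the table does not know. With the full HTML5 table this
// is exactly the set a browser would render as literal "&name;" text.
function findInvalidEntities(text) {
  const invalid = [];
  for (const m of String(text).matchAll(/&([a-zA-Z][a-zA-Z0-9]*);/g)) {
    if (!NAMED_ENTITIES.has(m[1])) invalid.push(m[0]);
  }
  return invalid;
}

// Numeric reference for any character: the "guaranteed compatibility" form.
function toNumericEntity(ch) {
  return `&#${String(ch).codePointAt(0)};`;
}
```

`countEncodingLayers('&amp;lt;script&amp;gt;')` reports two layers and the decoded text `<script>`, which tells you two encoders ran in series; `findInvalidEntities` on the six references above returns the three misspelled ones. Both `&rarr;` and `&rightarrow;` are real HTML5 names for the same arrow, which is why checking against the specification list rather than guessing matters.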
Prevention Tips
- Enable your template engine's auto-escaping and only disable it for a specific value you know is safe, never globally.
- Use Content Security Policy (CSP) headers as a defense-in-depth measure against XSS; they limit what injected script can do but are not a substitute for output encoding.
- Test with our HTML Entity Encoder to understand how encoding transforms work.
- Prefer UTF-8 characters over HTML entities in modern applications.
Frequently Asked Questions
Should I encode all user input?
Yes. Encode every piece of untrusted data at the point where it is written into the page, using the encoder for that output context: element content, attribute values, URLs, CSS values, and JavaScript strings each have different rules, and HTML entity encoding alone is not enough for the last three.
What is the difference between HTML encoding and URL encoding?
HTML encoding converts special characters to entity references for safe display in HTML. URL encoding converts characters to percent-encoded form for safe use in URLs. They serve different purposes and are NOT interchangeable: a value placed in a URL that is itself inside an HTML attribute needs both, URL encoding first and HTML encoding second.
Is React automatically safe from XSS?
React escapes values interpolated into JSX by default, which prevents most XSS. It does not protect dangerouslySetInnerHTML, href or src attributes that receive a javascript: URL, or server-rendered state embedded in an inline script without escaping.
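The three FAQ answers above share one point: the encoder has to match the output context. The following added example, which is not code from the guide or from React, shows the encodings for two contexts that HTML entity encoding does not cover (a JavaScript string literal and a URL parameter) and an href check that rejects javascript: URLs the way a browser would actually interpret them. Helper names and the scheme allowlist are assumptions for this example.

```javascript
// Added example (not from the original page): context-specific encoders plus
// an href scheme check. Helper names and ALLOWED_SCHEMES are assumptions.

// JavaScript string context: escape every non-alphanumeric UTF-16 code unit as
// \uXXXX. Safe inside "..." or '...', and because < / > are escaped too, the
// value cannot terminate an enclosing <script> block with </script>.
function encodeForJsString(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    out += /[A-Za-z0-9]/.test(c)
      ? c
      : '\\u' + s.charCodeAt(i).toString(16).toUpperCase().padStart(4, '0');
  }
  return out;
}

// URL query parameter context: percent-encoding. The HTML entity for the same
// character is different (&lt; versus %3C); if the URL then goes into an HTML
// attribute, entity-encode the percent-encoded result as a second step.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// href/src context: percent-encoding does not help when the whole attribute
// value is the URL, because "javascript:alert(1)" is a well-formed URL. Parse it
// the way the browser will (leading whitespace stripped, tabs and newlines
// removed, scheme case-folded) and allow only known schemes.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns the original value if its scheme is allowed, otherwise null so the
// caller can substitute a harmless link. The value still needs HTML attribute
// encoding when it is written into the href.
function safeHref(value) {
  let parsed;
  try {
    // Relative URLs resolve against a placeholder origin; only the scheme is inspected.
    parsed = new URL(String(value), 'https://placeholder.invalid/');
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? String(value) : null;
}
```

Because the check uses the WHATWG URL parser, obfuscations such as `  JaVa\tScRiPt:alert(1)` are normalised to the `javascript:` scheme and rejected, which a plain `startsWith('javascript:')` test would miss. Protocol-relative values like `//other.example/` inherit `https:` and pass the scheme check, so add a host allowlist if linking off-site is not intended.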