HTML Entity Encoding Errors: Fixing Display Bugs and XSS Vulnerabilities

HTML entity encoding exists because the HTML specification reserves certain characters for markup syntax. The five characters that must always be escaped in HTML text content are: < (less-than, starts a tag), > (greater-than, ends a tag), & (ampersand, starts an entity), " (double quote, used in attribute values), and ' (apostrophe, used in attribute values). HTML entities provide a way to include these characters as literal text: &lt; for <, &gt; for >, &amp; for &, &quot; for ", and &apos; or &#x27; for '.

Double-encoding is the most common display bug. It happens when HTML entities are encoded more than once. The string 'Tom & Jerry' correctly encodes to 'Tom &amp; Jerry' after one round of encoding. If encoded again, &amp; becomes &amp;amp;, producing 'Tom &amp;amp; Jerry', which the browser displays as 'Tom &amp; Jerry' — with the literal characters &amp; visible on screen instead of &. This usually happens when template engines auto-escape values that were already manually escaped, or when content is stored in escaped form in a database and then escaped again when rendering.

XSS (Cross-Site Scripting) is the security consequence of insufficient HTML encoding. When user-supplied content is inserted into a page's HTML without escaping, an attacker can inject JavaScript that executes in the victim's browser. A stored XSS attack stores the malicious script in the database; every user who views the content triggers the script. A reflected XSS attack includes the script in a URL parameter; clicking the link executes the script in the victim's session. Both are prevented by consistently escaping user content at render time.

Numeric vs named HTML entities introduce compatibility issues. Named entities like &nbsp; (non-breaking space) and &copy; (copyright symbol) are supported in HTML but not in XML. XHTML documents, SVG files, and XML-based email templates only support the five predefined XML entities: &lt;, &gt;, &amp;, &quot;, and &apos;. If you use &nbsp; in an SVG file or XML document, the parser will throw 'undefined entity' errors. Use &#160; (numeric decimal) or &#xA0; (numeric hex) for the non-breaking space in XML contexts.

When entity text like &amp; or &lt; appears literally on the page, right-click and inspect the element in browser devtools. Look at the actual HTML source vs the rendered text. If the DOM shows &amp;amp; (four characters followed by a semicolon), the content has been double-encoded. If the DOM shows &amp; but it is displaying as & in the browser, that is correct behavior — the browser is decoding it. Only if &amp; appears as literal text on screen (showing the six characters &, a, m, p, ;) is there a bug.

For XSS vulnerability diagnosis, test by inserting the string <script>alert('XSS')</script> into every user input field. If an alert box appears when the page is loaded (stored XSS) or when you submit and view the page (reflected XSS), the input is not being escaped. For more targeted testing, try the string " onmouseover="alert(1) in an input that appears in an HTML attribute context — if hovering triggers an alert, attribute encoding is missing. Use OWASP's XSS testing guide for a complete checklist.

For JavaScript code that renders HTML, check every assignment to innerHTML, outerHTML, and insertAdjacentHTML. Each of these can execute JavaScript if the assigned value contains event handlers or script tags. Search the codebase for these properties: grep -r 'innerHTML\|outerHTML\|insertAdjacentHTML' src/. Verify each usage either uses a trusted, sanitized string or is replaced with textContent.

For React applications, check every use of dangerouslySetInnerHTML. React auto-escapes all {expressions} in JSX, but dangerouslySetInnerHTML bypasses this protection. Also check for string concatenation with user data in template literals that are then passed to innerHTML in vanilla JS code embedded in useEffect or event handlers.

For displaying plain text content from users, always use element.textContent in vanilla JavaScript or text interpolation {value} in React JSX. Both automatically escape < to &lt; and & to &amp;, so no manual escaping is needed. This is the safest approach because it treats all content as text, never as markup.

For decoding HTML entities in JavaScript (reading encoded text to display in a non-HTML context like a textarea value or plain text email), use a DOM element as a decoder: const el = document.createElement('textarea'); el.innerHTML = encodedString; const decoded = el.value. This works because assigning to innerHTML parses the entities, and reading .value returns the decoded plain text. A textarea is used instead of a div to avoid executing script tags. In Node.js, the 'he' package provides he.decode() for server-side entity decoding without a DOM.

For server-side template engines, know whether your template auto-escapes by default and never manually escape before passing to an auto-escaping template. In Handlebars, {{variable}} auto-escapes; {{{variable}}} does not. In Jinja2/Nunjucks, {{ variable }} auto-escapes when autoescaping is enabled. In EJS, <%= variable %> auto-escapes; <%- variable %> does not. The pattern is: raw data in, template handles escaping.

For React, dangerouslySetInnerHTML must only receive sanitized HTML. Use DOMPurify (client-side) or the sanitize-html npm package (both client and server) with an explicit allowlist of permitted tags and attributes. Do not write your own sanitizer or use regex to strip tags — both approaches miss attack vectors like malformed HTML, SVG event handlers, and JavaScript in CSS.

For email templates with HTML entities, test across multiple email clients: Gmail, Outlook (2016-2022), Apple Mail, and the AOL/Yahoo webmail clients. Outlook uses Microsoft Word as its HTML rendering engine, which has different entity support than browser HTML parsers. For maximum compatibility, use numeric entities (&#160; for non-breaking space) rather than named entities, and test with Litmus or Email on Acid.

HTML attribute encoding requires different treatment than text content encoding. In an HTML attribute value like <input value="{userInput}">, the characters that must be escaped differ depending on whether the attribute is quoted (double quotes, single quotes) or unquoted. For maximum safety, always quote attributes and escape &, ", <, >, and / in the attribute value. Setting element.setAttribute('value', userInput) in JavaScript handles this automatically — the DOM API escapes attribute values. Constructing HTML strings with template literals for attribute values is dangerous without careful escaping.

SVG inline in HTML has a dual-context problem. SVG attributes can contain JavaScript via event handlers like onclick="evil()" and via href="javascript:...". A sanitizer that is safe for HTML may not be safe for inline SVG, because SVG has additional event attributes that are specific to SVG elements (like onbegin, onrepeat). DOMPurify with {USE_PROFILES: {svg: true}} handles SVG sanitization correctly. If you are embedding user-controlled SVG, this specific option is required.

React's auto-escaping applies to JSX expressions like {value} and to HTML attributes set via JSX props like className={value}. However, it does not protect href attributes when the value is a javascript: URL. React will render <a href={userUrl}> without escaping, and if userUrl is 'javascript:alert(1)', clicking the link executes JavaScript. Validate href values to ensure they start with 'http://', 'https://', or '/' before using them in anchor tags. In React 17+, a warning is logged for javascript: URLs, but they are not blocked.

DOMParser provides a clean API for parsing HTML strings in modern browsers. const doc = new DOMParser().parseFromString(htmlString, 'text/html'); const text = doc.body.textContent strips all HTML tags and returns plain text with entities decoded. This is useful for converting HTML-formatted API responses to plain text for use in alt attributes, page titles, or notification messages. Unlike the textarea trick, DOMParser does not execute scripts.

Sanitizing with regex is one of the most persistent mistakes in web security. Developers write patterns like str.replace(/<script>/gi, '') or str.replace(/<[^>]+>/g, '') thinking they strip all dangerous HTML. These patterns are defeated by incomplete tags (<scr<script>ipt>), alternative capitalization, JavaScript in non-script contexts (<img src=x onerror=...>), and HTML entity obfuscation (&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;). Use DOMPurify, sanitize-html, or a CSP header, not regex.

Mixing encoding contexts within a single string is a common source of both display bugs and security vulnerabilities. For example, constructing a JavaScript string that is then inserted into an HTML attribute that is then evaluated as CSS — each context has different encoding requirements, and a mistake in any layer allows injection. The principle of context-appropriate encoding: escape for the innermost context first, then the outer contexts. String in JavaScript string literal: escape \' and \. JavaScript in HTML attribute: encode the result for HTML attributes. This nesting must be handled correctly at each layer.

Not encoding special characters in JSON that will be embedded in an HTML script tag is a classic vulnerability. If server-side code renders JSON data directly into a script block: <script>var data = {{{json}}}</script>, and the JSON contains </script>, the string terminates the script block prematurely. The safe pattern is to replace < with \u003C, > with \u003E, and & with \u0026 in JSON that will appear inside a script tag. The JSON.parse() call in the script still works, but the </script> sequence in the JSON no longer terminates the HTML script block.

Confusing entity encoding with URL encoding is a common category error. &amp; is an HTML entity for &. %26 is the URL percent-encoding for &. They are different encodings for different contexts. A URL in an HTML href attribute needs the URL percent-encoded first, then the result HTML-encoded: href="/search?q=Tom%20%26amp%3B%20Jerry" is the correctly double-encoded version of /search?q=Tom & Jerry in an HTML attribute. Mixing them — using %26 in an HTML text node or &amp; in a URL query string — produces incorrect output.

Adopt a context-sensitive output encoding strategy. The OWASP Cheat Sheet defines six encoding contexts: HTML text content, HTML attribute values, JavaScript strings, CSS values, URL parameters, and URL paths. Each context has different dangerous characters and different escaping requirements. A security-conscious framework like React handles the first three automatically in JSX. For the others, use library functions: encodeURIComponent() for URL parameters, CSS.escape() for CSS selectors, and JSON.stringify() for JavaScript values.

Implement a Content Security Policy (CSP) header as a defense-in-depth measure. CSP restricts which scripts, styles, and other resources a page can load. A strict CSP like Content-Security-Policy: default-src 'self'; script-src 'self' prevents inline script injection even if XSS encoding is missed somewhere. Start with a report-only mode (Content-Security-Policy-Report-Only) to see what would be blocked before enforcing. Nonce-based CSP (adding a random nonce per request to allowed scripts) is more flexible than hash-based CSP for dynamic applications.

For rich text editors (Quill, TipTap, Slate, CKEditor), always sanitize the HTML output on the server before storing and again before rendering. Client-side sanitization is a convenience, not a security control — attackers can bypass it by sending requests directly to your API without going through the browser. The server must validate and sanitize all HTML before storage. Use a configurable library with an explicit allowlist of permitted tags, attributes, and CSS properties.

Test your encoding with a comprehensive set of XSS payloads. The OWASP XSS Filter Evasion Cheat Sheet provides hundreds of attack vectors that bypass naive sanitization. The key insight is that HTML parsers in browsers are extremely permissive — they accept malformed, partial, and creative HTML that no spec-compliant parser would. Security testing with a handful of <script> tags is insufficient; use an automated scanner like OWASP ZAP or Burp Suite's active scan for thorough XSS testing.