Why escape HTML
Characters like <, >, &, and quotes have structural meaning in HTML. Displaying user-supplied text without escaping them is the classic path to broken layouts and cross-site scripting (XSS) attacks. Escaping converts them into harmless entity references the browser renders as visible characters.
The five essential entities
&amp; for & · &lt; for < · &gt; for > · &quot; for double quote · &#39; for single quote. Escaping these five covers safe insertion into element content and attribute values.
Note for frameworks
Modern frameworks (React, Vue, most template engines) escape output automatically. Manual escaping matters when building HTML strings by hand, writing to innerHTML, generating emails, or storing display-ready content.
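Manual escaping for hand-built HTML strings, as an added JavaScript example that is not part of the original page. The names escapeHtml, SafeHtml and html are hypothetical helpers, and the comment object is constructed sample input.

```javascript
// The five entities from the section above, applied in a single pass.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // null/undefined render as empty; everything else is stringified first.
  if (value === null || value === undefined) return '';
  // One regex pass replaces each character exactly once, so the "&" that
  // starts an emitted entity is never escaped a second time.
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Marks a string as markup that has already been escaped (hypothetical helper).
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template (hypothetical name `html`): the literal parts are trusted
// because the developer wrote them; every interpolated value is escaped unless
// it is SafeHtml from an earlier html`` call. Arrays are rendered and joined.
function html(strings, ...values) {
  const render = (v) =>
    v instanceof SafeHtml ? v.markup
      : Array.isArray(v) ? v.map(render).join('')
      : escapeHtml(v);
  let out = strings[0];
  values.forEach((v, i) => { out += render(v) + strings[i + 1]; });
  return new SafeHtml(out);
}

// Constructed sample input: author and body supplied by a user.
const comment = {
  author: 'Tom "T" O\'Neil',
  body: '<img src=x onerror=alert(1)> & more',
};

function renderComment(c) {
  // The attribute value is double-quoted. The five escapes do not protect
  // unquoted attributes, URL attributes (href/src), or <script>/<style> bodies.
  return html`<li title="${c.author}"><b>${c.author}</b>: ${c.body}</li>`.toString();
}

console.log(renderComment(comment));
```

The string returned by renderComment can be assigned to innerHTML or placed in an email body; the user-supplied markup shows up as visible text instead of being parsed as an element.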