TOOLTRIO
as their name and you display it unescaped, the browser executes the script. After HTML encoding, the same input displays as <script>alert('hacked')</script> — the browser shows it as literal text without executing anything. This encoding must happen at the point of rendering, not at the point of storage. Store the raw input; encode when displaying. Context matters: HTML encoding is correct for the HTML body; URL encoding is needed for href attributes; JavaScript encoding is needed for inline JS.

What is the difference between named and numeric HTML entities?

Named entities use a descriptive name: &amp; &lt; &copy; &euro; &mdash;. Numeric entities use the Unicode code point in decimal (&#8212; for em dash) or hexadecimal (&#x2014; for em dash). Named entities are only available for characters that have been given names in the HTML specification — common symbols are named, but most Unicode characters are not. Numeric entities work for any Unicode character. For the required < > & " characters, use the named entities (&lt; &gt; &amp; &quot;) for readability. For obscure symbols, use numeric entities.

When should I use &nbsp; (non-breaking space)?

&nbsp; (non-breaking space, character U+00A0) prevents a line break between two words: "50&nbsp;kg" ensures 50 and kg always appear on the same line. Use it for: unit values (50 kg, 25 mph), titles with initials (J. K. Rowling), phone numbers with country code (+1 555), and any pair of words that should never be separated at a line break. Do not use &nbsp; for visual spacing — use CSS margin, padding, or a proper layout system. Using consecutive &nbsp; entities for indentation is an anti-pattern that breaks accessibility and is unmaintainable.

Should I encode HTML entities in JavaScript strings?

HTML entities are parsed by the HTML parser — they have no meaning in JavaScript context. If you are building an HTML string in JavaScript (template literals, innerHTML), encode the HTML characters. If you are setting textContent instead of innerHTML, the browser automatically treats the value as plain text and no encoding is needed: element.textContent = userInput is always XSS-safe. element.innerHTML = userInput is dangerous unless userInput is HTML-encoded. For React and most modern frameworks, JSX automatically escapes values in JSX expressions — {userInput} is safe, dangerouslySetInnerHTML is not.

What is the HTML character encoding declaration and is it still needed?

The <meta charset="UTF-8"> tag in the HTML <head> tells the browser which character encoding to use. Without it, the browser may guess wrong — older browsers defaulted to Latin-1 (ISO-8859-1), which causes mojibake (garbled text) for non-ASCII characters. Always include <meta charset="UTF-8"> as the first element in <head> (before any content, especially before any content that might reference external resources). In UTF-8 HTML5, you can safely use actual Unicode characters directly (é, ü, 中文, 🚀) without encoding them as entities.

What other encoding tools are on this site?

The URL Encoder handles percent-encoding for URL-safe transmission. The Base64 Encoder encodes binary data for HTTP and data URIs. The Character Encoder looks up Unicode code points and entity references for any character. The HTML Entity Reference tool is a searchable complete list of all named HTML entities. The HTML Validator checks that your HTML is structurally correct after encoding. All are in the Dev Tools section.
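
The "context matters" rule and the advice on building HTML strings in JavaScript, as an added example (not code from this site): one encoder per output context, applied at render time to the raw stored value. The function names, the /search path and the sample input are constructed for illustration.

```javascript
// Added example, not the site's code. Names and sample input are constructed.
// Raw input is stored unchanged; each function encodes for one output context.

// HTML body or quoted attribute value. "&" goes first so the entities
// produced by the later replacements are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// User data inside an href: percent-encode it as a query value, then
// HTML-encode the whole attribute value.
function searchHref(term) {
  return escapeHtml("/search?q=" + encodeURIComponent(term));
}

// User data inside an inline <script>: JSON.stringify yields a valid JS string
// literal; escaping <, > and & keeps "</script>" and "<!--" out of the HTML
// parser's view, and U+2028/U+2029 are escaped for older JS engines.
function inlineJsString(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Render one profile fragment using the right encoder at each sink.
function renderProfile(rawName) {
  return [
    `<p>Hello, ${escapeHtml(rawName)}</p>`,
    `<a href="${searchHref(rawName)}">Search</a>`,
    `<script>var displayName = ${inlineJsString(rawName)};</script>`,
  ].join("\n");
}

// Constructed sample input, matching the page's script-tag scenario.
const storedName = `<script>alert('hacked')</script>`;
console.log(renderProfile(storedName));
```

The stored value never changes; only its representation differs per sink, and the JavaScript literal still evaluates back to the original string.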