Does HTML encoding prevent XSS security exploits?

梦如初夏 2021-02-13 20:10

By simply converting the following ("the big 5"):

& -> &amp;
< -> &lt;
> -> &gt;
" -> &quot;
' -> &#39;

3 answers
  •  死守一世寂寞
    2021-02-13 20:25

    Countermeasures depend on the context where the data is inserted. If you insert the data into HTML, replacing the HTML meta characters with escape sequences (i.e. character references) prevents inserting HTML code.

    But if you're in another context (e.g. an HTML attribute value that is interpreted as a URL), you have additional meta characters with different escape sequences you have to deal with.
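
The context dependence described in the answer above, as an added example that is not part of the original thread: the five-character replacement leaves a URL scheme untouched, so a value placed in an `href` needs a scheme check in addition to escaping. The function names, the allowlist and the sample inputs are assumptions constructed for this illustration.

```python
import html
from urllib.parse import urlsplit

# Assumption for this example: the only schemes the application wants in links.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Browsers ignore leading/trailing C0 controls and spaces in a URL.
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def escape_html(text: str) -> str:
    """The question's five replacements (html.escape writes ' as &#x27;)."""
    return html.escape(text, quote=True)


def safe_href(url: str) -> str:
    """Return a value safe to place inside href="...", or "#" if rejected."""
    # Normalise the way a browser does before it reads the scheme:
    # tabs and newlines are dropped, surrounding controls/spaces are stripped.
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip(C0_AND_SPACE)
    try:
        scheme = urlsplit(cleaned).scheme  # lower-cased by urlsplit
    except ValueError:
        return "#"
    # An empty scheme means a relative URL; any other scheme must be
    # on the allowlist.
    if scheme and scheme not in ALLOWED_SCHEMES:
        return "#"
    # Escaping is still required so the value cannot close the attribute.
    return escape_html(cleaned)


def render_link(url: str, label: str) -> str:
    """Each value gets the treatment its own context needs."""
    return f'<a href="{safe_href(url)}">{escape_html(label)}</a>'


if __name__ == "__main__":
    # Constructed inputs, not taken from the page.
    for candidate in ("https://example.com/?a=1&b=2", "javascript:alert(1)"):
        print(repr(escape_html(candidate)), "->", render_link(candidate, "<go>"))
```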
