Lesson 3
Entities in CMS and Templates
When to escape text nodes, attributes, and exported fields.
CMS platforms and template engines often escape content automatically—but not always at the layer you expect.
Text nodes vs attributes
For HTML text nodes, the critical escapes are usually <, >, and &.
For attribute values, you also need quotes escaped when the attribute is delimited by " or '. A value like He said "hi" inside title="..." breaks the attribute unless quotes are encoded.
Double-encoding traps
A common bug chain:
- CMS stores Tom &amp; Jerry (already escaped)
- A template engine escapes again → Tom &amp;amp; Jerry
- The page shows the literal text &amp; instead of &
Fix: escape once, at the boundary where untrusted text enters HTML. If data is already entity-encoded, decode or mark it as safe before the next escape pass.
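The context-specific escapes from "Text nodes vs attributes" and the escape-once fix for the bug chain above, as an added example that is not part of the lesson. The helper names (escapeText, escapeAttr, decodeEntities, renderTitleAttr) and the stored CMS value are constructed for illustration.

```javascript
// Added example (not from the lesson): context-aware escaping plus the
// "decode, then escape once" normalisation for pre-encoded CMS data.

// Text-node context: only <, > and & need encoding.
function escapeText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
  return String(s).replace(/[&<>]/g, (c) => map[c]);
}

// Attribute context: also encode both quote characters so the value can
// never terminate a "..." or '...' delimited attribute.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Decode one level of the entities the escapers above can emit (named and
// numeric). Only apply this to fields you know are stored entity-encoded;
// unknown entity names are left untouched rather than guessed.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return String(s).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return named[body.toLowerCase()] ?? m;
  });
}

// Escape once, at the HTML boundary: normalise a pre-escaped stored value
// back to raw text, then encode for the attribute context it lands in.
function renderTitleAttr(storedValue) {
  return `<a title="${escapeAttr(decodeEntities(storedValue))}">link</a>`;
}

// The bug chain from the lesson, reproduced and then fixed.
function demoDoubleEncoding() {
  const stored = 'Tom &amp; Jerry';                       // constructed: CMS already escaped it
  return {
    buggy: escapeText(stored),                             // 'Tom &amp;amp; Jerry' -> browser shows "&amp;"
    fixed: escapeText(decodeEntities(stored)),             // 'Tom &amp; Jerry'     -> browser shows "&"
  };
}
```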
Rich text vs plain fields
Rich-text editors may output HTML fragments with entities already embedded. Plain-text fields may need full escaping on output. Mixing the two in one pipeline causes inconsistent display.
Email and export formats
CSV exports, JSON APIs, and email templates often entity-encode for XML/HTML compatibility. When you import that data into a web page, verify whether the consumer expects raw text or pre-escaped HTML.
Framework auto-escaping
React, Vue, and modern template systems escape by default when you use their text interpolation APIs. Manual dangerouslySetInnerHTML or raw template blocks bypass that protection—entities and sanitization become your responsibility.