diff --git a/questions/qa-escapes.en.html b/questions/qa-escapes.en.html index 46ed32c3..d2262ebc 100644 --- a/questions/qa-escapes.en.html +++ b/questions/qa-escapes.en.html @@ -142,6 +142,16 @@
One point worth special note is that values of numeric character references (such as €
or €
for the euro sign €) are interpreted as Unicode characters – no matter what encoding you use for your document.
For example, the code point number of the euro sign in Windows code page 1252 is 80. It is a common error for people working on content in that encoding to represent the euro sign using €
. This HTML should actually produce a control character, since the escape would be expanded as the character at position 80 in the Unicode repertoire. (In fact, browsers tend to silently correct that particular error. See the test pages.)
Proper character escaping is crucial for preventing Cross-Site Scripting (XSS) attacks, especially when displaying user-generated content. Always escape user input before inserting it into HTML:
+Dangerous: <p>Hello <script>alert('XSS')</script></p>
Safe: <p>Hello <script>alert('XSS')</script></p>
This applies to all contexts where user data is inserted into HTML, including element content, attribute values, and URLs.
+
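Review bot: the "Dangerous" and "Safe" examples in this hunk are identical as written (`<p>Hello <script>alert('XSS')</script></p>` on both lines), so the escaping the paragraph promises to demonstrate is not visible to the reader. The Safe line needs to show the escaped form, i.e. `&lt;p&gt;Hello &lt;script&gt;alert('XSS')&lt;/script&gt;&lt;/p&gt;`, which in this HTML source means writing `&amp;lt;`/`&amp;gt;` so the entity names themselves are displayed; and the Dangerous line must also be entity-escaped in the source (`&lt;script&gt;`), otherwise the literal `<script>` element is parsed as markup and executes when this page loads. Please also mark both lines up as code (the surrounding page uses code/sample markup for escapes such as `&#x20AC;`) rather than bare prose. The closing sentence "This applies to all contexts where user data is inserted into HTML, including element content, attribute values, and URLs" is correct but the example covers only element content; either add one attribute-value case (quote the attribute and escape `"` as `&quot;` and `&` as `&amp;`) and one URL case (percent-encode the value rather than using HTML entities) or narrow the sentence to the context actually shown, since applying element-content escaping alone to an attribute or URL context does not make it safe.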