There’s more to HTML escaping than &, <, >, and “

Escaping &, <, >, “, ‘, , !, @, $, %, (, ), =, +, {, }, [, and ] is almost enough

All those characters up there (including the space character!) can be used to break out of an unquoted HTML attribute value. If you escape every last one of them, then you’re probably pretty close to being safe. But you’re still not so safe that you can just start throwing around user input willy-nilly.

Why? Because this still doesn’t cover some context-specific cases like inserting user input into the body of an inline <script> element or using user input as part of a URL.
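An added example, not code from the original post or the article it links to, of what a context-aware encoder looks like in JavaScript: the attribute escaper built from the post's own character list, the scheme check that the URL context needs on top of it, and a separate encoder for inline <script> bodies. Function names and sample values are assumptions.

```javascript
// Added example, not code from the original post: one encoder per output
// context. The character list comes from the post; the function names and
// sample values are constructed for illustration.

// Every character the post lists as able to end an unquoted attribute value
// (the blank entry in the post's list is the space character).
const ATTR_BREAKERS = /[&<>"' !@$%()=+{}\[\]]/g;

// Context 0: unquoted attribute value. The HTML parser decodes numeric
// character references inside an attribute value, so once encoded none of
// these characters can terminate it.
function escapeForUnquotedAttribute(input) {
  return String(input).replace(ATTR_BREAKERS, ch => `&#${ch.charCodeAt(0)};`);
}

// What the parser hands to the attribute after decoding those references:
// the original string, unchanged. Escaping is lossless, which matters below.
function decodeNumericRefs(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// Context 1: a URL-valued attribute such as href. Because escaping is
// lossless, a script-executing scheme survives it intact; the missing
// control is a scheme allow-list checked before the value is encoded.
const SCHEME = /^([a-z][a-z0-9+.-]*):/i;
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isAllowedUrl(url) {
  // Browsers drop ASCII control characters and whitespace while parsing
  // the scheme, so strip them before deciding whether one is present.
  const probe = String(url).replace(/[\u0000-\u0020]/g, '');
  const m = SCHEME.exec(probe);
  return m === null || ALLOWED_SCHEMES.has(m[1].toLowerCase()); // relative URLs pass
}

// Context 2: data inside an inline <script> body. Character references are
// NOT decoded there, so attribute escaping hands the script literal "&#60;"
// text, and a raw "</script>" would end the element. Emit a JS string
// literal with the HTML-significant characters written as \u escapes.
function toScriptLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
```

Used together: a URL goes into `href=` only after `isAllowedUrl` accepts it and `escapeForUnquotedAttribute` encodes it, while a value going into `var data = ...;` inside a script uses `toScriptLiteral` and nothing else.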

more on

I have yet to see an application or library that escapes all these characters. Nevertheless, the article is an interesting read.