Escaping is the practice of encoding data before it is sent to a browser, template, or other output sink so that characters like <, >, quotes, and ampersands are treated as plain text rather than as markup or executable code. In web applications, this is one of the main defenses against cross-site scripting (XSS) and related injection bugs.
It matters because attackers often target places where user input is displayed back to other users: comments, profile fields, admin pages, search results, and plugin-generated content. If output is not escaped correctly, a payload can break out of the intended text and run JavaScript in the victim’s session. Good escaping is context-specific: HTML text, HTML attributes, URLs, and JavaScript each need different encoding rules, and the escaper must match the context the value lands in. In practice, careful developers validate input, then escape output at the last possible moment, while using platform helpers and templates that handle encoding safely by default.
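The context-specific rules above, as an added example that is not part of the original page: one escaper per output context (HTML text, quoted HTML attribute, URL query value, JavaScript string literal) built on the Python standard library, and a small renderer that picks the right one for each slot. The comment card, its field names and the sample input are constructed for illustration.

```python
import html
import json
import urllib.parse


def escape_html_text(value: str) -> str:
    """For text between tags, e.g. <p>HERE</p>: neutralise & < > so no tag can start."""
    return html.escape(value, quote=False)


def escape_html_attr(value: str) -> str:
    """For a double-quoted attribute value: also encode quotes so the value cannot end early.
    The caller must still wrap the result in quotes; an unquoted attribute ends at any space."""
    return html.escape(value, quote=True)


def escape_url_param(value: str) -> str:
    """For one query-string value: percent-encode everything except unreserved characters."""
    return urllib.parse.quote(value, safe="")


def escape_js_string(value: str) -> str:
    """For a JavaScript string literal inside <script>: JSON-quote, then hex-escape < > &
    so the browser's HTML parser never sees a closing </script> inside the literal."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_comment(author: str, body: str, reply_to: str) -> str:
    """Assemble one comment card (hypothetical layout), choosing the escaper by context.
    The href value sits in two contexts at once (URL inside an attribute), so it is
    URL-encoded first and attribute-encoded second: innermost context first."""
    return (
        f'<div class="comment" data-author="{escape_html_attr(author)}">\n'
        f"  <p>{escape_html_text(body)}</p>\n"
        f'  <a href="/reply?to={escape_html_attr(escape_url_param(reply_to))}">Reply</a>\n'
        f"  <script>var author = {escape_js_string(author)};</script>\n"
        "</div>"
    )


if __name__ == "__main__":
    # Constructed sample input: each field tries to leave the context it is placed in.
    print(render_comment('</script><b onclick="x">', "<script>alert(1)</script>", "a b&c=d"))
```

Note that the same author string is safe in the attribute and in the script block only because each slot applies its own encoding; reusing the HTML-text escaper for the script slot would leave the closing tag intact.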



