Minimum requirements for escaping HTML output

What are the characters that are required and suffice when escaping user-generated content before o开发者_运维百科utput? (in other words: what are the characters web developers should escape when outputting text that previously came from an untrusted, anonymous source?)

When echoing to a page, you should encode

• '&' (ampersand) becomes '&'
• '"' (double quote) becomes '"'
• ''' (single quote) becomes '''
• '<' (less than) becomes '<'
• '>' (greater than) becomes '>'

From PHP's htmlspecialchars() docs.

Note that the context also matters.

You'll also need to take the character set into account.

I think that escaping the < > & " ' symbols should be enough for any scenario.