Converting special characters like < and > into harmless display text before showing user-supplied content, so the browser prints them literally instead of running them as code. Most modern frameworks do this for you unless you explicitly opt out.
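
An added illustration, not taken from the original page or from any particular framework: a small JavaScript template tag that escapes interpolated values by default and emits raw markup only through an explicit opt-out. The names `escapeHtml`, `html` and `unsafeRaw`, and the sample comment string, are assumptions made for this example.

```javascript
// Added example (hypothetical names): escape-by-default templating with an opt-out.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace each HTML-significant character with its entity in a single pass,
// so an "&" produced by one replacement is never encoded a second time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker type for the explicit opt-out, analogous to a framework's
// "insert this as raw HTML" escape hatch.
class TrustedHtml {
  constructor(markup) { this.markup = markup; }
}
function unsafeRaw(markup) { return new TrustedHtml(markup); }

// Tagged template: the literal parts written by the developer pass through,
// every interpolated value is escaped unless it was wrapped with unsafeRaw().
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof TrustedHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return out;
}

// Constructed sample input standing in for user-supplied content.
const comment = "<script>alert(1)</script>";

// Default path: the browser would print the tag as text.
function renderEscaped() { return html`<p>${comment}</p>`; }

// Opt-out path: the same input reaches the page as live markup.
function renderOptedOut() { return html`<p>${unsafeRaw(comment)}</p>`; }

console.log(renderEscaped());  // <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
console.log(renderOptedOut()); // <p><script>alert(1)</script></p>
```

This escaping is correct for HTML element content and quoted attribute values only; values placed inside script blocks, URLs or CSS need the encoding for that context. When reviewing code, searching for the framework's opt-out calls is a quick way to find the places where the default protection has been switched off.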