It seems that preventing XSS (cross-site scripting) attacks is trickier when the value ends up inside an event handler attribute, as in <a href="#" onclick="change('<?= htmlspecialchars($title) ?>'); return false;">Click me</a>. The reason is that if $title contains something malicious, htmlspecialchars() turns each "<" into "&lt;", but the value of the onclick attribute is parsed first as HTML, which decodes "&lt;" back to "<", so the JavaScript the browser actually runs can very well become: change('<script> do something bad </script>'); return false; (that is, the "<" that htmlspecialchars() changed to "&lt;" is changed back to "<" by the browser before the script engine sees it). Now, if change() actually does something like document.getElementById('divForTitle').innerHTML = title; then the XSS attack can occur.
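The two parse stages described above, as an added example that is not part of the original post: a Node.js simulation of what the HTML parser does to the onclick attribute value (decoding character references) before the JavaScript engine parses what is left. The functions htmlspecialchars, decodeAttributeValue, buildOnclick, buildOnclickSafe, valueReceivedByChange, changeUnsafe and changeSafe are this example's own names, and the decoder only handles the five references htmlspecialchars() emits; a real browser knows all of them. It also goes one step beyond the question: it shows that encoding for the JavaScript string context first and the attribute context second keeps the string intact, but that the value handed to change() is still the raw title, so the innerHTML sink needs its own escaping regardless.

```javascript
// Added example (not from the original post). Simulates the order in which a browser
// processes an onclick attribute: HTML attribute decoding first, then JavaScript parsing.

// Mimic PHP's htmlspecialchars() with ENT_QUOTES: escape & < > " and '.
function htmlspecialchars(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// What the HTML parser does to an attribute value before the JS engine sees it:
// character references are decoded. Only the five produced above are handled here
// (assumption of this example; a real parser decodes every named/numeric reference).
// &amp; is decoded last so that "&amp;lt;" becomes "&lt;" and not "<".
function decodeAttributeValue(s) {
  return s
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// The pattern from the question: the attribute value exactly as the PHP template emits it.
function buildOnclick(title) {
  return `change('${htmlspecialchars(title)}'); return false;`;
}

// The JavaScript the engine actually parses, after attribute decoding has undone
// everything htmlspecialchars() did.
function jsSeenByEngine(title) {
  return decodeAttributeValue(buildOnclick(title));
}

// Safer construction: encode for the JS string context first (a JSON string literal,
// with < > & additionally written as \uXXXX escapes so they survive any later HTML
// parsing), THEN for the HTML attribute context with htmlspecialchars().
// The attribute is delimited with double quotes in the markup, so the literal's own
// quotes must be turned into &quot; by the outer layer, which htmlspecialchars() does.
function jsStringLiteral(value) {
  return JSON.stringify(value).replace(/[<>&]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function buildOnclickSafe(title) {
  return `change(${htmlspecialchars(jsStringLiteral(title))}); return false;`;
}

// Decode the safe attribute as the browser would, pull out the argument literal and
// evaluate it as JSON to see the string value change() is actually called with.
function valueReceivedByChange(title) {
  const js = decodeAttributeValue(buildOnclickSafe(title));
  const literal = js.slice('change('.length, js.lastIndexOf('); return false;'));
  return JSON.parse(literal);
}

// The sink inside change(), modelled as the markup that ends up in the page:
// innerHTML = title injects the raw string; treating it as text escapes it.
function changeUnsafe(title) { return title; }
function changeSafe(title) { return htmlspecialchars(title); }

// Constructed sample inputs (not real attacker data).
const evil = '<script> do something bad </script>';
const breakout = "'); alert(1); //";

console.log('attribute:', buildOnclick(evil));
console.log('engine sees:', jsSeenByEngine(evil));
console.log('engine sees:', jsSeenByEngine(breakout)); // quote breakout also survives decoding
console.log('safe attribute:', buildOnclickSafe(evil));
console.log('change() receives:', valueReceivedByChange(evil)); // still the raw title
console.log('innerHTML sink:', changeUnsafe(evil));
console.log('text sink:', changeSafe(evil));
```

Run it with node. The second printed line shows the question's point literally: the string the engine parses contains the bare "<script>" again. The breakout input shows that the same applies to quotes, so the "safe" attribute encoding only holds if the JS-context encoding is applied before the HTML-context one. Even then, change() receives the original title, so the fix for the innerHTML line is to write the value as text (textContent, or HTML-escape it at that point), not to rely on what happened in the attribute.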