HTML Entities
Encode and decode HTML special characters and entities
When do you need HTML entity encoding?
When user-supplied text is rendered into HTML, characters like `<` and `>` must be escaped as `&lt;` and `&gt;` so the browser treats them as text rather than markup. Skipping this step is the root cause of the most common form of XSS. The tool encodes the five core HTML-unsafe characters (`<`, `>`, `&`, `"`, `'`) plus any non-ASCII characters you choose to escape.
Numeric entities (`&#60;`, `&#x3C;`) work in any HTML or XML context. Named entities (`&lt;`, `&copy;`) are easier to read, but most of them are HTML-only: XML parsers predefine just five names (`&lt;`, `&gt;`, `&amp;`, `&quot;`, `&apos;`), so a `&copy;` in an XML document is a parse error rather than a copyright sign.
Examples
| Input | Result |
|---|---|
| `<script>alert('hi')</script>` | `&lt;script&gt;alert(&#39;hi&#39;)&lt;/script&gt;` |
| `© 2024 — Wenee` | `&copy; 2024 &mdash; Wenee` |
Frequently asked questions
Which characters need encoding?
At minimum: `<`, `>`, `&`, `"`, and `'`. Emit the single quote as `&#39;` rather than `&apos;`, because `&apos;` was not defined in HTML 4 and older parsers will not decode it. Encoding more (for example every non-ASCII character) is harmless in text content but bloats the output.
Are named or numeric entities better?
Named (`&amp;`) is more readable in HTML; numeric (`&#38;`) works in both HTML and XML. Pick numeric for cross-format safety.
Is HTML entity encoding the same as URL encoding?
No. HTML entities use `&...;` syntax for HTML contexts; URL encoding uses `%XX` for URL contexts. They serve different layers, and a value that crosses both layers needs both: a query parameter placed inside an `href` attribute is URL-encoded first, and the resulting URL is then entity-encoded for the attribute (so the `&` between parameters becomes `&amp;`).
Does this prevent XSS?
Encoding text content in HTML output prevents the most common XSS vector. Other contexts (attribute values, JavaScript strings, CSS, URLs) need their own escaping rules. Attribute values must also be quoted, since an unquoted value ends at the first whitespace no matter how the rest is encoded. Inside a `<script>` block entities are not decoded at all, and inside an event-handler attribute they are decoded before the JavaScript runs, so entity encoding alone protects neither.
Is my text sent anywhere?
No. Encoding and decoding happen entirely in your browser.
