HTML Entities Encoder / Decoder

Encode and decode HTML special characters to/from HTML entities. Prevents XSS and displays special chars.

About the HTML Entities Encoder / Decoder

The HTML Entities Encoder / Decoder converts reserved HTML characters such as <, >, &, and quotes into their safe entity equivalents, and decodes them back to raw characters. It runs entirely in the browser and is indispensable for web developers who need to safely render user-generated content, write code examples in documentation, or prevent cross-site scripting (XSS) vulnerabilities. No data leaves your machine at any point.

Frequently Asked Questions

What are HTML entities and why are they needed?

HTML entities are special escape sequences that represent characters which have reserved meaning in HTML markup or which cannot be safely included in HTML source as literal characters. For example, < renders as a less-than sign without being interpreted as the start of a tag, and & renders as a literal ampersand. They are essential for displaying code samples, user-generated content, and special symbols correctly in a web page without breaking document structure or introducing security vulnerabilities.

How does this tool help prevent XSS (Cross-Site Scripting) attacks?

Cross-Site Scripting attacks occur when untrusted user input containing HTML or JavaScript is inserted into a web page without escaping, allowing attackers to inject malicious scripts. By encoding characters like <, >, ", ', and & into their entity equivalents, you neutralise any embedded HTML tags or event handlers so the browser renders them as visible text rather than executable markup. This tool lets you quickly sanitise strings before inserting them into the DOM or storing them in a database.

Is my data sent to a server when encoding or decoding?

No. The encoder uses a pure JavaScript character replacement map that runs entirely in your browser, and the decoder leverages the browser's own HTML parser by temporarily injecting text into a detached DOM element. Neither operation involves any network request or server-side processing. You can confirm this by inspecting the Network tab in your browser's developer tools: there are zero outbound requests when you click Encode or Decode.

Which characters does this tool encode, and are there characters it misses?

This tool encodes the five core HTML reserved characters: & -> &amp;, < -> &lt;, > -> &gt;, " -> &quot;, and ' -> &#39;. These five cover the vast majority of XSS vectors and HTML-parsing issues. Full entity encoding of every non-ASCII character (such as © or é) is not performed because modern web pages declare UTF-8 encoding, making numeric entity escaping of those characters unnecessary for correctness.
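The replacement-map encoder described in the previous answer and the five-character table above, written out as an added example (not the tool's own source). The decoder here is a pure JavaScript stand-in for the detached-DOM-element technique the tool uses, so it runs outside a browser; it assumes only the five named entities plus decimal and hex numeric references, whereas the browser parser would also resolve names such as &copy;.

```javascript
// Encoder: the five reserved characters the tool lists, mapped to entities.
const ENCODE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function encodeHtmlEntities(text) {
  // & is in the class, so an ampersand already present in the input is
  // escaped too; an existing "&amp;" therefore becomes "&amp;amp;".
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Decoder (stand-in for the browser's HTML parser, added here): the five
// named entities plus &#NN; and &#xHH; numeric character references.
const DECODE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function decodeHtmlEntities(html) {
  // Single pass: a decoded "&" is never re-examined, so "&amp;amp;"
  // decodes to the literal text "&amp;" rather than to "&".
  return String(html).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const code = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      // Leave references outside the Unicode range untouched instead of throwing.
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const named = DECODE_MAP[body];
    return named !== undefined ? named : match; // unknown names are left as-is
  });
}

// Constructed sample input: a tag with an inline event handler attribute.
const SAMPLE = `<img src=x onerror="alert('x')"> & 'friends'`;
console.log(encodeHtmlEntities(SAMPLE));
// Every character that could open a tag, attribute or handler is now inert text.
console.log(decodeHtmlEntities(encodeHtmlEntities(SAMPLE)) === SAMPLE); // true
```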

How does this compare to server-side functions like PHP's htmlspecialchars?

PHP's htmlspecialchars() and this browser tool apply the same set of five character substitutions, making the output identical for typical use cases. Server-side functions are the correct place to apply escaping in production applications because they run before the HTML is delivered to the browser, whereas this tool is ideal for manually escaping snippets, preparing documentation, testing encoding logic, and debugging templates. For production code, always use server-side escaping functions rather than relying on client-side preprocessing.