HTML Encoder / Decoder
Encode and decode HTML entities safely.
What Is HTML Encoding?
HTML encoding converts special characters into their HTML entity equivalents. Characters like <, >, &, and quotes have special meaning in HTML — they define tags, attributes, and entities. Encoding these characters ensures they display as literal text rather than being interpreted as HTML markup.
Preventing XSS Attacks
Cross-Site Scripting (XSS) is one of the most common web security vulnerabilities. It occurs when user input is rendered as HTML without encoding. An attacker could inject malicious JavaScript through form inputs, URL parameters, or database-stored content. Proper HTML encoding neutralizes these attacks: an injected <script> tag is converted into harmless text that the browser displays rather than executes.
Named vs Numeric Entities
HTML entities come in two forms. Named entities use memorable names: `&lt;` for less-than, `&amp;` for ampersand. Numeric entities use character codes: `&#60;` for less-than, `&#38;` for ampersand. Named entities are more readable but only cover a subset of characters. Numeric entities can represent any Unicode character.
When to Encode
Encode HTML whenever displaying user-generated content, rendering data from external APIs, inserting text into HTML attributes, or generating HTML dynamically. Most modern frameworks (React, Vue, Angular) auto-encode by default, but raw HTML insertion (dangerouslySetInnerHTML, v-html) bypasses this protection.
Encoding in Different Languages
Every major programming language provides HTML encoding functions. Python has html.escape() and PHP has htmlspecialchars(); JavaScript has no built-in function, but frameworks handle it. Always use your language's built-in encoding rather than writing custom regex replacements, which are error-prone and often miss edge cases.
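As an added example (not this tool's own code), the following JavaScript encoder and decoder covers the five characters with markup meaning and decodes the named, decimal and hex entity forms described under Named vs Numeric Entities. It illustrates the approach since browser JavaScript has no built-in escape function; the sample input string is constructed.

```javascript
// Added example: minimal HTML encoder/decoder for the five characters that
// carry markup meaning in element bodies and quoted attributes.
const NAMED = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
// Decoder lookup for the lowercase named forms of those characters.
const DECODE_NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Encode text so it renders literally. A single regex pass replaces every
// special character at once, so "&" is never double-encoded.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => NAMED[ch]);
}

// Decode named (subset above), decimal (&#60;) and hex (&#x3C;) entities.
// Unknown names and out-of-range code points are left untouched, not guessed.
function decodeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const isHex = body[1] === "x" || body[1] === "X";
      const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // String.fromCodePoint throws above U+10FFFF; keep the text as-is instead.
      return code > 0x10ffff ? match : String.fromCodePoint(code);
    }
    return Object.prototype.hasOwnProperty.call(DECODE_NAMED, body)
      ? DECODE_NAMED[body]
      : match;
  });
}

// Constructed untrusted input, as someone might paste into the tool.
const SAMPLE = '<script>alert("x")</script> & "quoted" \'text\'';

// Encoding followed by decoding must return the original text unchanged.
function roundTrip(text) {
  return decodeHtml(encodeHtml(text)) === text;
}

console.log(encodeHtml(SAMPLE));
console.log("round trip ok:", roundTrip(SAMPLE));
```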