HTML Entity Encoder/Decoder converts special characters to their HTML entity equivalents and back. Prevents XSS vulnerabilities by escaping user input before inserting it into HTML. Also detects potential security risks in your input.
Copy the encoded version for safe insertion into HTML.
Use the decoded version to read entity-heavy content.
Frequently asked questions
Why encode HTML entities?
To prevent browsers from interpreting special characters as HTML. Without encoding, < becomes a tag, & starts an entity, and " breaks attributes. This is critical for preventing XSS attacks.
What characters need encoding?
At minimum: `<` (`&lt;`), `>` (`&gt;`), `&` (`&amp;`), `"` (`&quot;`), and `'` (`&#39;`). These are the characters that have special meaning in HTML and can break your page or enable XSS if left unescaped.
What is XSS?
Cross-Site Scripting — an attack in which JavaScript is injected through user input that gets rendered as HTML. If you display user data without encoding entities first, an attacker can inject <script> tags that run malicious code in your visitors' browsers.
Should I encode all HTML or just user input?
Always encode user-supplied data before outputting it in HTML. Your own static HTML doesn't need encoding. Server-side templating engines usually handle this automatically with escape filters.
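The encoder and decoder the FAQ describes, written here as an added example rather than the tool's own code. It covers the five characters listed above, decodes named and numeric entities in a single pass so "&amp;lt;" is not double-decoded, and contrasts escaped with unescaped output in a template; the function names and the sample input are constructed for this example.

```javascript
// Added example (not the tool's own code): minimal HTML entity
// encoder/decoder covering the five characters the FAQ names.
const ENCODE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text for safe insertion into HTML text content or a
// quoted attribute value. '&' is included so existing entities are preserved
// literally rather than being interpreted.
function encodeHtmlEntities(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Decode named and numeric (decimal / hex) entities. One regex pass means
// "&amp;lt;" becomes "&lt;", never "<"; unknown names are left untouched.
const DECODE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeHtmlEntities(input) {
  return String(input).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      // Reject code points outside the Unicode range instead of throwing.
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = DECODE_MAP[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// Render a user comment into a fragment, with or without escaping, to show
// the difference the FAQ describes between encoded and raw user data.
function renderComment(userInput, { escape }) {
  const value = escape ? encodeHtmlEntities(userInput) : userInput;
  return `<p class="comment">${value}</p>`;
}

// Constructed sample input: rendered raw it becomes a script tag; encoded
// it is displayed as literal text.
const SAMPLE_INPUT = '<script>alert(1)</script> & "quotes"';
```

Calling renderComment(SAMPLE_INPUT, { escape: true }) yields a paragraph whose text reads as the literal characters, while { escape: false } emits the script tag unchanged, which is the failure mode entity encoding prevents.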