Encode and decode HTML entities to prevent cross-site scripting (XSS) attacks and display special characters correctly. All processing happens in your browser.
Common HTML Entities
| Character | Named Entity | Numeric Entity | Usage |
|---|---|---|---|
| `<` | `&lt;` | `&#60;` | Less than sign (HTML tags) |
| `>` | `&gt;` | `&#62;` | Greater than sign (HTML tags) |
| `&` | `&amp;` | `&#38;` | Ampersand |
| `"` | `&quot;` | `&#34;` | Double quote (HTML attributes) |
| `'` | `&apos;` | `&#39;` | Single quote/apostrophe |
| (space) | `&nbsp;` | `&#160;` | Non-breaking space |
| © | `&copy;` | `&#169;` | Copyright symbol |
| ® | `&reg;` | `&#174;` | Registered trademark |
XSS Prevention
When to Encode
- Before inserting user input into HTML
- When displaying data from databases
- Before using in HTML attributes
- When echoing form data
Essential Characters
- `<` prevents script tag injection
- `>` closes malicious tags
- `&` prevents entity injection
- `"` and `'` prevent attribute breakout
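
The encoding and decoding described above, as an added JavaScript example (not this tool's own code). The function names `encodeHtml`, `decodeHtml` and `renderComment` and the sample strings are constructed for illustration.

```javascript
// Added example: names below are illustrative, not the tool's own code.
const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Named entities from the table above; a Map avoids prototype keys
// such as "constructor" being treated as entity names.
const NAMED = new Map([
  ["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"],
  ["nbsp", "\u00A0"], ["copy", "\u00A9"], ["reg", "\u00AE"],
]);

// Encode in one pass, so the "&" of an entity just produced is never re-encoded.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Decode named, decimal and hex entities in one pass; anything unknown stays as-is.
// One pass also means "&amp;lt;" becomes "&lt;", not "<".
function decodeHtml(text) {
  const pattern = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g;
  return String(text).replace(pattern, (match, body) => {
    if (body[0] !== "#") return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === "x" || body[1] === "X";
    const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Build a quoted attribute and an element body from untrusted text (constructed sample).
function renderComment(author, body) {
  return `<p title="${encodeHtml(author)}">${encodeHtml(body)}</p>`;
}

console.log(renderComment(`Tom "T" O'Neil`, `<script>alert("x")</script> & more`));
console.log(decodeHtml("&amp;lt; &#60; &#x3C; &copy; &bogus;"));
```

Entity encoding protects HTML text and quoted attribute values; values placed inside script blocks, URLs or CSS need the encoding for that context instead.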