Overview
Encode or decode HTML entities (e.g. &lt; &gt; &amp; &quot;). Helpful for safely displaying user input in HTML, debugging templates, and sanitizing snippets for docs. Runs locally in your browser.
Use cases
- Escape a snippet before pasting it into an HTML page or CMS editor.
- Decode entities from RSS/HTML sources to read the real text.
- Prepare safe examples for documentation without executing markup.
Common pitfalls
- Double-encoding is common (e.g. &amp;amp;). Decode repeatedly until it stabilizes.
- Correct escaping depends on context; HTML entity encoding is not a universal XSS solution.
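The double-encoding pitfall above, worked through as an added example (not the tool's own code): it counts stacked encoding layers and collapses them to exactly one for an HTML text context. All function names and the sample string are assumptions made for illustration.

```javascript
// Added example, not the tool's own code. Covers the five characters this
// page discusses plus numeric references; other named entities pass through.
const ENCODE = new Map([["&", "&amp;"], ["<", "&lt;"], [">", "&gt;"], ['"', "&quot;"], ["'", "&#39;"]]);
const NAMED = new Map([["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"]]);

function encodeEntities(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE.get(ch));
}

// Decode exactly one layer of entities.
function decodeEntities(text) {
  return String(text).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] !== "#") return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === "x" || body[1] === "X";
    const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    const valid = code > 0 && code <= 0x10ffff && !(code >= 0xd800 && code <= 0xdfff);
    return valid ? String.fromCodePoint(code) : match;
  });
}

// Decode until the text stops changing, with a cap on the number of passes.
// `layers` reports how many encodings were stacked on the input.
function decodeUntilStable(text, maxLayers = 5) {
  let current = String(text);
  for (let layers = 0; layers < maxLayers; layers++) {
    const next = decodeEntities(current);
    if (next === current) return { text: current, layers, stable: true };
    current = next;
  }
  return { text: current, layers: maxLayers, stable: decodeEntities(current) === current };
}

// Collapse any number of layers to exactly one, ready for an HTML text node.
// The decoded form is live markup again, so it is re-encoded before use.
function normalizeForHtmlText(text) {
  const decoded = decodeUntilStable(text);
  if (!decoded.stable) throw new Error("too many encoding layers");
  return encodeEntities(decoded.text);
}

// Constructed sample: "<b>Tom & Jerry</b>" encoded twice by two pipeline stages.
const sample = "&amp;lt;b&amp;gt;Tom &amp;amp; Jerry&amp;lt;/b&amp;gt;";
console.log(decodeUntilStable(sample));
console.log(normalizeForHtmlText(sample));
```

Text that legitimately contains a literal entity string, such as documentation about `&amp;`, is collapsed too, so apply this only where stacked encoding is a known pipeline defect. The result is safe for HTML text contexts only; attribute, URL and JS contexts need their own escaping.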
FAQs
Why encode entities?
To safely render text that may contain <, >, &, quotes, etc. Encoding reduces the risk of HTML injection when displaying user input.
Does this execute HTML?
No. It only transforms strings.
Is entity-encoding enough to prevent XSS?
It helps for HTML text contexts, but XSS prevention depends on context. Always escape correctly for attributes/URLs/JS contexts too.
Why do I still see &amp; in my output?
Your input might be double-encoded. Decode once to remove the extra layer.
Examples
Input
<div>Hello & "world"</div>
Output
&lt;div&gt;Hello &amp; &quot;world&quot;&lt;/div&gt;