FastDevTool

HTML Entity Encode / Decode

Encode special characters to HTML entities or decode them back.

Encodes: & < > " ' → &amp; &lt; &gt; &quot; &#39;
Frequently Asked Questions

What are HTML entities?

HTML entities are special sequences of text that represent characters that would otherwise be interpreted as HTML markup. They start with an ampersand (&) and end with a semicolon (;). For example, &lt; represents a less-than sign (<) and &amp; represents an ampersand (&), allowing you to display these characters safely in HTML without the browser treating them as code.

Why do I need to HTML-encode user input?

Encoding user-supplied content before inserting it into HTML is a critical security measure that prevents Cross-Site Scripting (XSS) attacks. If a user inputs text like <script>alert('xss')</script> and you display it unencoded, the browser will execute it as code. Encoding converts the angle brackets to &lt; and &gt; so the browser renders them as text instead.

Which characters are encoded by this tool?

This tool encodes the five characters that have special meaning in HTML: & (ampersand) becomes &amp;, < (less-than) becomes &lt;, > (greater-than) becomes &gt;, " (double quote) becomes &quot;, and ' (single quote) becomes &#39;. These cover the most important cases for XSS prevention.

What is the difference between HTML encoding and URL encoding?

HTML encoding converts characters into HTML entity references (like &amp; or &lt;) so they are safe to place inside HTML documents. URL encoding converts characters into percent-encoded sequences (like %26 or %3C) so they are safe to include in URLs. You need HTML encoding when writing content into HTML, and URL encoding when constructing URLs.

Do I need to encode all characters in my HTML?

No — only the five special characters listed above need to be encoded in most situations. Normal letters, digits, and many punctuation marks are perfectly safe in HTML without encoding. Over-encoding (encoding characters that don't need it) technically works but creates unnecessarily verbose output.
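
The five-character mapping and the HTML-versus-URL distinction described above, as an added example that is not this tool's own code. The function names `encodeHtml`, `decodeHtml` and `buildSearchLink`, the `/search` path and the `q` and `lang` parameters are assumptions made for illustration.

```javascript
// Mapping taken from the page: & < > " ' -> &amp; &lt; &gt; &quot; &#39;
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE_MAP = Object.fromEntries(
  Object.entries(ENCODE_MAP).map(([ch, entity]) => [entity, ch])
);

// Encode in a single pass. Chained replace() calls that handle '&' last would
// re-encode the '&' of entities produced earlier ("&lt;" -> "&amp;lt;").
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Decode in a single pass for the same reason: "&amp;lt;" must become the
// literal text "&lt;", not "<". Decoding '&amp;' first and then '&lt;' in a
// second step would turn encoded text back into markup.
function decodeHtml(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|#39);/g, (entity) => DECODE_MAP[entity]);
}

// Both encodings layered, each applied for its own destination:
//   1. URL-encode the parameter value so it cannot add or split parameters.
//   2. HTML-encode the finished URL before placing it in a quoted attribute.
//   3. HTML-encode the visible label before placing it in element content.
// encodeURIComponent leaves ' untouched, so step 2 is still required.
function buildSearchLink(query) {
  const url = '/search?q=' + encodeURIComponent(query) + '&lang=en'; // hypothetical route
  return '<a href="' + encodeHtml(url) + '">' + encodeHtml(query) + '</a>';
}

// Constructed sample inputs.
console.log(encodeHtml("<script>alert('xss')</script>"));
console.log(decodeHtml('&amp;lt;'));
console.log(buildSearchLink('a&b <c>'));
```

This mapping is suited to element content and quoted attribute values. Values written into script blocks, style blocks or unquoted attributes need encoding specific to that context.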