HTML Entity Encoder
Encode special characters to HTML entities instantly online. Converts &, <, >, ", and ' to their safe HTML equivalents. Free HTML encoder — runs entirely in your browser.
HTML entity encoding replaces characters that have special meaning in HTML markup with their HTML entity equivalents: & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot;, and ' becomes &#39;. This transformation is required whenever user-provided or dynamic content is inserted into an HTML document, so that the browser does not interpret those characters as HTML syntax.
Failing to HTML-encode output is the root cause of Cross-Site Scripting (XSS) vulnerabilities, one of the OWASP Top 10. If a web application renders a username like <script>alert(1)</script> without encoding it, the browser executes the script. Template engines like Jinja2, Handlebars, and React's JSX all auto-escape HTML by default, but direct DOM manipulation and older templating systems do not.
This tool applies the five essential HTML entity substitutions (&, <, >, ", ') using pure JavaScript string replacement. It encodes the minimal set required to prevent XSS in HTML contexts — the same set applied by most server-side template engines and sanitization libraries. No HTML is parsed; the input is treated as plain text.
Common Use Cases
Sanitizing user content for email templates
Email HTML templates that include user-submitted content (names, addresses, comment text) must encode special characters before inserting them into the HTML body. An unencoded & in an address like 'Smith & Sons' breaks HTML attribute values; an unencoded < in a comment causes the email client to misparse the template structure.
Escaping code snippets for blog post HTML
Technical blog posts that display code examples in <pre> and <code> blocks must encode the code as HTML entities. A TypeScript generics example like Array<string> will disappear in the browser if the <string> part is not encoded, because the browser treats it as an unknown HTML tag and hides it.
Preparing data for innerHTML assignment
JavaScript code that builds HTML strings for innerHTML assignment must encode any dynamic values. When constructing a search results list where item titles come from user input or an external API, encoding each title through these substitutions before concatenation prevents the title text from injecting markup or scripts into the DOM.
Generating safe XML and HTML attribute values
XML documents and HTML attributes that include dynamic string values must encode quotation marks and ampersands. When generating sitemap XML, RSS feed items, or HTML data attributes programmatically, encoding values here confirms the exact escaped form that the XML serializer or template engine should produce.
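The following is an added example, not the tool's own source code: a JavaScript encoder that applies the same five substitutions described above, used to build the search-results list from the innerHTML use case and to place a dynamic value inside an href attribute. The sample titles and URLs are constructed for the demonstration; the function names are my own.

```javascript
// Added example (not the tool's own code): the five-substitution HTML
// entity encoder, applied to string-built HTML for innerHTML and attributes.
const HTML_ENTITY_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that carry meaning in HTML text and
// attribute contexts. A single regex pass replaces each character once,
// so '&' in the input never gets re-encoded by a later substitution.
// Apply it exactly once, at the point where the value enters the markup.
function encodeHtmlEntities(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITY_MAP[ch]);
}

// Build a search-results list as an HTML string, encoding every dynamic
// value (the visible title and the href attribute value) before
// concatenation. The result is safe to assign to element.innerHTML.
function renderSearchResults(items) {
  const rows = items.map((item) => {
    const title = encodeHtmlEntities(item.title);
    const url = encodeHtmlEntities(item.url);
    return `<li><a href="${url}">${title}</a></li>`;
  });
  return `<ul>${rows.join("")}</ul>`;
}

// Constructed sample input: an ampersand in a name, a title that would
// otherwise inject a script tag, a generic type that would be hidden as an
// unknown tag, and a URL whose quotes would otherwise end the attribute.
const SAMPLE_RESULTS = [
  { title: "Smith & Sons", url: "/vendors/smith" },
  { title: "<script>alert(1)</script>", url: "/x" },
  { title: "Array<string> in TypeScript", url: '/q?a=1&b="2"' },
];

console.log(renderSearchResults(SAMPLE_RESULTS));
```

The encoded output renders each title as literal text: the second item shows the characters `<script>alert(1)</script>` on screen instead of executing, and `Array<string>` stays visible instead of being swallowed as an unknown tag. This covers HTML body text and quoted attribute values only; a value placed in a URL query string, a JavaScript string literal, or a CSS value needs the encoding appropriate to that context.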
About HTML Entity Encoding
- & → &amp; — prevents ambiguity in HTML parsing
- < → &lt; — prevents tag injection
- > → &gt; — closes open tags safely
- " → &quot; — safe inside attribute values
- ' → &#39; — safe inside single-quoted attributes
When to use it
- Displaying user-generated content in HTML to prevent XSS attacks
- Embedding raw text inside HTML attributes or body content
- Generating HTML email templates with dynamic content