Protect your website from XSS vulnerabilities. Safely escape special characters, display raw code blocks, and decode entity strings instantly in your browser.
Prevent browsers from accidentally executing your text content as malicious HTML commands.
Convert dangerous angle brackets into safe `&lt;` and `&gt;` references. This guarantees that user-submitted text cannot hijack your application's DOM.
Did you scrape a massive block of unreadable text covered in `&quot;` entities from a JSON API? The engine can instantly decode the entities back into clean, readable plaintext.
The replacement algorithm utilizes secure DOM API parsing directly in your browser. Paste sensitive text without fear of server-side data interception.
An HTML Entity is a specialized string of text used to display reserved characters, invisible characters, or typographic symbols that cannot be typed directly on a standard keyboard. Entities typically begin with an ampersand (&) and end with a semicolon (;).
When a web browser downloads an HTML file, it must parse the text to figure out what is "content" (words to show the user) and what is "code" (instructions on how to draw the page).
The browser assumes that any time it sees a "Less Than" symbol (<), you are starting an HTML tag. Therefore, the angle brackets and the ampersand are considered Reserved Characters.
If you are writing an article for a math blog and you type "5 < 10", the browser gets confused. It thinks you are trying to open an HTML tag called `< 10>`. The math equation breaks, and your layout corrupts. To solve this, you must use an online HTML encoder to escape the equation into `5 &lt; 10`. The browser will see the entity, realize you want to display the visual symbol, and print the math perfectly.
Escaping reserved characters as HTML entities is the primary defense against cross-site scripting (XSS), the most common cyber attack on the internet.
Imagine you run a forum where users can post comments. A malicious hacker submits a comment containing the exact string: `<script>stealCookies();</script>`
If your database saves that raw string, and then renders it on the screen for the next visitor, the visitor's browser will execute the code and their session cookies will be stolen. However, if your backend server runs the comment through an HTML Entity Encoder first, the database saves `&lt;script&gt;`. When the next user visits the page, the browser simply displays the text safely on the screen, completely neutralizing the attack.
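The encode and decode steps described above, as an added example that is not this tool's own code. The function names and the small `NAMED` table are assumptions made for illustration; the sample inputs are constructed from the scenarios on this page.

```javascript
// Added example, not the tool's own code. Names and the NAMED table are illustrative.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
// Small constructed subset of named entities, enough for the cases on this page.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
                nbsp: "\u00a0", copy: "\u00a9", mdash: "\u2014" };

// Encode the characters that can change how element content or a quoted
// attribute value is parsed. One regex pass, so "&" is never encoded twice.
function encodeEntities(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Decode named (subset above), decimal and hex references in a single pass.
// A single pass matters: "&amp;lt;" must become "&lt;", not "<".
function decodeEntities(text) {
  return String(text).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z]+);/g, (whole, body) => {
    if (body[0] === "#") {
      const isHex = body[1] === "x" || body[1] === "X";
      const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // Leave out-of-range references untouched instead of throwing.
      return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    // Unknown names are left as written rather than guessed.
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : whole;
  });
}

// Constructed inputs taken from the scenarios on this page.
const comment = "<script>stealCookies();</script>";
console.log(encodeEntities(comment));   // what the page would render as inert text
console.log(encodeEntities("5 < 10"));
console.log(decodeEntities("&copy; AT&amp;T &#x2014; &amp;lt;"));
```

Encoding an already-encoded string escapes its ampersands again, so encode exactly once, at the point where text is written into HTML.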
Beyond security, designers use entities to render professional typographic symbols that do not exist on a standard QWERTY keyboard:
- `&copy;` in your footer to instantly generate the legal copyright symbol.
- `&nbsp;` to force a blank space without allowing the browser to wrap the text to the next line.
- `&mdash;` to insert a professional, elongated hyphen used in high-end publishing.
- `AT&amp;T` to ensure strict HTML validity.