HTML Entity Encoder/Decoder — Developer Code Samples

HTML entity encoding converts characters like <, >, &, and " into safe HTML representations (<, >, &, "). This is essential for preventing XSS attacks when rendering user-supplied content in HTML documents.

Try the interactive version online: Open HTML Entity Encoder Tool →

Parameters

Parameter	Type	Required	Description
text	str	Yes	Input string to encode or decode HTML entities
mode	str	No	Operation mode: encode or decode (default: encode)
quote	bool	No	Also encode double quotes as " (default: True)

Returns: String with HTML entities encoded (safe for HTML output) or decoded (original characters)

Code Examples

import html

# Encode HTML entities (escape for safe HTML output)
user_input = '<script>alert("XSS")</script> & "quoted" text'
encoded = html.escape(user_input)
print(encoded)
# Output: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt; &amp; &quot;quoted&quot; text

# Encode but keep single quotes unescaped (default behavior)
encoded_default = html.escape(user_input, quote=True)
print(encoded_default)

# Decode HTML entities back to characters
encoded_text = "&lt;b&gt;Hello &amp; World&lt;/b&gt;"
decoded = html.unescape(encoded_text)
print(decoded)
# Output: <b>Hello & World</b>

# Named HTML entities
entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
    '©': '&copy;',
    '®': '&reg;',
    '™': '&trade;',
    '€': '&euro;',
    '£': '&pound;',
}

# Encode all non-ASCII characters as numeric entities
def encode_all(text):
    return ''.join(
        f'&#{ord(c)};' if ord(c) > 127 else html.escape(c)
        for c in text
    )

print(encode_all("Hello © World 2024"))
# Output: Hello &copy; World 2024

// Encode HTML entities (browser)
function htmlEncode(text) {
  const div = document.createElement('div');
  div.appendChild(document.createTextNode(text));
  return div.innerHTML;
}

// Alternative: manual encoding (works in Node.js too)
function htmlEscape(str) {
  return str
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Decode HTML entities (browser)
function htmlDecode(text) {
  const div = document.createElement('div');
  div.innerHTML = text;
  return div.textContent || div.innerText || '';
}

// Node.js version (no DOM)
function htmlUnescapeNode(str) {
  return str
    .replace(/&amp;/g, '&')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&#(\d+);/g, (match, dec) => String.fromCharCode(dec))
    .replace(/&([a-z]+);/gi, (match, name) => {
      const entities = { nbsp: ' ', copy: '©', reg: '®', trade: '™' };
      return entities[name] || match;
    });
}

const input = '<script>alert("XSS")</script>';
console.log(htmlEscape(input));
// Output: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;

# HTML encode with Python
python3 -c "import html, sys; print(html.escape(sys.argv[1]))" '<script>alert("XSS")</script>'

# HTML decode with Python
python3 -c "import html, sys; print(html.unescape(sys.argv[1]))" '&lt;b&gt;Hello&lt;/b&gt;'

# Encode with sed (basic characters)
echo '<script>alert("XSS")</script>' | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'

# Decode with sed
echo '&lt;b&gt;Hello &amp; World&lt;/b&gt;' | sed 's/&lt;/</g; s/&gt;/>/g; s/&amp;/\&/g; s/&quot;/"/g'

# Using PHP
echo '<b>Hello & World</b>' | php -r "echo htmlspecialchars(fgets(STDIN));"
echo '&lt;b&gt;Hello&lt;/b&gt;' | php -r "echo htmlspecialchars_decode(fgets(STDIN));"

Other Tool APIs

JSON Formatter Base64 Encode/Decode URL Encode/Decode Lorem Ipsum Generator Word & Character Counter MD5 & SHA Hash Generator

View all API docs →