HTML Entity Encoder

Escape &, <, > and quotes into HTML entities live as you type — with an option to encode every non-ASCII character. Nothing leaves your browser.


How to escape text for HTML

  1. Paste the text — code snippets, user input, anything with <, >, & or quotes. Encoding happens live.
  2. Tick encode non-ASCII if the HTML must survive systems without reliable UTF-8, like email templates.
  3. Copy the result into your markup. Use ⇄ Swap to flip the output back through the decoder and verify it round-trips.

Why these five characters matter

HTML gives &, < and > structural meaning, so putting them in content raw either breaks rendering or — when the text comes from users — opens the door to script injection. Escaping turns them into character references (&amp;, &lt;, &gt;) that display as the original characters but can never be parsed as markup. Quotes get the same treatment because they terminate attribute values. Typical uses: showing code examples on a web page, embedding snippets in blog CMSes that don't auto-escape, preparing text for XML/RSS feeds, and sanity-checking what a template engine should be producing.
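The escaping described above, together with the encode non-ASCII option and the round-trip check, as an added example that is not this tool's own code. The names escapeHtml, unescapeHtml and roundTrips are assumptions, and the output is meant for HTML content and quoted attribute values only.

```javascript
// Added example; escapeHtml, unescapeHtml and roundTrips are hypothetical names.
const FIVE = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;'],
]);
const NAMES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function escapeHtml(text, { encodeNonAscii = false } = {}) {
  let out = '';
  // for...of walks code points, so an emoji stored as a surrogate pair
  // becomes one numeric reference rather than two invalid ones.
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    if (FIVE.has(ch)) {
      out += FIVE.get(ch);
    } else if (encodeNonAscii && cp > 0x7f) {
      // A lone surrogate has no valid character reference; emit U+FFFD.
      out += cp >= 0xd800 && cp <= 0xdfff ? '&#65533;' : `&#${cp};`;
    } else {
      out += ch;
    }
  }
  return out;
}

// Decodes only the references escapeHtml can emit (plus hex and &apos;).
function unescapeHtml(html) {
  const ref = /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|(amp|lt|gt|quot|apos));/g;
  // One pass: "&amp;lt;" decodes to "&lt;", never all the way to "<".
  return String(html).replace(ref, (match, dec, hex, name) => {
    if (name) return NAMES[name];
    const cp = dec ? parseInt(dec, 10) : parseInt(hex, 16);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// The check the Swap step performs by hand: decode(encode(x)) === x.
function roundTrips(text, options) {
  return unescapeHtml(escapeHtml(text, options)) === text;
}

// Constructed sample input.
const sample = '<a title="Tom & \'Jerry\'">caf\u00e9 \u2014 \u{1F600}</a>';
console.log(escapeHtml(sample));
console.log(escapeHtml(sample, { encodeNonAscii: true }), roundTrips(sample));
```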

Frequently asked questions

Which characters must be escaped in HTML?

At minimum &, < and > in content, plus double and single quotes inside attributes — exactly the five this tool escapes by default.

When do I need to encode all non-ASCII characters?

When the HTML might travel through systems without reliable UTF-8 — legacy email clients, old CMS templates. The option converts é, em-dashes and emoji to numeric entities that survive any encoding.

Does escaping prevent XSS attacks?

Escaping user input before inserting it into HTML content is the core defense against reflected XSS. But attribute, URL and JavaScript contexts each have their own rules — use your template engine's auto-escaping in production.

Is my text sent anywhere?

No — encoding runs entirely in your browser. Nothing is transmitted or stored.
