Escape HTML Special Characters Online
Convert HTML special characters to their entity equivalents for safe display and XSS prevention. Free online HTML entity encoder.
What is HTML Entity Escaping?
HTML entity escaping (also called HTML encoding) is the process of converting special characters that have meaning in HTML into their entity equivalents. This prevents browsers from interpreting these characters as HTML markup, ensuring they display as literal text.
For example, the less-than sign (<) becomes &lt; and the ampersand (&) becomes &amp;. This is essential for displaying code snippets, user-generated content, and preventing cross-site scripting (XSS) attacks.
Why HTML Escaping Matters
Security: XSS Prevention
Cross-Site Scripting (XSS) is one of the most common web vulnerabilities. Attackers inject malicious scripts through user input fields. When this input is displayed without escaping, the browser executes the script, potentially stealing session cookies, credentials, or performing actions on behalf of the user.
By escaping HTML entities before display, <script> becomes the harmless text &lt;script&gt;, which browsers render literally instead of executing.
Correct Content Display
When documenting HTML, XML, or code samples, you need to display tags as text rather than having the browser interpret them. Escaping ensures your code examples render correctly on the page.
Data Integrity
In HTML attributes, certain characters like quotes and ampersands can break the attribute syntax. Proper escaping ensures data containing these characters is stored and retrieved correctly.
Common HTML Entities
- & → &amp; (ampersand - most important, as it starts all entities)
- < → &lt; (less than - starts HTML tags)
- > → &gt; (greater than - closes HTML tags)
- " → &quot; (double quote - for attribute values)
- ' → &#39; or &#x27; (single quote/apostrophe)
- / → &#x2F; (forward slash - helps prevent tag closing injection)
When to Escape HTML
- User Input Display: Any time you show user-submitted content on a page.
- Code Samples: When displaying HTML, XML, or code in documentation.
- Email Templates: HTML emails need escaped content to prevent rendering issues.
- JSON in HTML: When embedding JSON data in script tags or attributes.
- RSS/Atom Feeds: Feed content should be escaped to prevent XML parsing errors.
Escaping vs Sanitizing
It's important to understand the difference between escaping and sanitizing:
- Escaping: Converts special characters to entities. All original content is preserved but rendered as text.
- Sanitizing: Removes or modifies potentially dangerous content. Some content may be lost.
Use escaping when you want to display content exactly as entered (like in code examples). Use sanitizing when you want to allow some HTML formatting but remove dangerous elements.
Best Practices
- Always escape output, not input (escape at the point of display).
- Use your framework's built-in escaping functions rather than manual replacement.
- Be aware of context—HTML attributes may need different escaping than HTML content.
- Never rely solely on client-side escaping; always escape on the server too.
- Consider using Content Security Policy (CSP) headers as an additional XSS defense layer.
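The entity table and the best practices above, put into code as an added example (this is not the online tool's own implementation): a single-pass escaper for the six characters, used in both text and quoted-attribute context, plus a helper that shows why escaping input and then escaping output again double-encodes.

```javascript
// Added example, not the tool's code: the six characters from the table above.
const HTML_ENTITIES = {
  '&': '&amp;',   // must be handled first in any chained replace; it starts every entity
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape for HTML text content and double-quoted attribute values.
// One regex pass replaces each character exactly once, so the "& first"
// ordering bug of chained .replace() calls cannot occur here.
// Not sufficient for unquoted attributes, JavaScript, CSS or URL contexts,
// which need their own context-specific encoders.
function escapeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Render one untrusted string in both places it is commonly shown:
// as element text and inside a quoted attribute. Escaping happens here,
// at the point of output, not when the value was stored.
function renderComment(untrusted) {
  const safe = escapeHtml(untrusted);
  return `<p title="${safe}">${safe}</p>`;
}

// Escaping on input and again on output is the usual cause of visible
// "&amp;lt;" artifacts; this helper reproduces that symptom on purpose.
function doubleEscaped(input) {
  return escapeHtml(escapeHtml(input));
}

// Constructed sample of a hostile comment (assumption, not real data).
const SAMPLE = `"><script>alert(1)</script><a href='#'>x</a> & co`;

// True when no raw markup character survives in the escaped output.
function isInert(escaped) {
  return !/[<>"'\/]/.test(escaped) && !/&(?!(amp|lt|gt|quot|#x27|#x2F);)/.test(escaped);
}

console.log(renderComment(SAMPLE));
```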