Escape and unescape HTML safely
Paste text to convert HTML-significant characters into entities, or paste entity-encoded text to turn it back into readable characters. Encoding escapes the four characters that matter most (& < > ") plus the apostrophe, so your text displays exactly as written instead of being read as markup. It all runs in your browser.
Why entities exist
Some characters are part of HTML's own syntax. An unescaped < can start a tag, and a stray & can begin an entity, so pasting raw text into a page can break the layout, or, with user-supplied text, open the door to cross-site scripting. Converting those characters to entities like &lt; and &amp; makes the text safe to display.
Common entities
- & → &amp;
- < → &lt; and > → &gt;
- " → &quot; and ' → &#39;
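The mapping above, as an added example written for this page rather than the tool's own code: `escapeHtml` replaces the five characters with their entities, and `unescapeHtml` reverses the named entities plus decimal and hex numeric references, decoding in a single pass so that already-escaped text such as `&amp;lt;` is not collapsed twice. Function names are chosen here, not taken from the page.

```javascript
// Entity table for the five characters the page lists (numeric &#39; is used for
// the apostrophe because &apos; is not defined in HTML 4).
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  // '&' is in the class, so escaping an already-escaped string escapes it again.
  // That is intentional: escape exactly once, at the point where text is output.
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Named entities recognised when decoding; everything else is left untouched so
// that nothing silently disappears from the input.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

function unescapeHtml(text) {
  // One regex pass: a decoded '&' is never rescanned, so "&amp;lt;" becomes "&lt;", not "<".
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const isHex = body[1].toLowerCase() === "x";
      const code = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      // String.fromCodePoint throws above U+10FFFF; keep the literal text instead.
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Constructed sample: a script tag that must be shown as text, not executed.
const sample = '<script>alert("x")</script>';
console.log(escapeHtml(sample));
console.log(unescapeHtml(escapeHtml(sample)) === sample);
```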
Frequently asked questions
What are HTML entities?
HTML entities are codes that represent characters which have special meaning in HTML or can't be typed directly. For example, the less-than sign becomes &lt; and an ampersand becomes &amp;, so the browser displays the character instead of interpreting it as markup.
When should I encode HTML entities?
Encode any text you're inserting into HTML that came from users or other untrusted sources, and any code samples you want shown literally. Escaping the characters <, >, &, and quotes prevents the text from breaking your markup or enabling injection.
Is encoding HTML entities the same as security sanitizing?
Escaping entities is an important part of preventing cross-site scripting when displaying text, but full sanitizing of rich HTML input needs a dedicated library. Use entity encoding for plain text output, and a vetted sanitizer when you must allow some HTML.