HTML Encode: Convert Special Characters to HTML Entities
Convert <, >, &, quotes, and other special characters to safe HTML entities. Essential for preventing XSS vulnerabilities in web applications.
HTML encoding converts characters that have special meaning in HTML into their entity equivalents so they are displayed as literal text rather than interpreted as markup. The less-than sign (<) becomes &lt;, the greater-than sign (>) becomes &gt;, the ampersand (&) becomes &amp;, double quotes become &quot;, and single quotes become &#39;. This process is also called HTML escaping.
Failing to HTML-encode user-supplied content before rendering it in a web page is one of the most common and dangerous web security mistakes. It leads to Cross-Site Scripting (XSS) vulnerabilities, where an attacker injects script tags or event handlers into the page. XSS attacks can steal cookies, redirect users to phishing sites, or take full control of the user's session.
This tool encodes any text to its HTML-safe equivalent. Use it to test your escaping logic, generate static HTML content, or quickly escape snippets of code for display in documentation or blog posts.
What Are HTML Entities?
HTML entities are text representations of characters that would otherwise be interpreted as HTML syntax. An entity begins with an ampersand (&) and ends with a semicolon (;). Between them is either a named reference (like lt for less-than) or a numeric reference (decimal like &#60; or hexadecimal like &#x3C;).
The most important entities to know are: &lt; for <, &gt; for >, &amp; for &, &quot; for double quotes, and &#39; or &apos; for single quotes. Beyond these, there are hundreds of named entities for special symbols, currency signs, arrows, mathematical operators, and non-ASCII characters.
Modern web development primarily uses UTF-8 character encoding, which means most non-ASCII characters can be included directly in HTML without entity encoding. However, the five structural characters (<, >, &, ", ') must always be encoded when they appear in text content or attribute values to prevent them from being interpreted as HTML.
How to Use This Tool
Encoding text for safe HTML insertion takes only a moment with this tool.
1. Paste the text to encode. Enter the user input, code snippet, or any text that contains characters you want to convert to HTML entities.
2. Choose the encoding scope. Select minimal encoding (only <, >, &, and quotes) for most use cases, or full encoding to convert all non-ASCII characters to numeric entities for maximum compatibility.
3. Click Encode. The tool replaces all special characters with their corresponding HTML entities.
4. Copy the encoded output. The encoded string is safe to insert into HTML templates, innerHTML assignments, or static HTML documents.
5. Verify in a browser. Paste the encoded HTML into a browser to confirm it renders as the intended text without any parsing issues.
Common Use Cases
HTML encoding is a critical safety measure in many development scenarios.
- Escaping user-submitted comments, reviews, or profile data before rendering them on a web page.
- Displaying code snippets in HTML documentation or blog posts without the browser interpreting the tags.
- Encoding email addresses or special symbols in HTML templates.
- Preparing content for insertion into HTML attribute values (href, title, alt, data-* attributes).
- Generating safe HTML email content where client rendering behaviour is unpredictable.
- Encoding API response data before injecting it into server-rendered HTML templates.
Tips and Best Practices
- Always use your framework or template engine's built-in auto-escaping rather than manual encoding; frameworks like React, Angular, and Django escape content by default.
- Encode at the point of output, not at the point of input; store raw data in your database and encode only when rendering to prevent double-encoding issues.
- In JavaScript, prefer textContent over innerHTML whenever you do not need HTML markup; textContent is always treated as plain text and never parsed as HTML.
- Do not rely on HTML encoding alone for security; combine it with a strict Content Security Policy (CSP) to limit the damage from any escaping mistakes.
- Encode content placed in JavaScript strings within HTML separately using JavaScript string escaping on top of HTML encoding, as the contexts have different injection risks.
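The encoder described in the steps above, together with the double-encoding pitfall from the tips, as an added example that is not the tool's own code. It assumes the minimal/full scope split the tool offers (five structural characters versus additionally turning every non-ASCII code point into a hex numeric entity) and includes a small decoder, hypothetical and written for this example, so the round trip can be checked offline.

```javascript
// Minimal scope: the five structural characters that must always be encoded
// in text content and double-quoted attribute values.
const MINIMAL = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;", // numeric form: &apos; is XML and was not in HTML 4
};

// scope is "minimal" or "full". A single regex pass handles the five
// characters, so an already-emitted "&amp;" is never re-encoded here.
function htmlEncode(text, scope = "minimal") {
  let out = String(text).replace(/[&<>"']/g, (ch) => MINIMAL[ch]);
  if (scope === "full") {
    // Iterate by code point so an astral character (emoji) becomes one
    // entity, not a pair of surrogate entities.
    out = Array.from(out, (ch) => {
      const cp = ch.codePointAt(0);
      return cp > 0x7f ? `&#x${cp.toString(16).toUpperCase()};` : ch;
    }).join("");
  }
  return out;
}

// Decoder for the entities the encoder emits (the five named ones plus
// decimal and hex numeric references); used to verify the round trip.
function htmlDecode(encoded) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return encoded.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return named[ref.toLowerCase()] ?? m; // unknown names are left as-is
  });
}

// Constructed sample input: user text containing every structural character
// and a non-ASCII code point.
const COMMENT = 'Tom & Jerry <script>alert(1)</script> say "hi" 😀';

// Encoding must happen exactly once, at output time. Encoding an already
// encoded string produces "&amp;lt;", which the browser shows as "&lt;".
function doubleEncoded(text) {
  return htmlEncode(htmlEncode(text));
}
```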
HTML Encoding vs. HTML Sanitisation
HTML encoding and HTML sanitisation serve different purposes. Encoding converts all HTML to entities and treats the content as plain text, making it completely safe but removing all formatting. Sanitisation selectively removes or neutralises dangerous HTML while preserving safe markup like bold, italic, and links.
Use HTML encoding when you want to display text content that should never be interpreted as HTML. Use sanitisation (with a library like DOMPurify) when you need to accept rich text input and allow certain HTML tags while blocking dangerous ones like script and iframe.
Never build your own HTML sanitiser. The edge cases are numerous and well-known sanitiser libraries have been hardened against bypass techniques that would be easy to miss in a custom implementation.
Frequently Asked Questions
Why is HTML encoding important for security?
Without HTML encoding, an attacker can inject script tags or event handlers into your page by submitting malicious input like <script>alert(document.cookie)</script>. If this input is rendered without encoding, the browser executes the injected script in the context of your page, giving the attacker access to the user's session. This is a Cross-Site Scripting (XSS) attack.
Does React or Vue automatically HTML-encode content?
Yes. React encodes all text content rendered through JSX expressions by default. Vue similarly escapes text interpolations ({{ value }}). However, React's dangerouslySetInnerHTML and Vue's v-html bypass this protection, so you must manually sanitise content before using those APIs.
What is the difference between &#39; and &apos; for single quotes?
&apos; is defined in XML and XHTML but was not part of the original HTML 4 specification. For maximum browser compatibility in HTML documents, use &#39; or &#x27; for single quotes. Modern HTML5 parsers accept &apos;, but &#39; is universally safe.
Should I encode text going into HTML attributes differently?
The same five characters (<, >, &, ", ') must be encoded in attribute values. Additionally, always quote attribute values with double quotes to prevent injection through unquoted attributes. For href attributes, also validate the URL scheme to prevent javascript: URLs.
When should I use named entities versus numeric entities?
Named entities like &lt; and &amp; are more readable and are universally supported. Numeric entities like &#60; or &#x3C; work for any Unicode character, including those without a named entity. Use named entities for the common five characters and numeric entities when you need to encode arbitrary Unicode characters.
Is it safe to store HTML-encoded data in a database?
It is better to store raw data in the database and encode it at render time. Storing encoded data creates problems: you double-encode if you encode again when rendering, search queries must account for encoded values, and the stored data is harder to process in other contexts like plain-text emails.
Does HTML encoding prevent SQL injection?
No. HTML encoding is specifically for preventing XSS in HTML output. SQL injection requires parameterised queries or prepared statements, which are a completely separate mechanism. You need both protections independently applied at the correct layer.