Safe Tools

HTML Entity Converter

Securely escape and unescape HTML special characters. Includes settings for handling quotation marks.

📖 Learn about the importance of escaping and XSS prevention

What is HTML Escaping (Entity Encoding)?

Escaping is the process of converting characters that have special meaning in HTML (meta-characters) into safe string representations (entities) so the browser interprets them simply as "text" rather than as markup. It is a mandatory step in web applications whenever user-supplied input is rendered on the screen.

Why is escaping necessary? (XSS Prevention)

Failing to escape data can lead to "XSS (Cross-Site Scripting)", a critical vulnerability.

If a malicious user inputs code like <script>alert('attack')</script> into a form and it is output directly to the screen, the browser interprets it as "executable JavaScript". This can cause severe damage, such as session hijacking (stealing cookies), redirection to fake sites, or forcing unauthorized actions.

List of the Main Special Characters Converted

In web security best practices, these are the "5 special characters" that must always be escaped.

  • & (Ampersand) → &amp; : This must be converted first, as it is the starting character of every HTML entity; converting it later would re-encode entities produced by the other replacements.
  • < (Less than) → &lt; : Prevents the start of an HTML tag.
  • > (Greater than) → &gt; : Prevents the end of an HTML tag.
  • " (Double quote) → &quot; : Prevents strings from breaking out of HTML tag attribute values (such as href or value).
  • ' (Single quote) → &#39; : Like the double quote, used for escaping attribute values. (&apos; is not recommended because older versions of IE do not support it, so the numeric character reference &#39; is preferred.)
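The following is an added example, not code from the Safe Tools page: a browser-side escape function that handles the five characters listed above in the recommended order (ampersand first), with a quotes option that mirrors the tool's quotation-mark setting, and the inverse decoder that reverses it in a single pass so that already-encoded text such as &amp;lt; is never decoded twice. The function names, the option name and the sample strings are assumptions chosen for the example.

```javascript
// Added example (not the Safe Tools page's own code).
// Replacement table for the five HTML meta-characters.
const ENTITY_MAP = {
  '&': '&amp;',  // listed first: it starts every entity, so it is never re-encoded
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',  // numeric reference instead of &apos; (older IE lacks support)
};

// Named entities accepted by the decoder (the page's set plus &apos;).
const NAMED_DECODE = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// escapeHtml(text, { quotes }) -> entity string.
// A single regex pass replaces every meta-character exactly once, so the
// order problem with '&' cannot occur. quotes=false encodes only & < > and
// is safe between tags, but NOT inside an attribute value, where a stray
// " or ' would terminate the attribute; keep quotes=true for attributes.
function escapeHtml(text, { quotes = true } = {}) {
  const pattern = quotes ? /[&<>"']/g : /[&<>]/g;
  return String(text).replace(pattern, (ch) => ENTITY_MAP[ch]);
}

// unescapeHtml(entityString) -> plain text.
// Decodes the named entities above plus decimal (&#60;) and hex (&#x3C;)
// numeric references in ONE pass: '&amp;lt;' becomes '&lt;', not '<',
// because the result of one replacement is never rescanned.
function unescapeHtml(entityString) {
  return String(entityString).replace(
    /&(#[xX][0-9a-fA-F]+|#[0-9]+|amp|lt|gt|quot|apos);/g,
    (whole, ref) => {
      if (ref[0] === '#') {
        const isHex = ref[1] === 'x' || ref[1] === 'X';
        const cp = isHex ? parseInt(ref.slice(2), 16) : Number(ref.slice(1));
        return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole; // leave invalid refs as-is
      }
      return NAMED_DECODE[ref];
    }
  );
}

// Demo with the payload quoted on this page, rendered without and with escaping.
const payload = "<script>alert('attack')</script>";
console.log('raw:     ', `<p>${payload}</p>`);              // browser would run the script
console.log('escaped: ', `<p>${escapeHtml(payload)}</p>`);  // browser displays it as text
console.log('attr:    ', `<input value="${escapeHtml('" onfocus="x')}">`); // quote stays inside the attribute
```

The escape side is what a template engine applies to every interpolated value by default; the decoder is only needed when you deliberately want to display previously encoded text as its original characters, never as a step before inserting it into the DOM.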

Input (HTML)

Escape Options

Output (Entity String)

About Security

All data is processed within your browser. It is never sent to external servers. Use with peace of mind.