HTML Escape/Unescape
HTML entity escape/unescape tool to help reduce XSS risk
🚀 Quick Start
- Enter content (HTML or already‑escaped text) in the textbox
- Choose Encode or Decode
- Click the button to convert; the result appears in the same textarea
- Click Copy to reuse the result
📌 Common Scenarios
- User Comments: Escape user-submitted comments to prevent XSS attacks
- Blog Posts: Display HTML code examples in articles
- Forum Posts: Safely display user-generated content
- Chat Messages: Prevent malicious scripts from spreading through chat features
- Form Data: Process and display form submission data
- Code Display: Show HTML/JavaScript code snippets on web pages
🎛️ Escaping Rules & Entities
- Common characters: < > & " ' (slash / is generally not required; context‑dependent)
- Entity Format: Special characters are converted to &entity; or &#code; format, e.g., < becomes &lt; or &#60;
- Attribute Escaping: Double quotes convert to &quot; and single quotes to &#39;, protecting quoted HTML attribute values (the value must actually be quoted in the markup)
- Script Protection: <script> tags are escaped like any other markup (< and > become &lt; and &gt;), so the browser renders them as text instead of executing them
- Write <div> as &lt;div&gt; so the browser displays it as text instead of parsing it as a tag
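The rules above, as an added worked example in JavaScript (this is illustrative code, not the tool's own source): a minimal encoder for the five characters, a decoder for named, decimal and hex entities, and the double-escaping pitfall. The named-entity table is a deliberately small assumption; browsers know over two thousand.

```javascript
// Added example, not the tool's implementation. Minimal HTML escape/unescape
// following the entity rules on this page.

// Characters that must be escaped in HTML text and in QUOTED attribute values.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;', // &apos; is HTML5-only; the numeric form works in every HTML version
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Assumed, deliberately small table of named entities for this example.
// Numeric (&#60;) and hex (&#x3C;) references are decoded generically.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

function unescapeHtml(text) {
  // Single pass: each match is one complete entity with its trailing semicolon,
  // so "&amp;lt;" decodes to "&lt;" (one level), never all the way to "<".
  return String(text).replace(
    /&(?:#x([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z]+));/g,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const code = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        // Outside the Unicode range there is nothing sensible to emit; keep the text.
        return code <= 0x10ffff ? String.fromCodePoint(code) : match;
      }
      // Unknown named entity: leave it untouched rather than guessing.
      return name in NAMED_ENTITIES ? NAMED_ENTITIES[name] : match;
    },
  );
}

// Constructed sample input: a script tag submitted by a user.
const untrusted = '<script>alert("x")</script>';
const safeForHtmlBody = escapeHtml(untrusted);
// -> &lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt;  (rendered as text, not run)

// Round trip: decoding gives back exactly the original.
console.log(unescapeHtml(safeForHtmlBody) === untrusted); // true

// Named and numeric forms decode to the same character.
console.log(unescapeHtml('&lt;&#60;&#x3C;')); // <<<

// Double-escaping pitfall: escaping an already-escaped string turns "&lt;" into
// "&amp;lt;", which the browser then displays literally as "&lt;".
// Escape exactly once, at the point of output.
console.log(escapeHtml(escapeHtml('<'))); // &amp;lt;
```

Note that the decoder requires the trailing semicolon; it does not reproduce the browser's legacy no-semicolon parsing, which is exactly the ambiguity the FAQ below warns about.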
🧭 Usage Advice
- Context-aware Escaping: Choose appropriate escaping strategy based on output location
- Server-side Processing: Critical security escaping should be done server-side
- Double Check: Verify output after escaping to ensure nothing is missed
- Use Libraries: Production environments should use mature escaping libraries instead of manual processing
- Preview Check: Preview the actual rendering in a browser (for example via the devtools Elements panel) after escaping
⚠️ Limitations & Compatibility
- Not a sanitizer: does not remove scripts/events/unsafe protocols; use with content sanitization
- Incomplete Protection: Escaping alone cannot prevent all XSS, combine with other security measures
- Context Dependent: Different locations require different escaping strategies (HTML content, attributes, JavaScript, CSS)
- To keep the page responsive, very large inputs may be processed with a simpler routine. Consider splitting very large text into smaller chunks
🔒 Privacy & Security
- All processing happens in your browser; data never leaves your device
❓ FAQ
What is an XSS attack?
XSS (Cross-Site Scripting) is when attackers inject malicious scripts into web pages to steal user information or perform malicious operations. HTML escaping is a fundamental defense against XSS
When is HTML escaping needed?
Escaping is needed when displaying any user input, including comments, messages, form data, etc. Any content that might contain HTML tags needs escaping
What's the difference between &lt; and &#60;?
Both represent < (less‑than). &lt; is a named entity (lt = less‑than); &#60;/&#x3C; are numeric/hex entities. In modern HTML they behave the same: use &lt; for readability; use &#60;/&#x3C; when named entities aren’t supported or for arbitrary characters/cross‑markup. Always keep the trailing semicolon (e.g., &lt;); without it, parsing may glue to following letters, e.g., “&notin” is read as “&not;”+“in” → “¬in”
Does escaping prevent all JavaScript injection?
No. HTML escaping only works in HTML context. JavaScript, CSS, and URL contexts require different escaping methods
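The context point above, as an added JavaScript example (illustrative code, not the tool's own): the same untrusted value placed in an unquoted attribute, a JavaScript string literal and an href, showing where entity escaping is enough and where a different encoder or an allow-list is needed. The `example.invalid` base URL and the scheme list are assumptions for the example.

```javascript
// Added example, not the tool's implementation. Same untrusted input, four output contexts.

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// 1. Quoted attribute: entity escaping is correct, because the only way out of the
//    value is the quote character, and that is escaped.
function attrQuoted(value) {
  return `<div title="${escapeHtml(value)}">`;
}

// 2. Unquoted attribute (bug on purpose): a space ends the value, and entity
//    escaping does not touch spaces or '=', so a new attribute can be injected.
function attrUnquoted(value) {
  return `<div title=${escapeHtml(value)}>`;
}

// 3. JavaScript string literal inside a <script> block: the browser does NOT decode
//    entities there, so use a JS encoder instead. JSON.stringify handles quotes,
//    backslashes and control characters; '<' is additionally encoded so "</script>"
//    cannot terminate the script block, and U+2028/U+2029 because older engines
//    treat them as line terminators.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// 4. URL in an href: entity escaping leaves "javascript:" intact. Parse the URL,
//    allow-list the scheme, and only then HTML-escape it for the attribute.
//    Assumed base (example.invalid) so relative links resolve to an allowed scheme.
const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:', 'tel:'];
function safeHref(value) {
  let parsed;
  try {
    parsed = new URL(String(value), 'https://example.invalid/');
  } catch {
    return null; // unparseable: refuse rather than guess
  }
  return ALLOWED_SCHEMES.includes(parsed.protocol) ? String(value) : null;
}

function linkTag(value) {
  const href = safeHref(value);
  return href === null ? '<a>' : `<a href="${escapeHtml(href)}">`;
}

// Constructed sample inputs.
console.log(attrQuoted('x" onmouseover="alert(1)'));   // attribute stays one value
console.log(attrUnquoted('x onmouseover=alert(1)'));   // onmouseover becomes a real attribute
console.log(toJsStringLiteral('</script><script>alert(1)</script>'));
console.log(linkTag('javascript:alert(1)'), linkTag('https://example.com/?q=a&b=1'));
```

The unquoted-attribute case is the one to remember: the escaper did its job and the output is still exploitable, because the surrounding markup, not the escaper, decides what a character means.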
Why do I sometimes see &amp;lt; double escaping?
This happens when content is escaped twice. First < becomes &lt;, then & is escaped to &amp;, resulting in &amp;lt;. Avoid repeated escaping
How to allow some safe HTML tags?
Use sanitization (not just escaping): allow‑list safe tags/attributes and filter protocols. Keep only p/br/ul/ol/li/a/strong/em/code/pre/blockquote/h1–h3; for &lt;a&gt; allow only href/title/target (protocols http/https/mailto/tel), for &lt;img&gt; only src/alt; remove style attributes and all on* event handlers. Recommended libraries: DOMPurify or sanitize‑html; sanitize on the server when possible; never insert untrusted content via innerHTML/dangerouslySetInnerHTML; use textContent for plain text