
$ escape --html

HTML Entity Encoder / Decoder

Escape special characters for safe display in HTML, or decode entity-encoded text back to plain characters.

Why escape HTML

Characters like <, >, &, and quotes have structural meaning in HTML. Displaying user-supplied text without escaping them is the classic path to broken layouts and cross-site scripting (XSS) attacks. Escaping converts them into harmless entity references the browser renders as visible characters.

The five essential entities

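&amp; for & · &lt; for < · &gt; for > · &quot; for double quote · &#39; for single quote. Escaping these five covers safe insertion into element content and quoted attribute values. It does not make text safe in other contexts such as unquoted attributes, script or style blocks, or URLs, which need their own encoding.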

Note for frameworks

Modern frameworks (React, Vue, most template engines) escape output automatically. Manual escaping matters when building HTML strings by hand, writing to innerHTML, generating emails, or storing display-ready content.
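
The five-entity mapping applied to a hand-built HTML string, with its inverse, as an added example (not this tool's own code). The names `escapeHtml`, `decodeHtml` and `renderComment` are illustrative, and the sample strings are constructed.

```javascript
// Added example: the five-entity escape and its inverse. Names are illustrative.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// One pass over the input: each character is replaced at most once, so the
// "&" that begins an emitted "&lt;" is never escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Decodes the named forms above plus decimal (&#39;) and hex (&#x27;) references.
// Also a single pass: "&amp;lt;" becomes "&lt;", not "<", so text that was
// escaped twice is only unwrapped one level per call.
function decodeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') {
      // Exact-case lookup; unknown names are left untouched.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Leave NUL, surrogates and out-of-range code points as written.
    if (code === 0 || code > 0x10ffff || (code >= 0xd800 && code <= 0xdfff)) return match;
    return String.fromCodePoint(code);
  });
}

// Hand-built markup: one value lands in a quoted attribute, one in element content.
function renderComment(author, body) {
  return `<div class="comment" title="${escapeHtml(author)}">${escapeHtml(body)}</div>`;
}

// Constructed sample input containing markup and an attribute-breaking quote.
const sampleAuthor = 'x" onclick="alert(1)';
const sampleBody = "<script> Tom & Jerry's";
console.log(renderComment(sampleAuthor, sampleBody));
```

The attribute in `renderComment` is safe only because it is wrapped in double quotes; the same escaped value placed in an unquoted attribute could still be split on whitespace.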