About HTML Entity Encode

Convert characters to HTML entities. Part of the DevTools Surf developer suite. Browse more tools in the Text / String collection.

Use Cases

• Escaping user-generated content before rendering in HTML
• Preparing code snippets for display in blog posts
• Encoding special characters in HTML email templates
• Sanitizing database text fields for safe web display

Tips

• Encode user input to prevent XSS in rendered HTML output
• Convert special characters like < > & before embedding in pages
• Use named entities for readability when hand-editing HTML

Fun Facts

• HTML 4.0 defined 252 named character entities, while HTML5 expanded the list to over 2,200 named references.
• The &amp; entity is the most commonly used HTML entity, required whenever a literal ampersand appears in HTML content.
• Character entity references were part of SGML long before HTML; they date back to the 1986 ISO 8879 standard.

FAQ

When do I need to HTML-encode text?

Whenever user-provided text is inserted into HTML without a templating engine. Encoding prevents XSS: `<script>` becomes `&lt;script&gt;` and renders as visible text.

Which characters get encoded?

The five dangerous ones: &, <, >, ", '. Toggle 'aggressive' to also encode non-ASCII characters as numeric entities for maximum portability.

Should I use this or my framework's escape function?

Always prefer the framework (React's default, Vue's {{ }}, Angular's interpolation). This tool is for raw HTML contexts — emails, static files, one-off patches.

Does it encode newlines?

No — `\n` isn't dangerous in HTML. If you need to convert newlines to `<br>`, use a separate nl2br helper. Encoding is about escaping, not formatting.