The XSS defense you should never skip
Five characters cause most of the trouble in HTML: &, <, >, ", and '. Leave them unencoded in user-generated content and you’ve got a cross-site scripting vulnerability. A user submits <script>alert('oops')</script> in a comment form, your page renders it without encoding, and now arbitrary JavaScript runs in every visitor’s browser.
Encoding converts those five characters to safe entity equivalents: &amp;, &lt;, &gt;, &quot;, and &#39;. The browser displays them as visible text instead of interpreting them as markup. Paste your text here and grab the encoded output that appears instantly.
The five characters and why they matter
& → &amp;, starts entity references. Without encoding, &copy; in your user’s text becomes a © symbol.
< → &lt;, opens tags. Unencoded, <img src=x onerror=alert(1)> becomes an actual image tag that runs JavaScript.
> → &gt;, closes tags. Encode it for consistency.
" → &quot;, breaks out of attribute values. " onmouseover="alert(1) inside an unencoded attribute is an injection.
' → &#39;, same deal with single-quoted attributes.
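As an added example (not the tool's own code), a small JavaScript encoder for the five characters, a decoder for the round trip, and a render helper; the sample inputs are the payloads quoted on this page and are constructed for the demo.

```javascript
// Added example (not the tool's own code): encoder and decoder for the five
// HTML-significant characters, plus a render helper exercised on the payloads
// quoted on this page. Sample inputs below are constructed for the demo.
const HTML_ENTITY_MAP = {
  '&': '&amp;',  // '&' starts every entity reference, so it must be encoded too
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',  // &#x27; is equivalent; &apos; was not defined in HTML 4
};

// Encode untrusted text for an HTML text node or a quoted attribute value.
// One regex pass over the string, so an existing '&' is encoded exactly once
// per call (calling encodeHtml twice on the same value gives '&amp;amp;').
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITY_MAP[ch]);
}

// Reverse the five entities (accepting both apostrophe forms). '&amp;' must be
// decoded last, otherwise '&amp;lt;' would incorrectly collapse to '<'.
function decodeHtml(encoded) {
  return String(encoded)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;|&#x27;/g, "'")
    .replace(/&amp;/g, '&');
}

// Build a comment element with the same untrusted value in both a text-node
// position and a double-quoted attribute; encoded, it is inert in either.
function renderComment(untrusted) {
  const safe = encodeHtml(untrusted);
  return `<p class="comment" title="${safe}">${safe}</p>`;
}

// Constructed samples: the payloads this page discusses, plus a literal entity.
const SAMPLES = [
  "<script>alert('oops')</script>",
  '<img src=x onerror=alert(1)>',
  '" onmouseover="alert(1)',
  'Copyright &copy; 2024',
];

for (const s of SAMPLES) {
  console.log(renderComment(s));
}
```

Every `<`, `>` and `"` in the rendered output comes from the template itself, never from the untrusted value, which is the whole point of encoding at output time.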
When you need to do this manually
Most frameworks (React, Django, Rails, Laravel) auto-encode output by default. But there are times you’re working outside a framework: building an HTML email template by hand, writing raw HTML for a static site, or preparing code examples for a tutorial where you want <div> to appear as text rather than creating an actual div element.
That’s when you paste your text here and let the encoder handle the five characters. Everything else passes through unchanged.
For decoding entities back to characters, use the HTML Decoder. The HTML Entities Reference has a full searchable table of every available entity.
FAQ
Is this the same as URL encoding?
No. HTML encoding produces entities like &amp;. URL encoding produces percent-encoded sequences like %26. Different problems, different solutions.
Will this stop all XSS?
Encoding these five characters handles the majority of reflected and stored XSS in HTML content. But XSS prevention is deeper than that: you also need to handle JavaScript contexts, CSS injection, and URL attributes, each of which has its own encoding rules. Entity encoding is necessary but not always sufficient by itself.
Can I encode a whole HTML document?
Technically yes, but it would encode all your tags too, making the document non-functional. This is meant for encoding text content that goes inside HTML, not entire documents.
Client-side?
Yes, JavaScript in your browser, nothing sent anywhere.