HTML Entity Encoder/Decoder
Convert special characters to/from HTML entities — for XSS-prevention checks and proper escaping.
Runs 100% client-side.
| Character | Named entity | Numeric entity |
|---|---|---|
| < | &lt; | &#60; |
| > | &gt; | &#62; |
| & | &amp; | &#38; |
| " | &quot; | &#34; |
| ' | &apos; | &#39; |
| (NBSP) | &nbsp; | &#160; |
| © | &copy; | &#169; |
| ® | &reg; | &#174; |
| ™ | &trade; | &#8482; |
| — | &mdash; | &#8212; |
| … | &hellip; | &#8230; |
| € | &euro; | &#8364; |
HOW TO USE
1. Encode escapes the five HTML-significant characters: <, >, &, ", '.
2. Decode understands both named entities (&amp;) and numeric entities (&#38;, &#x26;).
3. Use the reference table for the most common entities — handy when reviewing rendered HTML in a test failure screenshot.
WHEN TO USE
Use this when you need to safely embed user-supplied text in HTML without risking XSS, or when reviewing HTML that uses named or numeric entities and you want to see the actual characters. Encode before inserting any string into raw HTML — it escapes the five dangerous characters (<, >, &, ", ') that browsers treat as markup. Use Decode when a test failure screenshot or server response shows entity strings like &amp;, &lt;, or &#60; and you need to read the original text.
WHAT BUGS THIS FINDS
XSS via unescaped output
User-supplied text rendered directly into HTML without encoding allows script injection — Encode shows the escaped form the template should produce; compare it against the actual browser output.
Double-encoding of ampersands
An already-encoded &amp; passed through another encoding layer becomes &amp;amp; — Decode reveals the extra layer so you can find where the double-encode is happening.
Named vs numeric entity mismatches
Some parsers accept &apos; while others require &#39; — Decode normalises both to the character so you can confirm they represent the same value.
Smart quote corruption
Copy-pasted text from word processors contains curly quotes (‘, ’) that some strict parsers require as numeric entities — Encode surfaces the correct &#8216; form.
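The following is an added example, not the tool's own source code, showing the Encode and Decode operations from "How to use" together with the double-encoding and named-vs-numeric checks described under "What bugs this finds". It is plain JavaScript that runs in Node or a browser; the function names (`encodeHtml`, `decodeHtml`, `encodingDepth`, `verifyEscaping`) and the sample strings are this example's own choices. The named-entity table is limited to the entities the reference table above lists.

```javascript
// Added example (not the tool's code): HTML entity encoding/decoding with
// double-encoding detection and escaping verification. Node or browser.

// The five HTML-significant characters. '&#39;' is used for the apostrophe
// because '&apos;' is not understood by every parser (see the bug list above).
const ESCAPES = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };

// Encode: one regex pass so '&' is never re-escaped by a later replacement.
function encodeHtml(text) {
  return String(text).replace(/[<>&"']/g, (ch) => ESCAPES[ch]);
}

// Named entities from the reference table, plus the five escape entities.
const NAMED_TO_CHAR = {
  lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", nbsp: '\u00A0',
  copy: '\u00A9', reg: '\u00AE', trade: '\u2122', mdash: '\u2014',
  hellip: '\u2026', euro: '\u20AC',
};

// Decode named (&lt;), decimal (&#60;) and hex (&#x3C;) entities in a single
// pass. Unknown names and out-of-range code points are left untouched, so
// decoding never manufactures characters the input did not contain.
function decodeHtml(text) {
  return String(text).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp > 0x10ffff ? match : String.fromCodePoint(cp);
    }
    const ch = NAMED_TO_CHAR[body];
    return ch === undefined ? match : ch;
  });
}

// Count encoding layers by decoding until the text stops changing.
// A value that should be encoded exactly once but reports 2 or more has been
// passed through an extra encoding layer (e.g. '&amp;amp;' -> 2).
function encodingDepth(text) {
  let depth = 0;
  let current = String(text);
  for (;;) {
    const next = decodeHtml(current);
    if (next === current) return depth;
    current = next;
    depth += 1;
  }
}

// Escaping verification: encode the raw user input, then compare it
// character-by-character with what the template actually rendered and report
// the first divergence. Any unescaped <, >, &, " or ' in the rendered output
// shows up as a mismatch.
function verifyEscaping(userInput, renderedHtml) {
  const expected = encodeHtml(userInput);
  if (renderedHtml === expected) return { ok: true };
  let i = 0;
  while (i < expected.length && i < renderedHtml.length && expected[i] === renderedHtml[i]) i += 1;
  return {
    ok: false,
    index: i,
    expected: expected.slice(i, i + 12),
    actual: renderedHtml.slice(i, i + 12),
  };
}

// Constructed sample values for a quick run.
console.log(encodeHtml('<b>Tom & Jerry\'s "show"</b>'));
console.log(decodeHtml('&amp;amp; &lt; &#60; &#x3C; &apos; &#39;'));
console.log(encodingDepth('&amp;amp;'), encodingDepth('&amp;'), encodingDepth('plain & text'));
console.log(verifyEscaping('<b>', '&lt;b>'));
```

`encodingDepth` is the programmatic form of the "Double-encoding of ampersands" check: run it on a value the application should have encoded once and anything above 1 points at a second escaping layer. `decodeHtml` treats `&apos;` and `&#39;` identically, which is the normalisation the "Named vs numeric" item relies on.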
QA USE CASES
XSS output escaping verification
Encode a known XSS payload and compare the result character-by-character against what the application actually renders — any unescaped < or > is a finding.
Test failure message decoding
Decode an entity-encoded error string from a Selenium or Playwright assertion log to read the original text that caused the mismatch.
Template output verification
Encode the expected user input, then compare against what the template renders to confirm the escaping layer covers all five HTML-significant characters.