Encode special characters to HTML entities, decode HTML back to plain text, or strip all HTML tags. Browser-based, instant, private.
| Character | Named entity | Numeric | Use case |
|---|---|---|---|
| & | & | & | Must-escape in HTML attributes and content |
| < | < | < | Must-escape to prevent tag injection |
| > | > | > | Must-escape (less critical but recommended) |
| " | " | " | Must-escape inside quoted attributes |
| ' | ' | ' | Escape inside single-quoted attributes |
| | Non-breaking space | ||
| © | © | © | Copyright symbol |
| ® | ® | ® | Registered trademark |
| ™ | ™ | ™ | Trademark |
| → | → | → | Right arrow |
<script> tags or event handlers — this is a Cross-Site Scripting (XSS) attack, one of the most common web vulnerabilities. Encoding converts < to < so the browser displays it as text rather than interpreting it as HTML. Always encode user input before inserting it into HTML. Modern frameworks like React and Vue do this automatically; raw DOM manipulation in JavaScript does not.