DevKitBase
ToolsAboutPrivacy

HTML-encode text before you drop it into markup examples

Showing `<script>` in a doc without encoding is how demos become XSS demos. Escape `< > & " '` (policy listed on page).

chars: 26
Input
Output

When to use

Blog snippets, email HTML, or teaching entities so markup doesn’t execute.

Examples

Input
<div class="x">A & B</div>
Output
&lt;div class=&quot;x&quot;&gt;A &amp; B&lt;/div&gt;
Input
<b>
Output
&lt;b&gt;

How it works

Replaces per entity map (&, <, >, quotes, etc.). Not a full sanitizer against XSS in every context.

Common pitfalls

  • Encoding ≠ sanitizing scripts in every sink.
  • Attribute vs text context rules differ.
  • Don’t mix with JSON Escape casually.

How this differs

HTML entities for markup; JSON Escape for JSON strings; URL Encode for query/path.

FAQ

Is this enough to stop XSS in my app?
Encoding helps in HTML text context; apps need contextual encoding frameworks.
Encode all Unicode?
Numeric entities optional; default common XML/HTML set.
Reverse?
HTML Decode.
Diff vs JSON escape?
Different languages/targets.

Related tools

Runs in your browser. Nothing is uploaded. Not a security product —hashes and JWT decode are for debugging, not password storage or auth advice.