HTML-encode text before you drop it into markup examples
Showing `<script>` in a doc without encoding is how demos become XSS demos. Escape `< > & " '` (policy listed on page).
chars: 26
When to use
Blog snippets, email HTML, or teaching entities so markup doesn’t execute.
Examples
How it works
Replaces per entity map (&, <, >, quotes, etc.). Not a full sanitizer against XSS in every context.
Common pitfalls
- Encoding ≠ sanitizing scripts in every sink.
- Attribute vs text context rules differ.
- Don’t mix with JSON Escape casually.
How this differs
HTML entities for markup; JSON Escape for JSON strings; URL Encode for query/path.
FAQ
Is this enough to stop XSS in my app?
Encoding helps in HTML text context; apps need contextual encoding frameworks.
Encode all Unicode?
Numeric entities optional; default common XML/HTML set.
Reverse?
HTML Decode.
Diff vs JSON escape?
Different languages/targets.
Related tools
Runs in your browser. Nothing is uploaded. Not a security product —hashes and JWT decode are for debugging, not password storage or auth advice.