WordInstant

HTML entities.

Escape < > & " ' to HTML entities, or decode named and numeric entities back to plain text. Browser-only, no upload.

§ When to escape

Markup that stays safe.

Escape user-supplied text before inserting it into HTML so tags render as characters rather than DOM nodes.

Which characters does it escape?

The five minimally required for safe HTML insertion: `&`, `<`, `>`, `"` and `'`. This is enough for the common cases of interpolating text into HTML. Other characters can be decoded from their entities but are not re-encoded, since their literal forms are safe.

Does it handle numeric entities?

Yes, on decode. Both decimal (`&#39;`) and hex (`&#x1F600;`) forms are supported, so emoji and unusual symbols decode correctly.

Is this enough to prevent XSS?

Escaping is necessary but not sufficient. Use it when inserting text into HTML, but never when building `<script>` contents, `on*` attributes, or URLs — those need context-specific encoding.
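
The escape and decode behaviour described above, as an added JavaScript example (not this tool's own code). The function names, the short named-entity table and the U+FFFD handling of invalid code points are assumptions.

```javascript
// Added example: names and the named-entity table are assumptions, not the tool's code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters for HTML text and quoted attribute values.
// One pass over the input, so an '&' produced by escaping is never escaped again.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Deliberately short table; a full decoder needs the complete HTML entity list.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0', copy: '\u00A9' };

// Turn a numeric reference into a character. NUL, surrogates and values above
// U+10FFFF are not valid characters and are replaced with U+FFFD.
function fromCodePointSafe(cp) {
  const invalid = !Number.isInteger(cp) || cp === 0 || cp > 0x10ffff ||
    (cp >= 0xd800 && cp <= 0xdfff);
  return invalid ? '\uFFFD' : String.fromCodePoint(cp);
}

// Decode decimal (&#39;), hex (&#x1F600;) and known named entities in ONE pass.
// Single-pass matters: "&amp;lt;" must become the text "&lt;", not "<".
function decodeEntities(text) {
  return String(text).replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z][a-z0-9]*));/gi,
    (match, hex, dec, name) => {
      if (hex) return fromCodePointSafe(parseInt(hex, 16));
      if (dec) return fromCodePointSafe(parseInt(dec, 10));
      // Unknown names are left untouched rather than guessed.
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
    });
}
```

Entity escaping leaves a string with none of the five characters unchanged, which is why URL, `<script>` and `on*` contexts need their own encoding.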