What HTML entity escaping is for
A browser reads <, > and & as
instructions, not as text. The moment one of those characters appears in content where the
parser expected plain text, the page can break — a tag opens that should not, an attribute
value is cut short, or, in the worst case, a script someone slipped into a comment field
actually runs. Entity escaping replaces each risky character with a safe stand-in
(an entity) that displays as the original glyph but carries no structural
meaning. This tool does that conversion both ways: encode raw text into entities, or decode
entities back into the characters they represent.
A worked example
Suppose a user types <img src=x onerror=alert(1)> into a comment box and you
drop it straight into your page. The browser sees a real image tag and fires the
onerror handler — a classic cross-site scripting (XSS) attack. Encode it first and
it becomes inert text:
&lt;img src=x onerror=alert(1)&gt;
Now the browser prints the literal angle brackets instead of building an element, and nothing executes. Paste that encoded string into the Decode tab and you get the original text back — safely, because decoding here never inserts live markup into the page.
The five characters that must be escaped
Modern UTF-8 pages render accented letters and symbols natively, so you rarely need to escape them. These five, however, are reserved and should be escaped whenever text is embedded in markup:
| Glyph | Named entity | Numeric | Why it matters |
|---|---|---|---|
| & | &amp; | &#38; | Starts every entity, so it must be escaped first. |
| < | &lt; | &#60; | Opens an HTML tag. |
| > | &gt; | &#62; | Closes an HTML tag. |
| " | &quot; | &#34; | Ends a double-quoted attribute value. |
| ' | &apos; | &#39; | Ends a single-quoted attribute value. |
Note that &apos; is valid in XML but not in legacy HTML, which is why the
numeric &#39; is the safer choice for the apostrophe.
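The encoder and decoder below are an added example written for this page, not the tool's own code; they implement the conversion the worked example and the table describe, and only for the five reserved characters (the function names `encodeHtml`, `decodeHtml` and `renderComment` are assumptions). Two details matter in practice: `&` is replaced first so the ampersands introduced by later replacements are not re-escaped, and the decoder uses a `Map` rather than a plain object so a crafted name such as `constructor` cannot reach `Object.prototype`.

```javascript
// Added example: minimal HTML entity encoder/decoder for the five reserved
// characters. Not the tool's own implementation.

// Order matters: '&' goes first, so the '&' inside "&lt;" etc. is not
// escaped a second time. The apostrophe uses the numeric form because
// "&apos;" is XML, not legacy HTML.
const ENCODE_MAP = [
  ["&", "&amp;"],
  ["<", "&lt;"],
  [">", "&gt;"],
  ['"', "&quot;"],
  ["'", "&#39;"],
];

function encodeHtml(text) {
  let out = String(text);
  for (const [ch, entity] of ENCODE_MAP) {
    out = out.split(ch).join(entity);
  }
  return out;
}

// Named entities the decoder understands. A Map is used instead of a plain
// object so that names like "constructor" or "__proto__" are not looked up
// on Object.prototype.
const NAMED = new Map([
  ["amp", "&"],
  ["lt", "<"],
  ["gt", ">"],
  ["quot", '"'],
  ["apos", "'"],
]);

const MAX_CODE_POINT = 0x10ffff;

// Decodes named, decimal (&#NN;) and hexadecimal (&#xHH;) entities in a
// single left-to-right pass. "&amp;lt;" therefore becomes "&lt;", not "<":
// the decoder never re-reads its own output.
function decodeHtml(text) {
  return String(text).replace(
    /&(?:#x([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z]+));/g,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        // Out-of-range references are left untouched rather than throwing.
        return cp > MAX_CODE_POINT ? match : String.fromCodePoint(cp);
      }
      return NAMED.has(name) ? NAMED.get(name) : match; // unknown name: keep as-is
    }
  );
}

// Embeds untrusted comment text in a paragraph and in an attribute value.
// Every reserved character is escaped, so the result contains no markup that
// came from the user.
function renderComment(userText) {
  const safe = encodeHtml(userText);
  return `<p class="comment" data-raw="${safe}">${safe}</p>`;
}

// Constructed sample input: the payload from the worked example above.
const SAMPLE = "<img src=x onerror=alert(1)>";
console.log(encodeHtml(SAMPLE));             // &lt;img src=x onerror=alert(1)&gt;
console.log(decodeHtml(encodeHtml(SAMPLE)) === SAMPLE); // true
console.log(renderComment(SAMPLE));
```

`renderComment` shows the same escaping serving both a text node and a double-quoted attribute; the table's `"` row is what keeps the `data-raw` value from being cut short. The decoder is deliberately one-pass, so double-encoded input such as `&amp;lt;` comes back as the literal text `&lt;` rather than collapsing to a bare `<`.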