HTML Encode

Convert special characters to HTML entities — prevent XSS attacks and display HTML safely in web pages.

What is HTML Encoding?

HTML encoding converts special characters that have meaning in HTML markup into their corresponding HTML entities — text representations that browsers display as the literal character rather than interpreting as HTML. This is a fundamental security and correctness practice in web development.

The five most critical characters to encode are: & (ampersand → &amp;), < (less-than → &lt;), > (greater-than → &gt;), " (double quote → &quot;), and ' (single quote → &apos; or &#39;). Without encoding these characters, user-supplied content can be interpreted as HTML markup, leading to Cross-Site Scripting (XSS) vulnerabilities.

HTML encoding is required whenever you insert dynamic text content into an HTML page — in element content, attribute values, meta tags, JavaScript strings within HTML, and JSON embedded in HTML. Modern web frameworks like React, Vue, and Angular automatically HTML-encode dynamic content, but vanilla JavaScript and older PHP code require explicit encoding.

The "encode all chars" option converts every character to its numeric HTML entity (&#XX;), which is useful for obfuscating email addresses from spam bots, encoding content for unusual contexts, or ensuring maximum ASCII-safe output.

Frequently Asked Questions

Why do I need to HTML encode user input?
Without HTML encoding, a user who enters <script>alert('XSS')</script> as their name could have that script execute in other users' browsers when their name is displayed. HTML encoding prevents this by turning the angle brackets into &lt; and &gt;, which the browser displays as literal characters rather than interpreting as HTML markup.
What's the difference between HTML encoding and URL encoding?
HTML encoding converts characters to HTML entities (&lt;, &amp;, etc.) for safe display within HTML documents. URL encoding converts characters to percent-encoded sequences (%3C, %26, etc.) for safe inclusion in URLs. Both are needed in web development, but in different contexts.
Does PHP's htmlspecialchars() do the same thing?
Yes, PHP's htmlspecialchars() encodes &, <, >, " and optionally ' — exactly what this tool does in its default mode. htmlentities() also encodes all non-ASCII characters to their HTML entity equivalents.
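The two encoding modes described above (the default five-character mode and "encode all chars"), applied to the FAQ's sample payload, as an added example in plain JavaScript; this is illustrative code, not the tool's own source, and the function names are assumptions.

```javascript
// Added example (not the tool's own source): HTML-encode text so it is
// displayed as literal characters when placed in element content or a
// quoted attribute value.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;", // numeric form is valid in both HTML4 and HTML5
};

// Default mode: replace only the five characters that carry meaning in
// HTML markup. "&" is included so output cannot be re-read as an entity.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Encode all chars" mode: every code point becomes a decimal numeric
// entity. Iterating by code point keeps an emoji as one entity rather
// than two surrogate halves.
function htmlEncodeAll(text) {
  let out = "";
  for (const ch of String(text)) out += `&#${ch.codePointAt(0)};`;
  return out;
}

// Decoder used to confirm the encoding round-trips: handles the named
// entities above plus decimal (&#NN;) and hex (&#xNN;) numeric entities.
function htmlDecode(encoded) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return String(encoded).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return named[body.toLowerCase()] ?? m; // leave unknown entities untouched
  });
}

// Constructed sample: the FAQ payload submitted as a user's display name.
const userName = "<script>alert('XSS')</script>";
console.log(htmlEncode(userName));     // safe for element content
console.log(htmlEncodeAll("<a>"));     // &#60;&#97;&#62;
// URL encoding targets a different context (URLs), so its output differs.
console.log(encodeURIComponent(userName));
```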