HTML Entity Converter
Escape special characters like <, >, & into HTML entities, or unescape entities like & back into characters.
What is the HTML Entity Converter?
Ever tried to display a `<script>` tag or special characters on a webpage, only to have them break the layout or execute as code? This tool solves that by escaping text into safe HTML entities. Paste your content, and it instantly converts it to a format like `<script>`. You can also unescape entities back to their original form. All conversions happen entirely in your browser, so your data is never sent to a server. Choose from modes like `Basic` for XSS prevention, `Named entities` for readability, or `All` for maximum compatibility. It even includes a reference table to find and copy any entity you need.
How to use
- Paste the text or HTML you want to convert into the 'Input' box.
- The converted result appears in the 'Result' box as you type.
- Select a direction: '→ Escape' to encode characters or '← Unescape' to decode entities.
- When escaping, choose a scope: 'Basic', 'Named entities', or 'All (non-ASCII)'.
- Optionally, use 'Keep Korean characters' or set the 'Number format' for numeric entities.
- Click 'Copy' to get the result, or use '⇅ Result to input' to swap the text and continue working.
HTML Entity Converter guide
How this tool is used in real work, and what to watch out for.
Escaping is the Heart of XSS Prevention
A user posts a comment that starts with a `<script>` tag. If you render this text directly into HTML, the browser reads it as code and executes it. That code could do anything, like stealing other users' session cookies. This is called a stored XSS attack.
The solution isn't glamorous: just replace `<` with `<` during output. The browser then reads it not as the start of a tag, but as the 'less than' character. It appears on the screen exactly as the user wrote it, and nothing gets executed. This is precisely what the "Basic" mode of this tool does.
- The golden rule is to escape on output, not filter on input. Input filters have a long history of being bypassed, but output escaping is foolproof.
- Template engines like EJS (`<%= %>`), React (`{...}`), and Vue (`{{...}}`) escape by default. Conversely, syntax like `<%- %>`, `dangerouslySetInnerHTML`, `v-html`, and `innerHTML` is for turning escaping *off*. The moment user input enters one of those, you have a security incident waiting to happen.
- This tool is for manually generating values to test in your code or for inspecting already-escaped strings. Your actual defense should be left to your template engine to handle automatically.
The Right Escaping Depends on the Context
The saying "HTML escape it and you're safe" is only half true. The same value carries different risks depending on whether it's placed between tags, inside an attribute value, or within a script.
| Context | Required Action | The Risk |
|---|---|---|
| Between tags (body text) | HTML escape (this tool's "Basic" mode) | Tags are executed |
| In an attribute (e.g., `title="..."`) | HTML escape + always wrap value in quotes | An attacker can close the quote and inject new attributes like `onerror` |
| Inside a `<script>` tag | JSON serialization. HTML escaping will break the code. | Code injection via string escaping |
| In a URL (e.g., `href="..."`) | URL encode + block `javascript:` scheme | A `javascript:...` URL can be executed |
| In a CSS value | Use a dedicated CSS escaper (don't write your own) | CSS-based exploits |
The ` ` Trap: The Invisible Space
` ` (non-breaking space) is a space character that prevents line breaks. It was designed for keeping things together, like "ACME Inc.", but in practice, it usually sneaks in for other reasons—most often when copying text from Microsoft Word, Google Docs, or a WYSIWYG editor.
Why is this a problem? Because on screen, it looks just like a regular space, but to your code, it's a completely different character: U+00A0.
- Search breaks. If "ice cream" is saved in your database with an ` `, searching for "ice cream" with a regular space will return no results. Users will report that search is broken for items they know exist.
- `trim()` fails. Depending on the language, the standard `trim()` function might not include U+00A0 in its list of whitespace characters, failing to remove it. The behavior of regex whitespace classes (`\s`) also varies by environment.
- Number parsing fails. If you copy "1 000" from a spreadsheet and the space is an ` `, converting it to a number will fail.
Why Is 'Keep Korean Characters' the Default?
The "Keep Korean characters" checkbox is enabled by default. That's because the modern web is almost entirely UTF-8, so there's little reason to convert Korean characters into numeric references like `가`. Doing so just increases the data size (a single character becomes 8+ bytes) and makes the source code unreadable, which harms maintainability. Still, the "All" mode and this checkbox exist as an option because some environments still require it.
- When you need to insert an HTML snippet into an old system where you can't control the `charset`.
- When you need to reliably display Korean on a screen with a fixed encoding like EUC-KR, such as a legacy email-sending system or an old SMS admin panel.
- When you're exchanging XML or RSS feeds that might not have an encoding declaration.
What to Watch Out for When Unescaping
Unescaping is the reverse of escaping, but the process isn't perfectly symmetrical. This is where mistakes are often made.
- Double Escaping. Unescaping `&lt;` once gives you `<`. You have to unescape it a second time to get `<`. If you see `<` rendered literally on your page, it means something in your pipeline has been escaped twice.
- Missing Semicolons. If an entity is missing its closing semicolon, like ` `, this tool will not convert it and will instead report that "N unknown entities were left as-is". While browsers are lenient and may interpret some of these, you should never rely on that leniency.
- Never put an unescaped value directly into `innerHTML`. An unescaped string is once again potentially dangerous HTML. The purpose of unescaping is to 'view the original text of a stored value,' not to prepare it for output.
Frequently asked questions
Which characters get converted?
'Basic' mode escapes the 5 essential HTML characters: & < > " '. 'Named entities' also converts symbols like © to `©`. Unescaping restores named, decimal, and hex entities.
Is the data I enter processed securely?
Yes, absolutely. This tool runs entirely in your web browser. Nothing you type is sent to a server, making it safe to use with sensitive code or private information.
When should I use HTML escaping?
Mainly for security, to sanitize user input and prevent XSS attacks before displaying it on a page. It's also used to show code snippets, like `<div>`, as literal text.
How do I use the 'Commonly used entities reference'?
It’s a quick lookup table. Search by character (©), name (nbsp), or description (arrow). Click any item to instantly copy its named entity (e.g., ` `) to your clipboard.