Free HTML Entity Encoder & Decoder
Escape special characters to HTML entities, or decode &-style entities back to readable text.
Frequently asked
Which characters must be escaped in HTML?
At minimum & < > in content, plus " and ' inside attributes. Escaping user input this way is the core defense against reflected and stored XSS: the browser renders the text instead of parsing it as markup.
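The escaping rule above, as an added JavaScript example (not this tool's own code; `encodeHtml`, `decodeHtml` and the sample string are assumptions made for illustration). Both directions run in a single pass, so an already-encoded `&lt;` is encoded to `&amp;lt;` and decodes back to `&lt;` rather than collapsing to `<`:

```javascript
// Added example: single-pass HTML entity encoder and decoder.
const ENCODE = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'],   // needed in element content
  ['"', '&quot;'], ["'", '&#39;'],                // needed inside quoted attributes
]);
const NAMED = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
]);

// One regex pass: the '&' of an entity we just emitted is never escaped again.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE.get(ch));
}

// One regex pass: each entity is decoded exactly once, so "&amp;lt;" -> "&lt;".
// Unknown names and invalid code points are left untouched instead of guessed at.
function decodeHtml(text) {
  const entity = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g;
  return String(text).replace(entity, (match, body) => {
    if (body[0] !== '#') {
      return NAMED.has(body) ? NAMED.get(body) : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    const isSurrogate = code >= 0xd800 && code <= 0xdfff;
    const valid = code > 0 && code <= 0x10ffff && !isSurrogate;
    return valid ? String.fromCodePoint(code) : match;
  });
}

// Constructed sample input: markup-looking text as a user might submit it.
const SAMPLE = `<a title="x">Tom & Jerry's</a>`;

function demo() {
  const encoded = encodeHtml(SAMPLE);
  return { encoded, roundTrip: decodeHtml(encoded) };
}

console.log(demo());
```

This covers HTML element content and quoted attribute values only; text placed inside a script block, a URL or an unquoted attribute needs the encoding for that context instead.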
Does escaping replace the need for a CSP?
No, they're layers. Output escaping prevents most XSS at the source, and a Content-Security-Policy limits the damage if something slips through. Ship both; SimplyScan checks both.