Embedding user content in HTML without escaping it is one of the most common ways a site gets popped. The ChrysoKit HTML Entity Encoder gives you safe, paste-ready output in either direction.
Why use it
Manual entity escaping is painful and easy to get wrong. A dedicated tool makes the round-trip obvious and mistake-free.
How to use the HTML Entity Encoder
- Pick encode or decode.
- Paste your text or HTML.
- Choose between named, numeric or hex entities.
- Copy the safe output and paste it where it belongs.
Features worth knowing
Named, numeric, hex
Output entities as &amp;amp;, &amp;#38; or &amp;#x26; depending on what your toolchain expects.
Round-trip safe
Encode then decode and the original text is preserved exactly.
Selective encoding
Optionally encode only the unsafe characters and leave the rest readable.
Pro tips
- Inside HTML attributes, encode quotes too. Otherwise an attacker can break out of the attribute.
- Named entities (&amp;amp;) are the most readable, but numeric entities work in every context.
- Encoding is not a substitute for templating frameworks that escape output by default. Use both.
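The features and tips above (three output styles, selective encoding, exact round-trip, quotes encoded for attributes) can be sketched in a few lines of JavaScript. This is an added example, not ChrysoKit's code; the names `encodeEntities`, `decodeEntities`, `titleAttribute` and the sample string are assumptions made for illustration.

```javascript
// Added example: all names here are hypothetical, not the tool's own API.
// The five characters that are unsafe in HTML text and in quoted attributes.
const NAMED = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// A Map avoids inherited keys such as "constructor" being treated as entity names.
const NAMED_REVERSE = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);

// Encode one character in the requested style: 'named', 'numeric' or 'hex'.
function encodeChar(ch, style) {
  const cp = ch.codePointAt(0);
  if (style === 'named' && NAMED[ch]) return NAMED[ch];
  if (style === 'hex') return '&#x' + cp.toString(16).toUpperCase() + ';';
  return '&#' + cp + ';'; // numeric, and the fallback for characters with no name here
}

// selective=true encodes only & < > " ' ; false also encodes every non-ASCII code point.
function encodeEntities(text, { style = 'named', selective = true } = {}) {
  const pattern = selective ? /[&<>"']/g : /[&<>"']|[^\x00-\x7F]/gu;
  return text.replace(pattern, (ch) => encodeChar(ch, style));
}

// Decode in a single pass so "&amp;lt;" becomes "&lt;" and is not decoded twice.
// Unknown names and out-of-range code points are left untouched.
function decodeEntities(text) {
  return text.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] !== '#') return NAMED_REVERSE.get(body) ?? match;
    const isHex = body[1] === 'x' || body[1] === 'X';
    const cp = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return cp <= 0x10FFFF ? String.fromCodePoint(cp) : match;
  });
}

// Constructed sample: a value destined for a double-quoted attribute.
const SAMPLE = `Tom & "Jerry" <b>it's</b> café`;

// Because both quote characters are encoded, the value cannot close the attribute.
function titleAttribute(value) {
  return `<span title="${encodeEntities(value)}">`;
}
```
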
Privacy first. The HTML Entity Encoder runs entirely in your browser. Nothing you enter is sent to a server.
When in doubt, encode. The HTML Entity Encoder is the one-step tool that makes 'safe by default' easy.
Open the tool: HTML Entity Encoder →