UtilToolkits · 2025-12-20
TL;DR — The HTML Entity Encoder converts any character to its named or numeric HTML entity (and back). For generic source-code escaping use the String Escaper; for cleaning up pasted text that already contains entities, the Text Cleaner.
HTML reserves a handful of characters for syntax: < and > start and end tags, & starts an entity, " and ' wrap attribute values. To display any of those as literal content, you replace them with their entity form. The browser decodes back to the original character at render time.
| Character | Named entity | Numeric |
|---|---|---|
| `<` | `&lt;` | `&#60;` |
| `>` | `&gt;` | `&#62;` |
| `&` | `&amp;` | `&#38;` |
| `"` | `&quot;` | `&#34;` |
| `'` | `&apos;` | `&#39;` |
- `&copy;` → ©
- `&reg;` → ®
- `&trade;` → ™
- `&mdash;` → —
- `&ndash;` → –
- `&hellip;` → …
- `&nbsp;` → non-breaking space
- `&times;` → ×
- `&rarr;` → →

HTML-encoding user-supplied text before inserting it into a page is the primary defense against cross-site scripting (XSS). A user comment containing `<script>alert(1)</script>` rendered raw runs the script; rendered after entity-encoding it appears as harmless text. Modern frameworks (React, Vue, Svelte) auto-escape, but if you're ever inserting raw HTML (`dangerouslySetInnerHTML`), entity-encode first.
Named (e.g. `&copy;`) is more readable. Numeric (e.g. `&#169;`) works in XML and older parsers too. Both render identically in HTML5.
No — modern HTML5 with UTF-8 handles most characters directly. Only the reserved ones (< > & ") must be encoded. Entity-encode others only when your output context forces ASCII.
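The encode/decode round trip described above, as an added JavaScript example (not the tool's own code; `encodeHtml`, `decodeHtml` and the entity subset are assumptions made here). It encodes the five reserved characters from the table in named or numeric form, optionally forces ASCII output, and decodes in a single pass so that `&amp;lt;` comes back as the text `&lt;` rather than `<`. It covers element text and quoted attribute values only, not script, URL or CSS contexts.

```javascript
// Added example: hypothetical helper names, not the Encoder tool's implementation.
const RESERVED = { '<': 'lt', '>': 'gt', '&': 'amp', '"': 'quot', "'": 'apos' };

// Decode table: only the named entities mentioned on this page.
const NAMED = new Map(Object.entries({
  lt: '<', gt: '>', amp: '&', quot: '"', apos: "'",
  copy: '©', reg: '®', trade: '™', mdash: '—', ndash: '–',
  hellip: '…', nbsp: '\u00A0', times: '×', rarr: '→',
}));

// Encode text for insertion into HTML element content or a quoted attribute.
//   numeric:   emit &#NN; instead of named entities for the reserved characters
//   asciiOnly: also emit numeric references for every non-ASCII code point
function encodeHtml(text, { numeric = false, asciiOnly = false } = {}) {
  let out = '';
  for (const ch of String(text)) {        // iterates by code point, so emoji stay whole
    const cp = ch.codePointAt(0);
    if (RESERVED[ch] !== undefined) {
      out += numeric ? `&#${cp};` : `&${RESERVED[ch]};`;
    } else if (asciiOnly && cp > 0x7e) {
      out += `&#${cp};`;
    } else {
      out += ch;
    }
  }
  return out;
}

// Decode named, decimal and hex references in ONE pass. Decoding repeatedly
// would turn "&amp;lt;" into "<" and undo the escaping of already-escaped text.
function decodeHtml(text) {
  const ref = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;
  return String(text).replace(ref, (whole, body) => {
    if (body[0] === '#') {
      const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16)
                                   : parseInt(body.slice(1), 10);
      const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
      return valid ? String.fromCodePoint(cp) : whole;  // keep invalid refs as text
    }
    return NAMED.has(body) ? NAMED.get(body) : whole;   // unknown names stay as text
  });
}
```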
`&nbsp;` showing up everywhere in my text?

Word processors and CMS exports insert non-breaking spaces between words. They prevent line wrapping but break searches and CSV imports. Run pasted text through the Text Cleaner to normalize.