Example
Input (encode mode)
<script>alert("yutils")</script>Output
<script>alert("yutils")</script>
Note
The five dangerous characters `<`, `>`, `"`, `'`, `&` become entities — required when injecting user input into HTML.
Usage / FAQ
When to use
- Safely embed user input into HTML to prevent XSS (prefer framework escapes when available)
- Decode named entities like `&` or `<` back to characters
- Interpret entities in email or CMS-exported HTML
- Flatten external RSS / Atom feed content to plain text
- Look up entity codes for special characters (©, ∞, …)
FAQ
- Q.Does it support every entity?
- A.Yes — 1000+ HTML5 named entities and numeric forms (`A`, `A`). Legacy variants like Microsoft's `'` are handled for compatibility.
- Q.Does this fully prevent XSS?
- A.It escapes the five risky characters. That covers many cases, but attribute / URL / script contexts need their own rules. For production code, prefer DOMPurify or framework-provided escapes.
- Q.Are Korean characters left alone?
- A.Yes — Korean text and emoji are not entity-escaped. In HTML5 + UTF-8 that's standard.
Fun facts
There are 5 predefined entities you must escape inside HTML — `&`, `<`, `>`, `"`, `'`. Among these, `'` was officially defined starting with XHTML — it didn't exist in plain HTML 4, and only entered the standard with HTML5.
WHATWG — Named charactersThe number of named HTML entities exploded over time — 33 in HTML 2.0 (1995) → 252 in HTML 4.01 → 2,231 in HTML5 (including emoji and math symbols). HTML5's entity table is effectively un-deprecatable: removing entries would break legacy pages.
Wikipedia — HTML entitiesNumeric character references come in two forms — `©` (decimal = ©) and `©` (hex). They embed any Unicode code point directly, so every Unicode character is reachable even without a named entity — including emoji via `😀`.
MDN — Character reference
Related guides
- How UTF-8 Encodes Text
Why a Korean character takes 3 bytes, what a Unicode codepoint is, how UTF-8's variable-length scheme stays ASCII-compatible, the BOM, surrogate pairs, and the bugs that come from byte-vs-character confusion.
- How HTML Parsing Works
The HTML5 parser is famously forgiving — it recovers from missing tags, lets <br/> and <br> coexist, and never throws on malformed input. Here's the state machine behind that magic, why void elements exist, and how XML strictness compares.
- How XSS Actually Works
Reflected vs stored vs DOM-based XSS, why innerHTML is the dragon, why escaping the wrong context fails (HTML attribute vs URL vs JS), DOMPurify, Trusted Types, and the actual CSP rules that block the most attacks.
Related tools
- Base64 Encode / Decode
Encode text to Base64 or decode Base64 back to text. Runs entirely in your browser, no data sent to any server.
- URL Encode / Decode
Percent-encode text for safe use in URLs, or decode percent-encoded URLs back to text. Runs entirely in your browser.
- UUID / ULID Generator
Generate UUID v4 (random), UUID v7 (time-ordered, RFC 9562), or ULID identifiers — all client-side via crypto.
- JWT Decoder
Decode the header and payload of a JSON Web Token. Signature is not verified (a public key is required). The token is processed entirely in your browser.
- JWT Encoder (HMAC)
Generate a signed JSON Web Token with HS256/HS384/HS512 (HMAC-SHA). Payload and secret stay in your browser — Web Crypto API based.
- SHA Hash
Compute SHA-1, SHA-256, SHA-384, or SHA-512 hash of text. Uses the browser's Web Crypto API; no data is sent to any server.
- Hex Encode / Decode
Encode text to hexadecimal or decode hex back to text. Supports UTF-8 multi-byte characters and tolerates whitespace.
- Password Generator
Generate cryptographically strong passwords, tokens, random strings, and passphrases with entropy display.
- Number Base Converter
Convert numbers between bases (binary/octal/decimal/hex/base36) using BigInt for large integers. Auto-detects 0b/0o/0x prefixes.
- URL Parser
Decompose a URL into protocol, host, path, query parameters, and hash — read-only inspection.
- HMAC Generator
Compute HMAC (Hash-based Message Authentication Code) with SHA-1/256/384/512 using the Web Crypto API.
- HMAC Verify
Verify whether a given HMAC signature matches the message + secret. Constant-time comparison via Web Crypto API.
- MD5 Hash
Compute MD5 hash for text. Note: MD5 is broken for security — checksums and legacy compatibility only.
- Punycode (IDN)
Convert international domain names to/from Punycode (xn-- encoded ASCII). Uses native URL parser.
- HTTP Status Codes
Browse and search HTTP status codes (1xx-5xx) with descriptions and common usage.
- User-Agent Parser
Parse User-Agent strings into browser, OS, device, and engine fields.
- Bcrypt Hash
Hash passwords with Bcrypt or verify a plaintext against an existing hash. Configurable salt rounds.
- Cookie Parser
Parse Cookie or Set-Cookie strings into a table. Decode percent-encoded values. Supports Set-Cookie attributes (Path/Domain/Max-Age/SameSite/HttpOnly/Secure).
- IP / CIDR Calculator
Compute network address, broadcast, host range, mask, and host count from an IPv4 + CIDR.
- cURL Builder
Build cURL commands from URL/method/headers/body. Auto-detects JSON content-type.