Example
Input (encode mode)
<script>alert("yutils")</script>Output
<script>alert("yutils")</script>
Note
The five dangerous characters `<`, `>`, `"`, `'`, `&` become entities — required when injecting user input into HTML.
Usage / FAQ
When to use
- Safely embed user input into HTML to prevent XSS (prefer framework escapes when available)
- Decode named entities like `&` or `<` back to characters
- Interpret entities in email or CMS-exported HTML
- Flatten external RSS / Atom feed content to plain text
- Look up entity codes for special characters (©, ∞, …)
FAQ
- Q.Does it support every entity?
- A.Yes — 1000+ HTML5 named entities and numeric forms (`A`, `A`). Legacy variants like Microsoft's `'` are handled for compatibility.
- Q.Does this fully prevent XSS?
- A.It escapes the five risky characters. That covers many cases, but attribute / URL / script contexts need their own rules. For production code, prefer DOMPurify or framework-provided escapes.
- Q.Are Korean characters left alone?
- A.Yes — Korean text and emoji are not entity-escaped. In HTML5 + UTF-8 that's standard.
Fun facts
There are 5 predefined entities you must escape inside HTML — `&`, `<`, `>`, `"`, `'`. Among these, `'` was officially defined starting with XHTML — it didn't exist in plain HTML 4, and only entered the standard with HTML5.
WHATWG — Named charactersThe number of named HTML entities exploded over time — 33 in HTML 2.0 (1995) → 252 in HTML 4.01 → 2,231 in HTML5 (including emoji and math symbols). HTML5's entity table is effectively un-deprecatable: removing entries would break legacy pages.
Wikipedia — HTML entitiesNumeric character references come in two forms — `©` (decimal = ©) and `©` (hex). They embed any Unicode code point directly, so every Unicode character is reachable even without a named entity — including emoji via `😀`.
MDN — Character reference
Related tools
- Base64 Encode / Decode
Encode text to Base64 or decode Base64 back to text. Runs entirely in your browser, no data sent to any server.
- URL Encode / Decode
Percent-encode text for safe use in URLs, or decode percent-encoded URLs back to text. Runs entirely in your browser.
- UUID / ULID Generator
Generate UUID v4 (random), UUID v7 (time-ordered, RFC 9562), or ULID identifiers — all client-side via crypto.
- JWT Decoder
Decode the header and payload of a JSON Web Token. Signature is not verified (a public key is required). The token is processed entirely in your browser.
- JWT Encoder (HMAC)
Generate a signed JSON Web Token with HS256/HS384/HS512 (HMAC-SHA). Payload and secret stay in your browser — Web Crypto API based.
- SHA Hash
Compute SHA-1, SHA-256, SHA-384, or SHA-512 hash of text. Uses the browser's Web Crypto API; no data is sent to any server.
- Hex Encode / Decode
Encode text to hexadecimal or decode hex back to text. Supports UTF-8 multi-byte characters and tolerates whitespace.
- Password Generator
Generate cryptographically strong passwords, tokens, random strings, and passphrases with entropy display.
- Number Base Converter
Convert numbers between bases (binary/octal/decimal/hex/base36) using BigInt for large integers. Auto-detects 0b/0o/0x prefixes.
- URL Parser
Decompose a URL into protocol, host, path, query parameters, and hash — read-only inspection.
- HMAC Generator
Compute HMAC (Hash-based Message Authentication Code) with SHA-1/256/384/512 using the Web Crypto API.
- HMAC Verify
Verify whether a given HMAC signature matches the message + secret. Constant-time comparison via Web Crypto API.
- MD5 Hash
Compute MD5 hash for text. Note: MD5 is broken for security — checksums and legacy compatibility only.
- Punycode (IDN)
Convert international domain names to/from Punycode (xn-- encoded ASCII). Uses native URL parser.
- HTTP Status Codes
Browse and search HTTP status codes (1xx-5xx) with descriptions and common usage.
- User-Agent Parser
Parse User-Agent strings into browser, OS, device, and engine fields.
- Bcrypt Hash
Hash passwords with Bcrypt or verify a plaintext against an existing hash. Configurable salt rounds.
- Cookie Parser
Parse Cookie or Set-Cookie strings into a table. Decode percent-encoded values. Supports Set-Cookie attributes (Path/Domain/Max-Age/SameSite/HttpOnly/Secure).
- IP / CIDR Calculator
Compute network address, broadcast, host range, mask, and host count from an IPv4 + CIDR.
- cURL Builder
Build cURL commands from URL/method/headers/body. Auto-detects JSON content-type.