Are named entities like `©` supported?

Yes. All HTML5 named entities are handled, plus decimal and hex numeric references.

Is encoding alone enough to prevent XSS?

It is necessary but not sufficient. Context matters — attribute values, URLs, and JavaScript strings need their own escaping rules.

HTML Entity Encode / Decode

Encode special characters like `<`, `>`, `&`, and `"` into HTML entities, or decode entities back to their original characters. Named and numeric entities are both supported.

Runs locally in your browser

Plain text

0 chars · 1 line

Encoded HTML

Output will appear here…

Entity style

Encode every non-ASCII character

URL Encode / Decode

Percent-encode URLs and query parameters, and decode them.

String Escape / Unescape

Escape strings for JSON, HTML, URL, JavaScript, or SQL.

Unicode Escape / Unescape

Convert characters to `\uXXXX` escape sequences and back.

About HTML Entity Encode / Decode

Encode special characters like `<`, `>`, `&`, and `"` into HTML entities, or decode entities back to their original characters. Named and numeric entities are both supported.

HTML Entity Encode / Decode is part of FizzKit — a collection of focused, browser-based tools. Because everything runs locally, it works offline once loaded and never exposes your data to a remote server.

Frequently asked questions

Whenever user input is rendered into HTML. Encoding prevents XSS by neutralizing `<script>` tags and attribute-break attacks.

Related tools