inyourbrowser.com

HTML escape

Escape HTML special characters to make text safe for use inside HTML. This is the same operation as HTML encoding: characters like <, >, &, and " are replaced with their entity equivalents so they display correctly in browsers.

COMMON ENTITIES

Character    Entity
&            &amp;
<            &lt;
>            &gt;
"            &quot;
'            &#39;
©            &copy;
®            &reg;
™            &trade;
€            &euro;
·            &nbsp;
—            &mdash;
…            &hellip;

How it works

Encoding uses a lookup map to replace characters like <, >, and & with their named HTML entities. Decoding uses the browser's built-in DOMParser to reverse the process. Both run entirely in your browser. No server required.

Processing runs in your browser

All encoding and decoding happens locally in your browser tab. Our servers are not involved at any point.

Related operations

For percent-encoding URL components, try URL encode. To encode binary blobs or images as text, use Base64. For previewing escaped markup, see the Markdown preview.

Frequently asked questions

What is the difference between HTML escaping and HTML encoding?

They are the same operation. Both terms refer to replacing special HTML characters with their entity equivalents to prevent them from being interpreted as markup. 'Escaping' is the term more commonly used in a security context.

When do I need to escape HTML?

Any time you insert dynamic content into an HTML document, whether it comes from a database, user input, or an API response. Modern templating systems and frameworks auto-escape by default, but understanding manual escaping is still important.

Does escaping prevent all XSS attacks?

HTML escaping prevents injection into HTML text contexts. For other contexts (JavaScript, CSS, URLs, HTML attributes without quotes) different escaping rules apply. Always use context-appropriate escaping.
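
An added example, not the tool's own code: the lookup-map encoding described under "How it works", next to two helpers that show why attribute and URL contexts need their own rules. The function names, the sample values and the example.invalid base URL are assumptions made for illustration.

```javascript
// Added example; names are hypothetical, not the tool's own code.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text context: replace each special character through the lookup map.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Attribute context: always emit quotes, because whitespace ends an unquoted
// value and is not touched by entity escaping. Event-handler and style
// attributes are script/CSS contexts, so this data-only helper rejects them.
function quotedAttr(name, value) {
  if (!/^[a-z][a-z0-9-]*$/i.test(name) || /^(on|style$)/i.test(name)) {
    throw new Error('attribute not allowed: ' + name);
  }
  return `${name}="${escapeHtml(value)}"`;
}

// URL context: entity escaping leaves the scheme intact, so parse the value
// and allow only http(s) before escaping it for the attribute.
// The base URL is a placeholder used to resolve relative links.
function safeHref(raw, base = 'https://example.invalid/') {
  let url;
  try { url = new URL(String(raw), base); } catch { return '#'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '#';
  return escapeHtml(url.href);
}

// Constructed sample values, run through each context.
function demo() {
  const input = 'blue data-injected=1';
  return {
    text: escapeHtml('<b>"Tom" & \'Jerry\'</b>'),
    unquoted: `<p class=${escapeHtml(input)}>`, // parses as two attributes
    quoted: `<p ${quotedAttr('class', input)}>`, // stays one attribute value
    badUrl: safeHref('javascript:void(0)'),
    goodUrl: safeHref('/search?q=a&b=c'),
  };
}

console.log(demo());
```

The `unquoted` result is unchanged by escaping, which is why the quoting, not the entity map, is what keeps the value inside a single attribute.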
