HTML Entity Encoder / Decoder

Encode or decode HTML special characters in the browser, with a quick-reference table of common entities.


HTML Entity Encoder / Decoder

Encode special characters to HTML entities or decode entities back to readable text. Runs entirely in your browser.

Quick Reference — Common HTML Entities

Character              Entity
<                      &lt;
>                      &gt;
&                      &amp;
"                      &quot;
'                      &#39;
/                      &#x2F;
©                      &copy;
®                      &reg;
™                      &trade;
€                      &euro;
(non-breaking space)   &nbsp;
(em dash)              &mdash;

Problems this tool solves

How do I display HTML code as text on a webpage?

Encode the HTML code with this tool, then wrap the output in a <pre> or <code> element. The &lt; and &gt; entities will render as visible angle brackets instead of being interpreted as tags by the browser.

Does encoding HTML entities prevent XSS?

Encoding user input before inserting it into HTML is one of the primary defenses against reflected and stored XSS. By converting < to &lt; and > to &gt;, any injected script tags become inert text. However, context matters — encoding for HTML is different from encoding for JavaScript strings or URL parameters.

Why does & in a URL break HTML validation?

HTML parsers treat & as the start of an entity reference. An unencoded & in an href attribute like href="a?x=1&y=2" is technically invalid HTML. Encode it as href="a?x=1&amp;y=2" to make the markup valid. Modern browsers handle both, but validators and strict parsers require encoding.

How do I read HTML entity-encoded content from an email or API response?

Switch to Decode mode and paste the encoded string. The tool uses the browser's native HTML parser to resolve all entities — named, decimal, and hexadecimal — back to their original characters. This is faster and more accurate than manual entity lookup.

How do I add a non-breaking space in HTML?

Use the &nbsp; entity (non-breaking space). It prevents the browser from wrapping text at that position and is invisible in the page but counts as a space character. Copy it directly from the Quick Reference table in this tool.

What is the HTML Entity Encoder / Decoder?

The HTML Entity Encoder/Decoder converts special characters into their HTML entity equivalents (encoding) or reverses the process (decoding). Encoding is essential for safely displaying user-generated content in HTML, preventing XSS attacks, and embedding special characters in HTML attributes. Decoding is useful when you receive escaped HTML and need to read or process the raw text.

The tool includes a quick-reference table of the most commonly needed entities — &lt;, &gt;, &amp;, &quot;, &copy;, &nbsp;, and more — so you don't have to memorize them. Switch between encode and decode modes with one click, or use "Swap & Flip" to chain the output back into the input for round-trip testing.

How to use the HTML Entity Encoder / Decoder

1. Choose "Encode" or "Decode" mode from the toggle.

2. Paste your text into the left panel. The result appears in the right panel immediately.

3. Click "Swap & Flip" to send the result back to the input and switch modes — useful for round-trip verification.

4. Click "Copy Result" to copy the output.

5. Click "Load Example" to prefill a sample appropriate for the current mode.

6. Use the Quick Reference table at the bottom to look up common entities.

Usage example

Encode mode input:
<div class="greeting">Hello "World" & <Friends></div>

Encoded output:
&lt;div class=&quot;greeting&quot;&gt;Hello &quot;World&quot; &amp; &lt;Friends&gt;&lt;/div&gt;

Decode mode — paste the encoded version back to recover the original HTML.

Common use cases

1. XSS prevention: Encode user input before inserting it into HTML to prevent injection attacks.

2. HTML template authoring: Encode special characters in CMS content or email templates that don't support raw HTML.

3. API response inspection: Decode entity-encoded strings in API responses or XML feeds to read the actual content.

4. Email HTML: Encode special characters that mail clients may misinterpret as HTML tags.

5. Documentation writing: Encode code snippets containing angle brackets for display in HTML documentation.

Frequently asked questions

What characters get encoded?

The encoder converts the six most dangerous characters for XSS and HTML injection: < (&lt;), > (&gt;), & (&amp;), " (&quot;), ' (&#39;), and / (&#x2F;). These cover the primary attack vectors for injecting HTML or JavaScript.
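
The six-character mapping listed above, combined with the point from the XSS answer that HTML, URL and JavaScript-string contexts each need their own encoder, as an added example (not the tool's own source code). The function names and the sample string are assumptions constructed for illustration.

```javascript
// Added example, not the tool's source. All names here are hypothetical.
// The six characters the FAQ says the encoder converts.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "/": "&#x2F;",
};

// Context 1: HTML element content and quoted attribute values.
// A single pass over the input, so "&" is never encoded twice.
function encodeHtml(text) {
  return String(text).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Context 2: a value placed in a URL query component (percent-encoding).
// Note that encodeURIComponent leaves "'" untouched.
function encodeUrlComponent(text) {
  return encodeURIComponent(String(text));
}

// Context 3: a value embedded as a JavaScript string literal in <script>.
// JSON.stringify escapes quotes and backslashes; the extra replace escapes
// characters that could close the script element, plus U+2028/U+2029,
// which older engines treat as line terminators inside string literals.
function encodeJsString(text) {
  return JSON.stringify(String(text)).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// One fragment, three contexts: the query value is percent-encoded first,
// then HTML-encoded because it sits inside an HTML attribute.
function renderProfile(name) {
  const href = "/search?q=" + encodeHtml(encodeUrlComponent(name));
  return [
    `<a href="${href}">${encodeHtml(name)}</a>`,
    `<script>const userName = ${encodeJsString(name)};</script>`,
  ].join("\n");
}

// Constructed sample input containing every character the map covers.
const sample = `Tom & "Jerry" </b> it's`;
console.log(encodeHtml(sample));
console.log(encodeUrlComponent(sample));
console.log(encodeJsString(sample));
console.log(renderProfile(sample));
```

The same input yields three different encodings; using the HTML form inside the script block or the query string would either corrupt the value or leave it unprotected for that context.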

Is this the same as URL encoding?

No. HTML entity encoding is specific to HTML documents and replaces characters with &name; or &#number; sequences. URL encoding (percent-encoding) is for URL components and replaces characters with %XX sequences. Use the URL Encode tool for URL contexts.

Does it handle &copy;, &nbsp;, and other named entities?

The decode mode handles all standard HTML named entities including &copy;, &reg;, &trade;, &nbsp;, &mdash;, and all numeric entities. The encode mode focuses on the characters that pose security risks.

Can I use this for XML entity encoding too?

The characters encoded (&lt; &gt; &amp; &quot;) are valid XML entities as well, since XML is a superset of these escape rules. However, XML does not support named entities like &copy; — use numeric entities (&#169;) for those in XML.