HTML Entities
Escape HTML special characters as entities (& < > "), or decode entities to plain text.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What are HTML entities?
HTML entities are text representations of characters that have special meaning in HTML. For example < represents <, & represents &, and " represents a double quote. They prevent the browser from interpreting the characters as HTML markup.
Why is HTML escaping important for security?
Inserting user-supplied text into HTML without escaping creates Cross-Site Scripting (XSS) vulnerabilities. An attacker can inject <script> tags that run arbitrary JavaScript in other users' browsers. HTML escaping is the primary defence: always escape untrusted data before rendering it in HTML templates.
Which characters get escaped?
The five critical characters: < → <, > → >, & → &, " → ", and ' → '. Most templating engines (Jinja2, Django, React JSX) do this automatically — manual escaping is only needed when bypassing the auto-escape.