
HTML Entity Encode / Decode

Escape text into HTML entities, or decode entities back to plain text.


Runs in your browser. Your input is not uploaded to PayloadIQ.

HTML entities let you put characters that are special to HTML (&, <, >, and the double and single quote) into markup as literal text instead of having the browser treat them as tags or attribute boundaries. Encoding escapes those five characters; decoding reverses the named entities and also resolves numeric forms like &#39; and &#x2F; back to their code points.

One caveat: this is escaping, not sanitisation. Encoding text before you drop it into a page prevents that text from being parsed as HTML, but it is not a substitute for a real sanitiser when you are accepting rich markup. Decoding here is done with explicit maps and String.fromCodePoint — never innerHTML — so pasting hostile markup can never execute.
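The map-based approach described above, as an added example (not PayloadIQ's own code). The function names, the choice of named entities to decode, and the use of U+FFFD for invalid code points are assumptions of this sketch.

```javascript
// Added example: entity encode/decode with explicit maps, no DOM parsing.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Named entities this sketch decodes (assumption: the five escapes plus &apos;).
const DECODE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function encodeEntities(text) {
  // Single pass, so the '&' of an entity just emitted is never re-escaped.
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

function codePointToString(cp) {
  // Reject NUL, lone surrogates and values beyond U+10FFFF; String.fromCodePoint
  // would throw a RangeError on out-of-range input.
  const valid = Number.isInteger(cp) && cp > 0 && cp <= 0x10ffff &&
    !(cp >= 0xd800 && cp <= 0xdfff);
  return valid ? String.fromCodePoint(cp) : '\uFFFD';
}

function decodeEntities(text) {
  // One pass over the input: "&amp;lt;" decodes to "&lt;", never on to "<".
  return String(text).replace(
    /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g,
    (match, hex, dec, name) => {
      if (hex !== undefined) return codePointToString(parseInt(hex, 16));
      if (dec !== undefined) return codePointToString(parseInt(dec, 10));
      // Own-property check so names like "constructor" do not hit the
      // prototype chain; unknown names are left untouched.
      return Object.prototype.hasOwnProperty.call(DECODE_MAP, name)
        ? DECODE_MAP[name] : match;
    }
  );
}

// Constructed sample input: the markup is only ever handled as a string.
const sample = `<img src=x onerror="alert('1')"> & more`;
const encoded = encodeEntities(sample);
console.log(encoded);
console.log(decodeEntities(encoded) === sample); // round trip
console.log(decodeEntities('&#39;&#x2F;&bogus;&#x110000;'));
```

The output of `encodeEntities` is safe for HTML text and quoted attribute values only; it does not make a string safe inside a script block, a URL, or CSS.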
