Which characters get escaped?

Five "must-escape" characters: & " and '. These are the minimum set needed to safely embed text in HTML.

When should I HTML-encode user input?

Always — when rendering untrusted text into HTML. It is the simplest defence against XSS.

Files never leave your device

Convert special characters to their HTML entity equivalents (&, <, >, ", ') and decode them back to plain text.

Input

Output