HTML Entity Encoder / Decoder
Encode and decode HTML special characters
Common HTML Entities
About the tool
The HTML entity encoder converts characters that have special meaning in HTML, such as <, >, &, and ", into entity references such as &lt;, &gt;, &amp;, and &quot;. Always encode user input before rendering it on screen so the browser treats it as text; this is the basic defence against XSS.
How to use
- Pick Encode to convert raw characters into HTML entities, or Decode to do the reverse.
- Paste the text or HTML snippet into the input box.
- Read the encoded or decoded output on the right.
- Click Copy to grab the result for use in your template, email, or doc.
- Use the entity reference card at the bottom as a quick lookup for common characters.
Main use cases
- Sanitising user-generated content before injecting it into a server-rendered page.
- Embedding code snippets that contain < and > inside a Markdown or HTML document.
- Preparing email HTML so apostrophes and ampersands render correctly across clients.
- Decoding scraped HTML where entities like &quot; were double-encoded.
- Verifying that an output escapes correctly before flagging an XSS bug.
- Showing literal HTML markup in a tutorial or technical doc.
FAQ
Q. Do I still need to encode if I use a templating engine?
A. Most modern engines (Svelte, React, Jinja, ERB) auto-escape by default. But once you reach for a "raw" or "unsafe" helper you take responsibility for encoding yourself.
Q. What is the difference between &#39; and &apos;?
A. Both encode an apostrophe. &apos; is technically XHTML/XML; some legacy HTML parsers do not recognise it, so &#39; is the safer choice for HTML output.
Q. Does encoding fix all XSS issues?
A. No. Context matters — JavaScript strings, URL attributes, and CSS each need their own escaping. Use a battle-tested sanitizer for HTML you want to render with markup intact.
Q. Why does decoding a non-encoded string return it unchanged?
A. There is nothing to decode. Decoding only swaps recognised entities back to characters; raw text passes through untouched.
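The encoder and decoder behaviour described above (the five special characters, the &#39; versus &apos; choice, double-encoded scraped input, and raw text passing through decode unchanged), as an added example in plain JavaScript that is not the tool's own code; the sample input is constructed.

```javascript
// Added example, not the tool's implementation. Runs in Node or a browser.

// Encode the five characters that carry meaning in HTML text and attribute
// contexts. &#39; is used for the apostrophe instead of &apos; because some
// legacy HTML parsers do not recognise &apos;.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Named entities this decoder recognises (a small subset of the HTML list).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode named (&quot;), decimal (&#39;) and hex (&#x27;) references.
// Unrecognised references and raw text pass through untouched, so decoding a
// string with no entities returns it unchanged.
function decodeHtml(text) {
  return String(text).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g, (m, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      // Out-of-range code points are left as-is rather than throwing.
      return cp === 0 || cp > 0x10ffff ? m : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : m;
  });
}

// Double-encoded scraped HTML (e.g. &amp;quot;) needs two passes: the first
// turns &amp;quot; into &quot;, the second turns &quot; into ".
function decodeTwice(text) {
  return decodeHtml(decodeHtml(text));
}

// Constructed sample: user-submitted text containing markup characters.
const sample = `<b>Hi</b> & "it's"`;
console.log(encodeHtml(sample));                         // &lt;b&gt;Hi&lt;/b&gt; &amp; &quot;it&#39;s&quot;
console.log(decodeHtml(encodeHtml(sample)) === sample);  // true
console.log(decodeTwice('&amp;quot;'));                  // "
```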