HTML Entity Encoder / Decoder
Encode and decode HTML special characters
Common HTML Entities
& = &amp;
< = &lt;
> = &gt;
" = &quot;
' = &#39;
/ = &#47;
` = &#96;
= = &#61;
About this tool
The HTML entity encoder converts characters that have special meaning in HTML, such as <, >, & and ", into the safe entities &lt;, &gt;, &amp; and &quot;. All user input that is displayed on a page must be entity-encoded; this is the foundation of XSS prevention.
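The behaviour described above, as an added example that is not the tool's own source: a small encoder and decoder in JavaScript covering the characters on the reference card. The named entities are the standard ones; the numeric references chosen for /, ` and = are one valid spelling, and the tool itself may display a different one (for instance &#x2F; rather than &#47;). The decoder also accepts &apos;, &#39; and &#x27; interchangeably and leaves anything that is not a recognised entity untouched.

```javascript
// Added example, not the tool's own source: a minimal HTML entity encoder
// and decoder covering the characters on the reference card.

// Characters with special meaning in HTML mapped to their entities.
// The named entities are the standard ones; the numeric references for
// the remaining characters are one valid spelling (assumption: the tool
// itself may display e.g. &#x2F; instead of &#47;).
const ENCODE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#47;',
  '`': '&#96;',
  '=': '&#61;',
};

// Encode every special character in one pass. '&' is in the set, so an
// entity already present is encoded again: encoding is deliberately not
// idempotent, which is what produces double-encoded "&amp;quot;".
function encodeEntities(text) {
  return String(text).replace(/[&<>"'\/`=]/g, (ch) => ENCODE_MAP[ch]);
}

// Named entities the decoder accepts. &apos; is recognised on input even
// though the encoder never emits it (see the FAQ on &#39; vs &apos;).
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode named, decimal (&#39;) and hexadecimal (&#x27;) references in one
// pass. Anything that is not a recognised entity, including plain text,
// is returned untouched, which is why decoding a non-encoded string gives
// it back unchanged.
function decodeEntities(text) {
  return String(text).replace(
    /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi,
    (match, hex, dec, name) => {
      // Numeric references above the Unicode range are left as-is.
      const fromCode = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : match);
      if (hex !== undefined) return fromCode(parseInt(hex, 16));
      if (dec !== undefined) return fromCode(parseInt(dec, 10));
      const key = name.toLowerCase();
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, key)
        ? NAMED_ENTITIES[key]
        : match;
    }
  );
}

// Decode repeatedly until the text stops changing, for scraped HTML whose
// entities were double-encoded ("&amp;quot;" -> "&quot;" -> '"'). The
// round limit keeps pathological input from looping forever.
function decodeFully(text, maxRounds = 8) {
  let current = String(text);
  for (let round = 0; round < maxRounds; round++) {
    const next = decodeEntities(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

// Constructed sample input exercising every character on the card.
const SAMPLE = 'Tom & Jerry\'s <b>"x"</b> a=1/2 `tick`';

console.log(encodeEntities(SAMPLE));
console.log(decodeFully(encodeEntities(encodeEntities(SAMPLE))) === SAMPLE);
```

Encoding with the full card (including / and =) is what makes the output safe inside a quoted attribute as well as in text content; decodeFully exists only for cleaning up scraped input and should never be applied to a value that is about to be rendered.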
How to use
- Pick Encode to convert raw characters into HTML entities, or Decode to do the reverse.
- Paste the text or HTML snippet into the input box.
- Read the encoded or decoded output on the right.
- Click Copy to grab the result for use in your template, email, or doc.
- Use the entity reference card at the bottom as a quick lookup for common characters.
Common use cases
- Escaping user-generated content before inserting it into a server-rendered page.
- Embedding code snippets that contain < and > inside a Markdown or HTML document.
- Preparing email HTML so apostrophes and ampersands render correctly across clients.
- Decoding scraped HTML where entities like &quot; were double-encoded.
- Verifying that an output escapes correctly before flagging an XSS bug.
- Showing literal HTML markup in a tutorial or technical doc.
FAQ
Q. Do I still need to encode if I use a templating engine?
A. Most modern engines (Svelte, React, Jinja, ERB) auto-escape by default. But once you reach for a "raw" or "unsafe" helper you take responsibility for encoding yourself.
Q. What is the difference between &#39; and &apos;?
A. Both encode an apostrophe. &apos; is technically XHTML/XML; some legacy HTML parsers do not recognise it, so &#39; is the safer choice for HTML output.
Q. Does encoding fix all XSS issues?
A. No. Context matters — JavaScript strings, URL attributes, and CSS each need their own escaping. Use a battle-tested sanitizer for HTML you want to render with markup intact.
Q. Why does decoding a non-encoded string return it unchanged?
A. There is nothing to decode. Decoding only swaps recognised entities back to characters; raw text passes through untouched.
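The "context matters" answer above, as an added example that is not part of the tool: entity encoding covers the HTML text and quoted-attribute contexts only, so the two other contexts the FAQ names, JavaScript string literals and URL attributes, get a defensive helper each. The allowlist of characters and of URL schemes below are assumptions chosen for this illustration, not a rule taken from the page.

```javascript
// Added example, not the tool's own code: HTML entity encoding protects
// the HTML text and quoted-attribute contexts only. The two other contexts
// named in the FAQ, JavaScript string literals and URL attributes, need
// their own rules; this shows one defensive implementation of each.

// Escape a value for placement inside a quoted JavaScript string literal.
// Everything outside a conservative allowlist (assumption) becomes \uHHHH,
// so quotes, backslashes, line terminators and "</script>" can neither end
// the literal nor close the surrounding <script> element. Entity encoding
// would not help here: the browser does not decode entities inside
// <script>, so "&lt;" would simply stay as those four characters.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) => {
    const code = ch.charCodeAt(0); // one UTF-16 unit; surrogates are escaped individually
    return '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// Allowlist the URL scheme (assumption: http, https and mailto) before the
// value goes into an href or src attribute. The URL parser normalises
// scheme case and strips leading whitespace and control characters, so
// the check sees the scheme the browser would use. Returns the original
// string when acceptable and null otherwise; the caller must still
// entity-encode the accepted value when writing it into the attribute.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function safeHref(value) {
  const text = String(value);
  let parsed;
  try {
    // Relative links resolve against a placeholder origin so they parse too.
    parsed = new URL(text, 'https://placeholder.invalid/');
  } catch (err) {
    return null; // unparseable input is rejected rather than guessed at
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? text : null;
}

// Constructed samples.
console.log(escapeForJsString('He said "hi" </script>'));
console.log(safeHref('/docs/index.html'), safeHref('ftp://example.invalid/file'));
```

Rejecting rather than rewriting a URL with an unexpected scheme is the simpler policy to reason about: a link that fails the check is dropped or replaced by a fixed safe value, and the decision is logged in one place instead of being spread across templates.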