Escape or unescape HTML entities — replace characters like <, >, &, " and ' with their HTML entity names or numeric codes. Supports named and decimal entities.
HTML entities are special codes to display reserved characters in HTML. For example &lt; renders as < and &amp; renders as &.
Escaping HTML prevents XSS attacks when displaying user-generated content.
In content: < becomes &lt;, > becomes &gt;, & becomes &amp;. In attribute values: double quote becomes &quot;, single quote becomes &#39;. Proper escaping is the foundation of XSS prevention.
Characters that must be encoded: < and > to avoid being parsed as tags (&lt; &gt;); & to avoid being parsed as an entity start (&amp;); quotes inside attribute values (&quot;). Always HTML-entity-escape user-generated content before rendering it on the page to prevent XSS (Cross-Site Scripting) attacks. Modern frameworks (React, Vue) handle this escaping automatically for text interpolated into templates; their raw-HTML APIs (React's dangerouslySetInnerHTML, Vue's v-html) bypass it.
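
The escaping and unescaping described above, as an added JavaScript example (not code from this page or from the tool it describes). The function names, the choice of &#39; for the single quote, and the sample strings are assumptions made for illustration.

```javascript
// Added example. Covers only the five characters the page lists.
const NAMED = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);

// One pass over the input: the "&" of an entity just written is never
// visited again, so output is not double-escaped within a single call.
function escapeHtml(input, { numeric = false } = {}) {
  return String(input).replace(/[&<>"']/g, (ch) =>
    numeric ? `&#${ch.codePointAt(0)};` : NAMED[ch]);
}

// Decodes named and decimal entities in one pass, so "&amp;lt;" becomes
// "&lt;" rather than "<". Unknown names and invalid code points stay as-is.
function unescapeHtml(input) {
  return String(input).replace(/&(?:#(\d+)|([A-Za-z]+));/g, (match, dec, name) => {
    if (dec === undefined) return DECODE.has(name) ? DECODE.get(name) : match;
    const cp = Number(dec);
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : match;
  });
}

// Hypothetical renderer: the same escaped form is safe in element content
// and inside a double-quoted attribute value.
function renderComment(author, text) {
  return `<p title="${escapeHtml(author)}">${escapeHtml(text)}</p>`;
}

// Constructed sample input standing in for user-generated content.
const sample = `<script>alert("hi")</script> Tom & Jerry's`;
console.log(escapeHtml(sample));
console.log(escapeHtml(sample, { numeric: true }));
console.log(unescapeHtml(escapeHtml(sample)) === sample);
console.log(renderComment('Ann "Root" Lee', '1 < 2 && 3 > 2'));
```

Unescaped output is raw text again and has to be escaped once more before it is written back into a page.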