all non-ASCII — paste html to start // client-only

// output appears here


              curl -sX POST 'https://api.whittly.dev/v1/html/encode' \
  -H 'Authorization: Bearer $WHITTLY_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"input":"<div class=\"hello\">World &amp; Co</div>"}'


              const res = await fetch('https://api.whittly.dev/v1/html/encode', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer ' + apiKey,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ input: "<div class=\"hello\">World &amp; Co</div>" }),
});
const data = await res.json();


              const { data } = await axios.post(
  'https://api.whittly.dev/v1/html/encode',
  { input: "<div class=\"hello\">World &amp; Co</div>" },
  { headers: { Authorization: 'Bearer ' + apiKey } }
);

// probulk encodingpro·files over 5 MBproupgrade →

// about this tool

HTML entities are escape sequences for characters that have special meaning in HTML (&, <, >, ", '). Encoding user-provided content before inserting it into HTML prevents Cross-Site Scripting (XSS) attacks where malicious scripts are injected into web pages.

// when to use

Escape user input before rendering it in HTML
Decode HTML entities in scraped web content
Prepare text content for safe inclusion in HTML attributes
Debug encoded content in HTML source code

// faq

Does encoding prevent XSS?

HTML entity encoding prevents XSS when output is placed in HTML text content and attributes. However, different contexts (JavaScript, CSS, URL) require different escaping strategies. This tool handles the HTML context.

What is the difference between & and &?

Both represent the & character. Named entities (&) are more readable; numeric entities (& decimal or & hex) work even when the named entity is not recognized.

// related tools

// about this tool

// when to use

// faq