HTML & URL Encoder
Encode and decode HTML entities and URL components, with a quick reference table
Encode and decode HTML entities and URL components, with a quick reference table
<script>alert("hi & bye")</script>| Char | Encoded | Note |
|---|---|---|
| & | & | Always escape — terminates entity parsing |
| < | < | Opens a tag |
| > | > | Closes a tag |
| " | " | Closes attribute values |
| ' | ' | Closes single-quoted attributes |
| ␣ | | Non-breaking space |
| © | © | Copyright |
| ® | ® | Registered |
| — | — | Em dash |
| → | → | Right arrow |
They look similar — both replace special characters with safe stand-ins — but they live in completely different layers of the stack and mixing them up is a classic source of bugs. HTML entitiesexist so that text written into a web page can't be confused with markup. < renders as a literal < instead of opening a tag. URL encoding (also called percent encoding) exists so that arbitrary bytes can survive the journey through a URL, which is restricted to ASCII and reserves characters like ?, &, and = for syntax.
encodeURI is for whole URLs — it leaves the syntax characters alone so that https://x.com/?a=1&b=2 stays parseable. encodeURIComponentis for individual query values — it escapes everything that isn't a letter, digit, or one of -_.!~*'(). When in doubt, reach for encodeURIComponent: it's the safer default for any value being interpolated into a URL.
The minimum viable HTML escape covers &, <, >, ", and '. Forgetting the quote characters is fine for element content but fatal inside attributes — <a title="{{value}}"> with an unescaped quote in value closes the attribute and lets the next characters become new attributes (or worse, onclick). This tool encodes both quote variants by default.