HTML entity encoder / decoder

Escapes the five OWASP-mandated characters, or additionally every non-ASCII character. Decodes named entities, decimal references, and hex references. Warns when input looks double-encoded.

When to encode: before inserting user-supplied text into HTML body content. The five characters are &, <, >, ", and '. For attribute values, use the same escaping; for <script> bodies, use a JSON-safe escape instead. Extended mode adds numeric references for every non-ASCII character, which is handy when the downstream system can't handle UTF-8 directly.
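
The two encode modes, the three reference forms on decode, and the double-encoding warning can be sketched as follows. This is an added example, not this tool's own source: the function names are hypothetical, the choice of `&#39;` for the apostrophe is an assumption, and only five named entities are decoded.

```javascript
// Added example: names below are hypothetical, not this tool's source.
const ESCAPES = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;'],
]);
// Assumption: only these named entities are decoded; a full decoder needs
// the complete HTML named character reference table.
const NAMED = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
]);
const REF = '(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*)';

// Basic mode escapes the five characters; extended mode also turns every
// non-ASCII code point into a decimal numeric reference.
function encodeHtml(text, { extended = false } = {}) {
  let out = '';
  for (const ch of text) { // iterates by code point, so astral characters stay whole
    const cp = ch.codePointAt(0);
    if (ESCAPES.has(ch)) out += ESCAPES.get(ch);
    else if (extended && cp > 0x7f) out += `&#${cp};`;
    else out += ch;
  }
  return out;
}

// Single-pass decode of named, decimal and hex references. The output is
// never rescanned, so "&amp;lt;" becomes "&lt;" rather than "<".
function decodeHtml(text) {
  return text.replace(new RegExp(`&${REF};`, 'g'), (match, body) => {
    if (body[0] !== '#') return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : match; // leave bad references as-is
  });
}

// Heuristic: an escaped ampersand directly followed by the rest of a
// reference ("&amp;lt;", "&amp;#60;") suggests the text was encoded twice.
function looksDoubleEncoded(text) {
  return new RegExp(`&amp;${REF};`).test(text);
}
```

Encoding text that is already encoded is what produces the `&amp;lt;` pattern the heuristic looks for, so checking input with `looksDoubleEncoded` before a second encode pass catches the common mistake.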