Escape HTML entities to block XSS attacks
Paste dangerous input and click Sanitize — get 6 safe encodings instantly.
Sanitize user input and escape HTML entities to prevent XSS attacks. Free browser-based tool for developers — no upload required.
1. Paste any untrusted string — user form data, URL params, API responses, or known XSS payloads.
2. Click "Sanitize All Contexts" to encode the input for 6 different placement contexts simultaneously.
3. Pick the correct context for your code (HTML, JS, URL, etc.) and copy the safe output directly.
Cross-Site Scripting (XSS) occurs when attackers inject malicious scripts into web pages. The fix: always escape user input based on where it will appear in your HTML — different contexts need different escaping rules.
Cross-Site Scripting (XSS) allows attackers to inject client-side scripts into web pages viewed by other users. It can steal session cookies, redirect users to phishing sites, deface pages, or perform actions on behalf of the victim without their knowledge.
- HTML: escapes for text nodes and innerHTML.
- Attribute: escapes for HTML attribute values.
- JavaScript: escapes for inline JS string literals.
- URL: percent-encodes for query parameters.
- CSS: strips unsafe characters.
- Strip + Encode: removes all tags, then HTML-encodes — the safest fallback.
Sanitization happens entirely in your browser via JavaScript. No data is sent to any server. You can also use the PHP API endpoint for server-side processing by posting to ?api=1.
Use the HTML Context output for any content inserted via innerHTML, document.write(), or server-rendered HTML. If you only need plain text, use "Strip Tags + Encode" for maximum safety.
Context-aware escaping prevents the majority of XSS vectors. However, you should also implement a strong Content Security Policy (CSP), avoid eval(), use textContent instead of innerHTML where possible, and validate input server-side.
React and Vue auto-escape HTML by default when using JSX or templates. However, if you use dangerouslySetInnerHTML in React or v-html in Vue, you must sanitize the content first — use the HTML Context output from this tool.
An XSS Input Sanitizer is a developer tool that escapes untrusted user input so it cannot be interpreted as executable code by a browser. Cross-Site Scripting (XSS) is one of the most common and dangerous web vulnerabilities — ranked in OWASP's top 10 for over a decade. The root cause is always the same: unsanitized user input rendered into a web page in a context that allows code execution.
This tool takes any raw string — a form field value, API response, URL parameter, or known XSS payload — and produces six context-correct encodings you can safely drop into your HTML, JavaScript, URLs, CSS, and HTML attributes.
Many developers make the mistake of applying a single encoding pass to user input regardless of where it ends up. This is dangerously wrong. A string safe inside a paragraph tag may be actively dangerous inside a JavaScript string literal or an HTML attribute. The correct approach — called output encoding — applies different transformations based on the injection context:
&, <, >, ", ' using their HTML entity equivalents.href, value, title, and event handlers can be attacked with unquoted or partially-quoted values.&, =, or ? cannot inject additional query parameters or hijack href values.expression() attacks in legacy IE or manipulate layout to create overlay phishing traps.strip_tags(), then HTML-encode the result. This is the most conservative option, suitable for any context where you need guaranteed plain text.Understanding what attackers actually submit helps developers appreciate why escaping is non-negotiable:
- <script>alert(1)</script> — Classic script injection. HTML escaping converts < to &lt;, making the tag inert.
- " onmouseover="alert(1) — Attribute breakout. Attribute escaping converts the leading " to &quot;, keeping it inside the attribute value.
- javascript:alert(1) — Protocol injection in href. URL encoding converts this to javascript%3Aalert%281%29, which browsers don't execute as a protocol.
- <img src=x onerror=alert(1)> — Event handler injection. HTML escaping neutralizes the angle brackets; strip_tags removes the element entirely.
- expression(alert(1)) — CSS injection. The CSS sanitizer strips parentheses and non-alphabetic characters, leaving only safe values.

These three terms (validation, sanitization, and output encoding) are often confused, but they represent distinct defense layers:
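As an added illustration (my own code, not the tool's source), here are the six context encoders described above written in JavaScript along the standard OWASP per-context rules, run against the sample payloads just listed. The attribute encoder emits &#xHH; numeric entities (equivalent to the &quot; form mentioned above), and the CSS allow-list of permitted characters is an assumption of this example.

```javascript
// Added example (not the tool's source): six per-context encoders following OWASP rules.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// 1. HTML context (text nodes, innerHTML): entity-encode the five significant characters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// 2. Attribute context: encode every non-alphanumeric as &#xHH; (equivalent to &quot; for
//    the quote) so a value cannot close an unquoted or partially-quoted attribute.
function escapeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// 3. JavaScript string-literal context: \xHH or \u{...} for non-alphanumerics, so quotes,
//    backslashes and "</script>" cannot end the literal or the enclosing element.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? `\\x${cp.toString(16).padStart(2, "0")}` : `\\u{${cp.toString(16)}}`;
  });
}

// 4. URL context (query parameter): percent-encode, also covering !'()* which
//    encodeURIComponent leaves alone, to match PHP's rawurlencode().
function encodeUrlParam(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g, (c) => `%${c.charCodeAt(0).toString(16).toUpperCase()}`);
}

// 5. CSS context: allow-list (assumed here) of characters a plain value needs;
//    parentheses, quotes, semicolons, slashes and backslashes are dropped.
function escapeCss(s) {
  return String(s).replace(/[^A-Za-z0-9 #%.-]/g, "");
}

// 6. Strip + encode: remove anything tag-shaped, then HTML-encode the remainder.
//    (A regex is not an HTML parser, which is why encoding still follows the strip.)
function stripAndEncode(s) {
  return escapeHtml(String(s).replace(/<[^>]*>/g, ""));
}

// All six at once, as the tool's "Sanitize All Contexts" button does.
function sanitizeAll(input) {
  return { html: escapeHtml(input), attr: escapeAttr(input), js: escapeJsString(input),
           url: encodeUrlParam(input), css: escapeCss(input), stripped: stripAndEncode(input) };
}

// Constructed samples: the payloads discussed above.
const SAMPLE_PAYLOADS = ["<script>alert(1)</script>", '" onmouseover="alert(1)', "javascript:alert(1)"];
for (const p of SAMPLE_PAYLOADS) console.log(p, "=>", sanitizeAll(p));
```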
Best practice is to apply all three: validate on input, sanitize if you accept partial HTML, and always output-encode before rendering.
React, Vue, Angular, and Svelte all auto-escape HTML by default in their template expressions. However, each provides an "escape hatch" that bypasses this protection:
- React: dangerouslySetInnerHTML
- Vue: v-html
- Angular: the [innerHTML] binding
- Svelte: @html

Any time you use one of these, you are responsible for sanitizing the content yourself before passing it in. Use the HTML Context output from this tool, or a library like DOMPurify for rich HTML content.
Client-side sanitization (JavaScript) can be bypassed by an attacker who sends requests directly to your server without using a browser. Always sanitize and encode on the server side. This tool provides a PHP API endpoint (?api=1 via POST) that runs the same six-context escaping pipeline server-side using PHP's native htmlspecialchars(), rawurlencode(), and regex sanitization functions.
- Prefer textContent over innerHTML when inserting plain text.
- Set the HttpOnly flag on session cookies so JavaScript cannot access them even if XSS occurs.
- Set the SameSite cookie attribute to limit the CSRF risk that often accompanies XSS.