Encoding & Decoding · 1 min read

HTML Entity Encoding in XSS and Phishing

HTML entities replace characters with named (&) or numeric (& or &) references. Browsers render them as normal characters, but source code scanners and WAFs may not. Attackers use this gap to smuggle XSS payloads and hide phishing content from automated detection.

Try it now

Encoder / Decoder

Runs in your browser, nothing leaves your device.

A classic XSS payload `<script>alert(1)</script>` can be rewritten using HTML entities: `&#60;script&#62;alert(1)&#60;/script&#62;`. If a server stores this without decoding and later renders it in a context where entities are interpreted, the script executes. Decimal, hex, and named entities can be mixed to evade pattern matching.

Phishing kits encode brand names and credential-harvesting form targets as HTML entities to avoid keyword-based detection. The page renders normally in a browser, but automated scanners searching for 'paypal' or 'password' in the source won't find plaintext matches.

Entity-encoded script tag

Input
&#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;
Result
<script>

Security context

When reviewing page source for security issues, always decode HTML entities before analyzing the content. A page that looks clean in raw source might contain fully functional malicious scripts once entities are resolved.

Yes, if the filter checks raw source code without decoding entities first. A well-implemented WAF will decode entities before pattern matching, but many custom filters miss this step.

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description