HTML Entity Encoding in XSS and Phishing
HTML entities replace characters with named (&) or numeric (& or &) references. Browsers render them as normal characters, but source code scanners and WAFs may not. Attackers use this gap to smuggle XSS payloads and hide phishing content from automated detection.
Try it now
Encoder / Decoder
Runs in your browser, nothing leaves your device.
A classic XSS payload `<script>alert(1)</script>` can be rewritten using HTML entities: `<script>alert(1)</script>`. If a server stores this without decoding and later renders it in a context where entities are interpreted, the script executes. Decimal, hex, and named entities can be mixed to evade pattern matching.
Phishing kits encode brand names and credential-harvesting form targets as HTML entities to avoid keyword-based detection. The page renders normally in a browser, but automated scanners searching for 'paypal' or 'password' in the source won't find plaintext matches.
Examples
Entity-encoded script tag
<script>
<script>
Security context
When reviewing page source for security issues, always decode HTML entities before analyzing the content. A page that looks clean in raw source might contain fully functional malicious scripts once entities are resolved.
Frequently asked
Yes, if the filter checks raw source code without decoding entities first. A well-implemented WAF will decode entities before pattern matching, but many custom filters miss this step.
Related techniques
URL Encoding and Decoding
Decode percent-encoded URLs to reveal hidden paths, parameters, and payloads. Detect double-encoding attacks and URL-based injection attempts.
JavaScript Deobfuscation Techniques
How to deobfuscate JavaScript malware, phishing scripts, and browser exploits. Reverse eval packing, string rotation, array shuffling, and control flow flattening.
Detecting Phishing URLs: Indicators and Techniques
Analyze URLs for phishing indicators: typosquatting, homoglyph attacks, suspicious subdomains, URL shortener abuse, and credential harvesting parameters.