html-entities

Fast HTML entity encoding and decoding library. Encodes the special HTML characters (<, >, &, ", ') and, optionally, non-ASCII characters to HTML entities, and decodes entities back to characters. Supports named HTML5 entities (&amp; &nbsp; &copy;) as well as numeric decimal and hexadecimal entities. Used for output encoding as part of XSS prevention, HTML content processing, and email HTML generation.

Evaluated Mar 06, 2026, package version v2.x
⚙ Agent Friendliness: 66 / 100 (Can an agent use this?)
🔒 Security: 98 / 100 (Is it safe for agents?)
⚡ Reliability: 91 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 85
Error Messages: 75
Auth Simplicity: 100
Rate Limits: 100

🔒 Security

TLS Enforcement: 100
Auth Strength: 100
Scope Granularity: 100
Dep. Hygiene: 90
Secret Handling: 100

MIT licensed. Output encoding with encode() prevents XSS only when the encoded value lands in the context it was encoded for: HTML text and quoted attribute values. Other sinks (URL, CSS, JavaScript, unquoted attributes) need their own context-specific escaping, so encoding alone is not sufficient.

⚡ Reliability

Uptime/SLA: 100
Version Stability: 88
Breaking Changes: 85
Error Recovery: 90

Best When

You need to encode/decode HTML entities in a Node.js string processing pipeline without a full templating engine or sanitization library.

Avoid When

You need XSS protection via sanitization (removing tags) — use sanitize-html or DOMPurify instead of just encoding.

Use Cases

  • Encode user-generated content before inserting it into HTML text or quoted attribute values to prevent XSS injection
  • Decode HTML entities from scraped or API-returned HTML content for clean text extraction
  • Process HTML content in agent document pipelines where entities must be normalized
  • Generate email HTML by encoding special characters (and, with the nonAscii mode, all non-ASCII characters) so the markup renders the same in every client
  • Normalize text content from web scraping that contains a mix of HTML entities and raw Unicode

Not For

  • Full HTML sanitization: html-entities encodes/decodes only; use sanitize-html or DOMPurify for removing dangerous HTML tags and attributes
  • Server-side template escaping: most templating engines (Handlebars, Pug) auto-escape HTML; html-entities is for string processing without a template engine
  • DOM manipulation: in browsers, set element.textContent (the browser creates a text node, so no entity encoding is needed); html-entities is for string-level processing

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

Local library; no authentication required. MIT licensed.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

MIT licensed. Zero cost.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • Encoding mode matters: the default mode ('specialChars') encodes only <, >, &, " and '; encode(str, { mode: 'nonAscii' }) also turns every non-ASCII character into a numeric entity, and encode(str, { mode: 'nonAsciiPrintable' }) additionally encodes non-printable control characters. Pick the mode for the target rather than the widest one by default.
  • encode() is not the inverse of decode(): many characters have several valid entity spellings (&amp;, &#38;, &#x26;), so encode(decode(s)) need not equal s even though decode(encode(s)) does. decode() accepts named, decimal and hexadecimal forms.
  • encode() targets HTML text and quoted attribute values: it escapes both quote characters, so its output is safe inside a quoted attribute, but it does nothing for unquoted attributes or for URL, CSS and JavaScript contexts, which need their own escaping.
  • Does NOT strip HTML tags: it only encodes/decodes entities; use DOMPurify or sanitize-html for tag removal/sanitization.
  • Double-encoding risk: encoding already-encoded content turns &amp; into &amp;amp;. Store raw text and encode exactly once, at output time, rather than trying to detect whether input is already encoded.
  • Encoding every non-ASCII character (mode: 'nonAscii') is common practice for email HTML, where some clients mishandle charset declarations; ASCII-only output renders correctly whatever charset the client assumes.
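Worked example, added here and not code from the html-entities package or its authors. It shows the behaviour the gotchas above describe: the 'specialChars' versus 'nonAscii' modes, decoding of named, decimal and hexadecimal entities, the decode-then-encode round trip, a double-encoding check, and why the same value needs different treatment in HTML text, a quoted attribute, a URL and a JavaScript string. So that it runs offline with plain Node, it uses a small hand-written encoder/decoder and a constructed subset of the HTML5 named-entity table instead of importing the package; the real package exposes encode(text, { mode, level, numeric }) and decode(text, { level, scope }) with the same mode names. The renderLink and toJsStringLiteral helpers, the has() helper and all sample inputs are this example's own.

```javascript
// Added stand-alone illustration of the encode/decode behaviour and gotchas.
// It is NOT the html-entities package and does not import it: the package's
// encode(text, { mode, level, numeric }) and decode(text, { level, scope })
// are stood in for by a small hand-written encoder/decoder so the file runs
// with plain Node and no npm install. NAMED is a constructed subset of the
// HTML5 entity table; the sample inputs below are constructed as well.
'use strict';

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// The five characters that must be escaped in HTML text and in quoted
// attribute values. A quoted attribute is safe because both quote characters
// are escaped; unquoted attributes, URLs, CSS and JavaScript are NOT covered.
const SPECIAL = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Constructed subset of the HTML5 named-entity table.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0', copy: '\u00a9' };

// mode 'specialChars' (the library default): only the five specials.
// mode 'nonAscii': specials plus every code point above 0x7F as a numeric
// entity, decimal by default or hexadecimal with numeric: 'hexadecimal'.
function encode(text, { mode = 'specialChars', numeric = 'decimal' } = {}) {
  let out = '';
  for (const ch of text) { // for..of walks code points, so emoji stay intact
    const cp = ch.codePointAt(0);
    if (has(SPECIAL, ch)) out += SPECIAL[ch];
    else if (mode === 'nonAscii' && cp > 0x7f)
      out += numeric === 'hexadecimal' ? `&#x${cp.toString(16).toUpperCase()};` : `&#${cp};`;
    else out += ch;
  }
  return out;
}

// Decodes named, decimal and hexadecimal entities in one pass, so '&amp;amp;'
// becomes '&amp;' and is not decoded twice. Unknown names and invalid code
// points (NUL, surrogates, above U+10FFFF) are left as-is, as a browser would.
const ENTITY_RE = /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z][a-z0-9]*));/gi;
function decode(text) {
  return text.replace(ENTITY_RE, (match, hex, dec, name) => {
    if (name !== undefined) return has(NAMED, name) ? NAMED[name] : match;
    const cp = parseInt(hex !== undefined ? hex : dec, hex !== undefined ? 16 : 10);
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
    return String.fromCodePoint(cp);
  });
}

// Round-trip property: decoding an encoded string gives the original back,
// but re-encoding decoded text need not reproduce the same bytes.
function roundTrips(text, opts) { return decode(encode(text, opts)) === text; }

// Double-encoding heuristic for the gotcha above: a string that changes under
// decode() already contains entities and must not be encoded again.
function looksEncoded(text) { return decode(text) !== text; }

// Context-aware use. Label and href both go through encode(), which is right
// for HTML text and a quoted attribute; the URL scheme is a separate context
// that entity encoding cannot protect, so it is allow-listed instead.
function renderLink(label, href) {
  if (!/^https?:\/\//i.test(href)) throw new Error('unsafe href scheme: ' + href);
  return `<a href="${encode(href)}">${encode(label)}</a>`;
}

// JavaScript context: entity encoding is wrong here (a <script> body is raw
// text). A JSON string literal with '<' escaped keeps '</script>' inside the
// value from closing the surrounding tag.
function toJsStringLiteral(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// Constructed sample input mixing specials, a tag, quotes and non-ASCII.
const userInput = 'Tom & Jerry <script>alert(1)</script> "quoted" \u00a9 2026 \u{1F600}';
console.log(encode(userInput));                       // © and the emoji pass through
console.log(encode(userInput, { mode: 'nonAscii' })); // ... &#169; ... &#128512;
console.log(decode('&copy; &amp;amp; &#169; &#xA9; AT&T;'));
console.log(roundTrips(userInput, { mode: 'nonAscii' }), looksEncoded(encode(userInput)));
console.log(renderLink('Click "here"', 'https://example.com/?a=1&b=2'));
console.log(toJsStringLiteral('</script><script>alert(1)</script>'));
```

Run it with node; the last lines print each result. looksEncoded() is only a heuristic: raw text that legitimately contains a sequence such as &amp; would be misclassified, which is why the gotcha recommends storing raw text and encoding once at output time rather than inspecting input.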

Scores are editorial opinions as of 2026-03-06.
