> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-3/obfuscation/trick-0207.md).

# Decode HTML Entities for Password

***

Found secrets like passwords or keys sometimes hidden in source code (e.g., JavaScript files) encoded as HTML entities. HTML entity encoding is the practice of replacing certain characters (like <, >, and &) with their corresponding HTML entities (like <, >, and &). This is often done to prevent the browser from interpreting these characters as the start of an HTML tag or for obfuscation.

To reveal the original string, simply decode the HTML entities. A common approach is to use a tool like Cyberchef. Input the encoded string into Cyberchef and apply the "HTML Entity Decode" operation. This converts characters represented as `&...;` back into their original form. This operation can also be part of a larger recipe in Cyberchef, combined with other operations like Base64 decoding or URL decoding depending on the specific encoding chain.

Alternatively, decoding can often be performed programmatically, for instance, using JavaScript within a browser environment. One method involves creating a temporary DOM element:

```javascript
function decodeHtml(html) {
    var txt = document.createElement("textarea");
    txt.innerHTML = html;
    return txt.value;
}
```

Another similar JavaScript implementation uses a different element type:

```javascript
function decodeHTML(str) {
    let element = document.createElement('div');
    element.innerHTML = str;
    return element.childNodes.length === 0 ? "" : element.childNodes[0].nodeValue;
}
```

A third JavaScript approach also utilizes a temporary element:

```javascript
function decodeHTMLEntities(text) {
  var textArea = document.createElement('textarea');
  textArea.innerHTML = text;
  return textArea.value;
}
```

Another modern JavaScript method leverages the `DOMParser` API:

```javascript
function htmlDecode(input) {
  const doc = new DOMParser().parseFromString(input, "text/html");
  return doc.documentElement.textContent;
}
```

These methods demonstrate different ways to interpret the HTML-encoded string within a browser's rendering engine to obtain the decoded text content.
