Tools Harbor

HTML Entity Encoder / Decoder

Encode special characters as HTML entities, or decode entities back to text.

Encode text for safe embedding in HTML

When user input ends up inside HTML, certain characters must be replaced with entities so they display as text rather than being interpreted as markup. This tool handles both directions: encoding plain text into HTML entities, and decoding entities back to readable text.

What gets encoded?

At minimum, you need to escape five characters:

Character    Entity
&            &amp;
<            &lt;
>            &gt;
"            &quot;
'            &#39;

In “encode all” mode, the tool also emits numeric entities (&#N;) for every character outside ASCII. This is rarely necessary in modern UTF-8 pages but useful when targeting legacy email clients or older content management systems.

Decoding

Decoding accepts named entities, decimal numeric entities (&#65;) and hex numeric entities (&#x41;). The decoder uses the browser’s HTML parser, so it handles everything the browser itself would handle.
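
The encoding and decoding rules above, as an added JavaScript example (not this tool's own code; the names encodeHtml, decodeHtml, ESCAPES and NAMED are hypothetical). The decoder is a deliberate subset of what a browser's parser accepts: numeric entities plus five named ones, without the browser's remapping of legacy code points.

```javascript
// Added example, not the tool's source. All names here are hypothetical.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Encode the five structural characters in a single pass, so the '&' of an
// entity that was just produced is never escaped a second time.
// encodeAll: also emit &#N; for every code point outside ASCII.
function encodeHtml(text, encodeAll = false) {
  const escaped = String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
  if (!encodeAll) return escaped;
  // The 'u' flag matches whole code points, so an astral character (stored
  // as a surrogate pair) becomes one entity rather than two invalid ones.
  return escaped.replace(/[^\x00-\x7F]/gu, (ch) => `&#${ch.codePointAt(0)};`);
}

// Decode decimal, hex and the entities listed in NAMED in a single pass, so
// "&amp;lt;" yields the text "&lt;" and not "<".
function decodeHtml(html) {
  const pattern = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g;
  return String(html).replace(pattern, (match, body) => {
    if (body[0] !== '#') {
      // Own-property check: a name such as "constructor" must not resolve
      // to something inherited from Object.prototype.
      const known = Object.prototype.hasOwnProperty.call(NAMED, body);
      return known ? NAMED[body] : match; // unknown name: leave untouched
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Null, surrogates and out-of-range values are not valid characters;
    // substitute U+FFFD instead of emitting them.
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\uFFFD';
    return String.fromCodePoint(cp);
  });
}
```

These five escapes suit text placed in element content or inside a quoted attribute value. Values written into script blocks, URLs or CSS need the encoding for that context instead.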

Privacy

Encoding and decoding happen locally in your browser — no network round trip, no storage.

Frequently asked questions

What are the five "named" HTML entities?
&amp; (&), &lt; (<), &gt; (>), &quot; (") and &#39; ('). These are the minimum set you must escape when placing arbitrary text inside HTML.

Do I need to escape every non-ASCII character?
No. Modern HTML (UTF-8) can render any Unicode character directly. You only need to encode characters that have structural meaning in HTML (&, <, >, " and ') to prevent breaking markup or enabling XSS.

Does this tool prevent XSS?
Correct encoding is one layer of defense but not a full XSS solution. Always encode values at the point of output and use a framework or templating engine that escapes by default.