HTML Entity Encoder & Decoder
Escape special characters into HTML entities for safe inclusion in HTML source. Or decode entities back to characters. Live update as you type. Free.
What are HTML entities?
HTML uses certain characters with special meaning β < starts a tag, > closes one, & begins an entity, " and ' delimit attribute values. To use those characters literally inside HTML content (rather than as syntax), you have to "escape" them: replace each special character with a named or numeric entity. The browser then displays the character but doesn't treat it as code.
The five core HTML entities everyone needs:
| Character | Named entity | Numeric entity |
|---|---|---|
| < | < | < |
| > | > | > |
| & | & | & |
| " | " | " |
| ' | ' | ' |
When you'll need this
- Pasting code samples into blog posts β every
<in your code becomes part of the HTML unless escaped. - Email templates with literal & in URLs or text.
- JSON-LD structured data where strings contain HTML metacharacters.
- User-submitted comments and reviews β escaping prevents stored XSS attacks.
- RSS / Atom feed bodies that include HTML content.
- Markdown documentation showing HTML syntax examples.
- API responses that return HTML or HTML-fragment strings.
Encode-all mode
Standard encoding only escapes the five HTML-unsafe characters. The "Encode ALL non-ASCII" option additionally encodes every character above ASCII (accents, emojis, CJK, etc.) as numeric entities. Useful for legacy systems that only support 7-bit ASCII text, or for ensuring an HTML file works without explicit character encoding declarations.
Security note: XSS
Properly escaping HTML entities is one of the foundational defences against cross-site scripting (XSS) attacks. Any user-supplied content that ends up inside HTML must be escaped β otherwise an attacker could inject <script> tags that execute in another user's browser. Always escape user input on output, not on input (escape when displaying, not when storing).
This tool is a manual encoder β for production code, use your framework's built-in escaping (React's JSX, Vue's mustache syntax, Django/Jinja autoescape, etc.) rather than doing it by hand.
Decoding
Use Decode mode to convert HTML entities back to plain characters. Useful when reading API responses, log files or database dumps that contain escaped HTML.
FAQs
Will this protect me from XSS?
Escaping is a layer of protection, but production apps should use framework auto-escaping, not manual tools.
What's the difference between named and numeric entities?
Same effect; named (<) is more readable, numeric (<) works for any Unicode codepoint without needing a name.
Is anything uploaded?
No. Runs in your browser.
Does decode work on numeric entities like ❤?
Yes β both decimal (❤) and hex (❤) numeric entities are supported.