HTML Entity Encoder & Decoder

Escape special characters into HTML entities for safe inclusion in HTML source. Or decode entities back to characters. Live update as you type. Free.

Runs in your browser.

What are HTML entities?

HTML uses certain characters with special meaning β€” < starts a tag, > closes one, & begins an entity, " and ' delimit attribute values. To use those characters literally inside HTML content (rather than as syntax), you have to "escape" them: replace each special character with a named or numeric entity. The browser then displays the character but doesn't treat it as code.

The five core HTML entities everyone needs:

CharacterNamed entityNumeric entity
<&lt;&#60;
>&gt;&#62;
&&amp;&#38;
"&quot;&#34;
'&#39;&#39;

When you'll need this

Encode-all mode

Standard encoding only escapes the five HTML-unsafe characters. The "Encode ALL non-ASCII" option additionally encodes every character above ASCII (accents, emojis, CJK, etc.) as numeric entities. Useful for legacy systems that only support 7-bit ASCII text, or for ensuring an HTML file works without explicit character encoding declarations.

Security note: XSS

Properly escaping HTML entities is one of the foundational defences against cross-site scripting (XSS) attacks. Any user-supplied content that ends up inside HTML must be escaped β€” otherwise an attacker could inject <script> tags that execute in another user's browser. Always escape user input on output, not on input (escape when displaying, not when storing).

This tool is a manual encoder β€” for production code, use your framework's built-in escaping (React's JSX, Vue's mustache syntax, Django/Jinja autoescape, etc.) rather than doing it by hand.

Decoding

Use Decode mode to convert HTML entities back to plain characters. Useful when reading API responses, log files or database dumps that contain escaped HTML.

FAQs

Will this protect me from XSS?

Escaping is a layer of protection, but production apps should use framework auto-escaping, not manual tools.

What's the difference between named and numeric entities?

Same effect; named (&lt;) is more readable, numeric (&#60;) works for any Unicode codepoint without needing a name.

Is anything uploaded?

No. Runs in your browser.

Does decode work on numeric entities like &#x2764;?

Yes β€” both decimal (&#10084;) and hex (&#x2764;) numeric entities are supported.

Related encoder tools