HTML Entity Encoder & Decoder
Encode and decode HTML entities (&, <, >, ", numeric references). Useful for sanitizing user content or debugging escaped markup.
Last updated:
Paste text above to encode HTML entities (& < > " ') for safe display in markup, or paste encoded HTML to decode it back. Runs entirely in your browser.
What is HTML Encode/Decode?
HTML entity encoding replaces characters that have special meaning in HTML — like <, >, &, and quotes — with their entity equivalents (<, >, &, "). This lets you display code, angle brackets, or user-supplied text as literal characters instead of having the browser interpret them as tags. Decoding reverses the process, turning entities back into readable characters.
How to encode or decode HTML entities
- 1Choose Encode (text → entities) or Decode (entities → text).
- 2Paste your content into the input area.
- 3The tool converts the special characters instantly.
- 4Copy the result into your template, documentation, or debugging notes.
Use Cases
Display code snippets in HTML
Encode < and > so a code example shows literally instead of being parsed as tags by the browser.
Debug escaped markup
Decode a string full of < and & from a log or database to read the original HTML.
Prepare safe static content
Encode text before placing it into an HTML document to avoid accidental markup injection.
Code Examples
Raw text
<a href="x">Tom & Jerry</a>HTML-encoded
<a href="x">Tom & Jerry</a>Key Concepts
- Named vs numeric entities
- & is a named entity; & and & are decimal/hex numeric references for the same character. Numeric works for any code point.
- Context-sensitive escaping
- HTML text, attribute values, URLs, and JavaScript each require different escaping. Entity encoding covers HTML text/attributes, not JS or URL contexts.
- XSS
- Cross-site scripting happens when untrusted input is rendered as markup. Proper output encoding is a primary defense, but use a vetted library in production.
Tips & Best Practices
- ▸Encoding & < > " ' covers HTML text and attributes, but URLs and inline scripts need their own escaping.
- ▸For production user-generated content, rely on your templating engine's auto-escaping or DOMPurify — don't hand-roll it.
- ▸The ampersand must be encoded first (&) or you'll double-encode other entities.
- ▸Decoding untrusted HTML and inserting it into the DOM can reintroduce XSS — sanitize after decoding.
Frequently Asked Questions
Which characters get encoded?
By default: &, <, >, ", and '. Optionally, all non-ASCII characters can be encoded as numeric references (e.g. •) for maximum compatibility.
Is HTML encoding enough to prevent XSS?
For content inserted as text it is generally sufficient, but attribute values, URLs, and inline scripts have additional escaping rules. Use a well-tested templating library for user-generated content in production.
Related Tools
Base64
Encode and decode Base64 strings online. Supports UTF-8 text and URL-safe Base64. All processing runs locally in your browser.
Image → Base64
Convert images to Base64 data URLs online. Drop or select any image and copy the ready-to-paste data URI for CSS, HTML, or JSON.
JSON Formatter
Format, beautify, and validate JSON online. Free, fast, and 100% local — your data never leaves your browser.
JSON Validator
Validate JSON online with instant error location and structure statistics (depth, keys, node types). 100% local — your JSON never leaves the browser.
JSON → TypeScript
Convert JSON to TypeScript interfaces instantly. Generate strongly-typed TS types from any JSON sample.
JSON → Go
Convert JSON to Go structs online. Generates idiomatic Go structs with proper json tags and PascalCase field names.