DevKits

HTML Entity Encoder & Decoder

Encode and decode HTML entities (&, <, >, ", numeric references). Useful for sanitizing user content or debugging escaped markup.

Last updated:

41 chars

Paste text above to encode HTML entities (& < > " ') for safe display in markup, or paste encoded HTML to decode it back. Runs entirely in your browser.

What is HTML Encode/Decode?

HTML entity encoding replaces characters that have special meaning in HTML — like <, >, &, and quotes — with their entity equivalents (&lt;, &gt;, &amp;, &quot;). This lets you display code, angle brackets, or user-supplied text as literal characters instead of having the browser interpret them as tags. Decoding reverses the process, turning entities back into readable characters.

How to encode or decode HTML entities

  1. 1Choose Encode (text → entities) or Decode (entities → text).
  2. 2Paste your content into the input area.
  3. 3The tool converts the special characters instantly.
  4. 4Copy the result into your template, documentation, or debugging notes.

Use Cases

Display code snippets in HTML

Encode < and > so a code example shows literally instead of being parsed as tags by the browser.

Debug escaped markup

Decode a string full of &lt; and &amp; from a log or database to read the original HTML.

Prepare safe static content

Encode text before placing it into an HTML document to avoid accidental markup injection.

Code Examples

Raw text

<a href="x">Tom & Jerry</a>

HTML-encoded

&lt;a href=&quot;x&quot;&gt;Tom &amp; Jerry&lt;/a&gt;

Key Concepts

Named vs numeric entities
&amp; is a named entity; &#38; and &#x26; are decimal/hex numeric references for the same character. Numeric works for any code point.
Context-sensitive escaping
HTML text, attribute values, URLs, and JavaScript each require different escaping. Entity encoding covers HTML text/attributes, not JS or URL contexts.
XSS
Cross-site scripting happens when untrusted input is rendered as markup. Proper output encoding is a primary defense, but use a vetted library in production.

Tips & Best Practices

  • Encoding & < > " ' covers HTML text and attributes, but URLs and inline scripts need their own escaping.
  • For production user-generated content, rely on your templating engine's auto-escaping or DOMPurify — don't hand-roll it.
  • The ampersand must be encoded first (&amp;) or you'll double-encode other entities.
  • Decoding untrusted HTML and inserting it into the DOM can reintroduce XSS — sanitize after decoding.

Frequently Asked Questions

Which characters get encoded?

By default: &, <, >, ", and '. Optionally, all non-ASCII characters can be encoded as numeric references (e.g. &#8226;) for maximum compatibility.

Is HTML encoding enough to prevent XSS?

For content inserted as text it is generally sufficient, but attribute values, URLs, and inline scripts have additional escaping rules. Use a well-tested templating library for user-generated content in production.

Related Tools