Encoders & Decoders
HTML Entity Encoder
Escape or unescape HTML entities (&, <, >, etc.).
Frequently Asked Questions & Guide
How to use this HTML Entity Encoder / Decoder
- Choose Encode (escape HTML special characters) or Decode (convert entities back to characters).
- For encoding, choose between named entities (&amp;, &lt;) and hex entities (&#x26;, &#x3C;).
- Paste your text or HTML into the input box. Conversion is live.
- Copy the result with Copy, or swap input and output.
This tool escapes the five XML/HTML special characters — &, <, >, ", ' — using native browser string operations. The decoder reverses the encoding, recognizing both named entities (the official HTML5 named character reference list) and numeric entities (decimal and hex).
What are HTML Entities?
HTML entities are special sequences used to represent characters that would otherwise be interpreted as HTML markup. The most common examples are &amp; for ampersand (&), &lt; for less-than (<), and &gt; for greater-than (>). Without entity encoding, an ampersand in your text could be misinterpreted as the start of an entity, and a less-than sign could be misinterpreted as the start of a tag.
Entity encoding is critical in three contexts:
- Displaying HTML code on a web page — if you want to show users what a <div> tag looks like, you must encode it as &lt;div&gt; in your HTML source, otherwise the browser will render it as an actual div.
- Preventing XSS attacks — when inserting untrusted user input into HTML, you must escape <, >, &, ", and ' to prevent the user from injecting scripts. This is what templating engines like React JSX, Vue templates, and Django templates do automatically.
- Embedding text in XML attributes — XML uses the same five special characters and the same entity encoding rules as HTML.
Named or numeric entities — which should I use?
Named entities (&amp;) are more readable and are universally supported in HTML. Numeric entities — either decimal (&#38;) or hex (&#x26;) — work in both HTML and XML, and can represent any Unicode character even if no named entity exists. For the five core XML/HTML special characters, named entities are the convention. For arbitrary Unicode characters that don't have named entities (e.g. emoji, rare CJK), use hex entities.
Does this prevent XSS?
Escaping HTML special characters is a critical part of XSS prevention, but it is not sufficient on its own. You must escape in the correct context: HTML body escaping is different from attribute escaping, which is different from JavaScript-string escaping, which is different from URL escaping. For production applications, use a templating engine that auto-escapes (like React, Vue, or Twig) rather than escaping manually.
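What "escape in the correct context" looks like for three of those contexts, as an added example that is not this tool's code. The function names (escapeHtml, safeHref, jsLiteral, renderLink), the allowed scheme list, the placeholder base URL and the sample inputs are assumptions made for illustration.

```javascript
// Added example. Function names and the scheme allow-list are assumptions.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML body and quoted-attribute context: replace the five special characters
// in one pass, so the "&" of an entity just produced is never escaped again.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL attribute context (href, src): entity escaping leaves the scheme intact,
// so check the parsed scheme against an allow-list before escaping.
function safeHref(untrusted, fallback = "#") {
  let url;
  try {
    // Constructed base so relative links parse; it is never emitted.
    url = new URL(untrusted, "https://base.invalid/");
  } catch {
    return fallback;
  }
  if (!["http:", "https:", "mailto:"].includes(url.protocol)) return fallback;
  return escapeHtml(untrusted);
}

// Inline <script> context: emit a JSON string literal, then hex-escape the
// characters that could close the script element or open an HTML comment.
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/[<>&\u2028\u2029]/g,
      (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Each value is encoded for the place it lands in the markup.
function renderLink(url, label) {
  return `<a href="${safeHref(url)}">${escapeHtml(label)}</a>`;
}

// Constructed sample inputs.
console.log(renderLink("https://example.com/?a=1&b=2", 'Tom & "Jerry" <3'));
console.log(renderLink("javascript:void(0)", "blocked scheme"));
console.log(`<script>const q = ${jsLiteral("</script>")};</script>`);
```

The second call shows why entity escaping alone is not enough for a link target: escapeHtml returns that input unchanged, and only the scheme check replaces it with the fallback.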
Does it handle all HTML5 named entities?
The decoder recognizes the most common named entities (amp, lt, gt, quot, apos, nbsp, copy, reg, trade, and a few dozen others). The full HTML5 named entity list is over 2,000 entries long; for the long tail (mathematical symbols, rare currency signs, etc.) use the numeric form.
Is my data sent to a server?
No. Everything happens in your browser. Your input never leaves your device.