HTML Entity Encoder / Decoder

Encode special HTML characters into entities or decode entities back to text.

What is HTML Entity Encoder / Decoder?

HTML Entity Encoder / Decoder converts special characters to their HTML entity equivalents (e.g. < → &lt;) and decodes them back. Encoding user-supplied content this way before rendering it in HTML helps prevent XSS (cross-site scripting) vulnerabilities.

How to use

  1. Paste your text into the input box.
  2. Click Encode to convert special HTML characters to entities.
  3. Click Decode to convert HTML entities back to characters.
  4. Copy the result with the Copy button.

Common HTML entities

  • &amp; → &
  • &lt; → <
  • &gt; → >
  • &quot; → "
  • &apos; → '
  • &nbsp; → non-breaking space

FAQ

Why do I need to encode HTML entities?
Characters like <, >, and & have special meaning in HTML. If user input containing these characters is inserted into HTML without encoding, a browser may execute it as code — a cross-site scripting (XSS) attack.
Should I encode all characters?
Generally you only need to encode the five critical characters: &, <, >, ", and '. Over-encoding regular text can make it harder to read in source code.
What is the difference between named and numeric entities?
Named entities like &amp; use a descriptive name. Numeric entities like &#38; (decimal) or &#x26; (hex) use the Unicode code point. Both represent the same character.

Overview

Encode special characters into HTML entities and decode entities back to plain text. Essential for safely displaying code snippets, user input, and markup examples in web pages.

How to use

  1. Paste text containing special characters or HTML entities.
  2. Click Encode to convert characters like < > & into entities, or Decode for the reverse.
  3. Copy the converted result.

Examples
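
An added example (not this tool's own code) of the two operations described in the FAQ above: encoding the five critical characters, and decoding named, decimal and hex entities. The function names, the small named-entity table and the sample string are assumptions made for illustration.

```javascript
// Added example, not the tool's implementation. encodeHtml, decodeHtml,
// ENCODE and NAMED are hypothetical names chosen for this illustration.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
// Only the entities listed on this page are decoded by name.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

// Encode the five critical characters in one regex pass, so an '&' that is
// produced by the encoding itself is never encoded a second time.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

// Decode named, decimal (&#38;) and hex (&#x26;) entities in a single pass.
// A single pass matters: "&amp;lt;" must decode to the text "&lt;", not to "<".
function decodeHtml(text) {
  const pattern = /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z]+));/g;
  return String(text).replace(pattern, (match, dec, hex, name) => {
    if (name !== undefined) {
      // Unknown names are left as written rather than guessed at.
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
    }
    const cp = dec !== undefined ? parseInt(dec, 10) : parseInt(hex, 16);
    // Leave invalid code points (NUL, surrogates, beyond U+10FFFF) untouched.
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
    return String.fromCodePoint(cp);
  });
}

// Constructed sample input containing all five critical characters.
const sample = `<b>Tom & "Jerry's"</b>`;
const encoded = encodeHtml(sample);

console.log(encoded);
console.log(decodeHtml(encoded) === sample);
console.log(decodeHtml('&amp; &#38; &#x26;'));
```

The encoder covers text placed in HTML element content and quoted attribute values; other output contexts need their own encoding.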

Notes

FAQ

Why encode HTML entities?
Characters like <, >, and & have special meaning in HTML. Encoding them makes browsers display them as text instead of interpreting them as markup.
Does this prevent XSS by itself?
Encoding output is one important layer. Combine it with proper templating, validation, and a Content Security Policy.
Is my text uploaded?
No. Encoding and decoding run entirely in your browser.
