HTML Entity Encoder / Decoder
Convert special characters to HTML entities (& → &amp;) and decode them back — for safe, valid HTML.
Last updated: March 25, 2026
What is HTML Entity Encoder / Decoder?
HTML entity encoding converts characters that have special meaning in HTML into safe escape sequences that browsers display as literal characters without parsing them as markup. The most critical characters are < (less-than, starts HTML tags), > (greater-than, ends tags), & (ampersand, starts entities), and " (double-quote, delimits attribute values). Without encoding, these characters break HTML structure and can create serious security vulnerabilities.
HTML entity encoding is the primary defense against Cross-Site Scripting (XSS) — the most common web security vulnerability. When user-submitted content is displayed in a web page, any < in the input could be the start of a <script> tag injected by an attacker. Encoding it to &lt; ensures the browser displays a literal < character rather than treating it as markup. This tool encodes any text to safe HTML entities and also decodes entities back to readable text.
How to Use HTML Entity Encoder / Decoder
Paste the text you want to encode (or HTML with entities you want to decode) into the input
Click "Encode" to convert special characters to HTML entities
Or click "Decode" to convert HTML entities back to their original characters
Choose an encoding mode: Named (&amp;, &lt;) or Numeric (&#38;, &#60;) — named is more readable
Copy the encoded/decoded result with the Copy button
Common Use Cases
- Safely displaying user-submitted text content in HTML pages (XSS prevention)
- Encoding code snippets containing < and > for display in HTML articles or documentation
- Preparing text content containing & and " for safe injection into HTML attributes
- Decoding HTML-encoded content from third-party APIs or CMS systems
- Encoding text before embedding in HTML email templates
- Preparing SQL or JSON data containing special characters for output in HTML
- Fixing HTML pages with "broken" & characters that should be &amp;
- Encoding mathematical symbols (≤ ≥ ≠ ÷ × √) for cross-browser HTML display
Example Input and Output
Encoding user-submitted content that contains HTML special characters:
Input:
<script>alert('XSS')</script>
Tom & Jerry's "Favorite" Café
Price: $10 < $20 & discount > 5%
Output (encoded):
&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
Tom &amp; Jerry&#39;s &quot;Favorite&quot; Café
Price: $10 &lt; $20 &amp; discount &gt; 5%
Privacy First
All encoding and decoding runs locally in your browser. Your text — which may contain sensitive content, code, or user data — is never transmitted to our servers.
Security Context Matters
HTML entity encoding is sufficient when inserting content into HTML text context (<p>content here</p>). For other contexts, different encoding is needed: URL encoding for URL parameters, JavaScript encoding for JS strings, and CSS encoding for style values. Using HTML encoding in a JavaScript context (e.g., inside a <script> tag) does not prevent XSS.
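The context rule above, shown as an added example (this is not the tool's own code): one escaper per output context, plus a small page renderer, `renderSearchPage`, that is constructed here to show which escaper belongs in each slot. The escaper names and the page layout are assumptions made for the illustration.

```javascript
// Added example, not the tool's own code: one escaper per output context,
// and a constructed page renderer that picks the right one for each slot.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text and quoted-attribute context: <p>VALUE</p>, <input value="VALUE">
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript string-literal context: <script>var x = VALUE;</script>
// JSON.stringify yields a valid JS string literal (quotes, backslashes and
// control characters escaped). The HTML parser does not decode entities
// inside <script>, so an HTML-encoded &lt; would reach JavaScript as the
// literal text "&lt;". Instead, < > & and the line terminators U+2028/U+2029
// become \uXXXX escapes, which keeps a value such as "</script>" from
// ending the script block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query-parameter context: /search?q=VALUE
function urlParam(value) {
  return encodeURIComponent(String(value));
}

// Each slot gets the encoder for the context it lands in. The href slot is
// layered: URL-encode for the URL parser, then HTML-encode because the
// attribute value is read by the HTML parser first.
function renderSearchPage(term) {
  return [
    '<p>Results for ' + escapeHtml(term) + '</p>',
    '<a href="/search?q=' + escapeHtml(urlParam(term)) + '">permalink</a>',
    '<script>var lastSearch = ' + jsStringLiteral(term) + ';</script>',
  ].join('\n');
}

// Constructed input that exercises every special character at once.
console.log(renderSearchPage('Tom & Jerry\'s "<b>Favorite</b>" Café'));
```

The renderer is the point: the same user-supplied term appears three times and is encoded three different ways, and the href slot shows the layering order (URL encoding applied first, HTML encoding applied last) that a value inside an attribute needs.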
Framework Auto-Escaping
If you're building with React, Vue, or Angular — template variables are automatically encoded. Only decode or bypass encoding when you intentionally need to render HTML markup from trusted, sanitized sources. Never pass raw user input to dangerouslySetInnerHTML or innerHTML without running it through a sanitizer like DOMPurify first.
Frequently Asked Questions
Why is HTML entity encoding important for security?
What is the difference between named and numeric HTML entities?
When should I use &nbsp; (non-breaking space)?
Do I need to encode all characters, or just the dangerous ones?
Does React / Vue / Angular automatically handle HTML encoding?
What is the difference between HTML encoding and URL encoding?
How This Tool Works
For encoding, each character in the input string is checked against a character-to-entity map. Characters with special meaning in HTML (< > & " ' and optionally all non-ASCII characters) are replaced with their named or numeric entity equivalent. For decoding, an off-screen div element is created in the browser's hidden DOM, the HTML entity string is set as its innerHTML, and then .textContent is read — the browser itself performs the entity decoding, ensuring 100% accuracy for all named, decimal numeric, and hex numeric entities.
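The encode step described above, as an added example rather than the tool's own code: an encoder with a named and a numeric mode and an optional non-ASCII setting, and a pure-JavaScript decoder that accepts named, decimal and hex entities so it can run outside a browser. The named-entity table is a constructed subset, not the full HTML5 list, and the function names are assumptions.

```javascript
// Added example, not the tool's own code. NAMED_ENTITIES is a constructed
// subset of the HTML named-entity list; a real encoder would ship the full table.
const NAMED_ENTITIES = {
  '&': 'amp', '<': 'lt', '>': 'gt', '"': 'quot',
  '\u00a0': 'nbsp', '\u00e9': 'eacute', '\u2264': 'le', '\u2265': 'ge', '\u2260': 'ne',
};

// Characters the encoder always replaces: they carry meaning for the HTML parser.
const ALWAYS_ENCODE = /[&<>"']/;

function encodeChar(ch, mode) {
  const name = NAMED_ENTITIES[ch];
  if (mode === 'named' && name) return '&' + name + ';';
  // Numeric mode, or a character with no named form (e.g. the apostrophe): decimal.
  return '&#' + ch.codePointAt(0) + ';';
}

// mode: 'named' | 'numeric'; encodeNonAscii: also replace every code point above 0x7F.
function encodeHtml(input, { mode = 'named', encodeNonAscii = false } = {}) {
  let out = '';
  for (const ch of input) {                 // for..of walks code points, so emoji stay whole
    const cp = ch.codePointAt(0);
    if (ALWAYS_ENCODE.test(ch) || (encodeNonAscii && cp > 0x7f)) out += encodeChar(ch, mode);
    else out += ch;
  }
  return out;
}

// Reverse table for decoding; &apos; is accepted even though the encoder emits &#39;.
const NAME_TO_CHAR = Object.fromEntries(
  Object.entries(NAMED_ENTITIES).map(([ch, name]) => [name, ch]));
NAME_TO_CHAR.apos = "'";

// Decodes &name;, &#NNN; and &#xHHH; without touching the DOM.
function decodeHtml(input) {
  return input.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      // NUL, surrogates and code points above U+10FFFF are parse errors in HTML;
      // the spec substitutes U+FFFD, so do the same instead of throwing.
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\ufffd';
      return String.fromCodePoint(cp);
    }
    const ch = NAME_TO_CHAR[body];
    return ch === undefined ? match : ch;   // unknown names are left as written
  });
}

// Constructed sample input.
const sample = 'Tom & Jerry\'s "Favorite" Café ≤ 😀';
console.log(encodeHtml(sample));
console.log(encodeHtml(sample, { mode: 'numeric', encodeNonAscii: true }));
console.log(decodeHtml(encodeHtml(sample, { mode: 'numeric', encodeNonAscii: true })));
```

On the DOM-based decode the page describes: assigning untrusted markup to the `innerHTML` of a `div`, even one that is never attached to the page, still makes the browser parse it as HTML, create the elements it describes and load resources they reference. If decoding must be delegated to the browser, a `textarea` is the safer element, because its content is parsed as text (entities decoded, tags not interpreted) and its decoded value is read from `.value`; `DOMParser` is the other standard option. A pure decoder like the one above avoids the question entirely.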
Technical Stack