HTML Entity Encoder / Decoder


HTML entity encoder and decoder — paste text to escape special characters (&, <, >, ", ') into HTML entities so they display safely, or decode entities back into plain text. Optional numeric encoding for all non-ASCII. Runs entirely in your browser.


How to Use the HTML Entity Tool

Pick a mode

Encode text to entities, or decode entities to text.

Paste your input

Type or paste into the input box.

Choose entity style

Named where possible, or numeric for everything.

Copy the output

Grab the converted text instantly.


Why HTML Needs Entities

HTML reserves a handful of characters for its own syntax, and the moment your text contains one of them, the browser faces an ambiguity: is that less-than sign the start of a tag, or just a mathematical symbol you wanted to display? HTML entities resolve that ambiguity by giving you safe codes that stand in for the literal characters. This tool converts text to those entities and back again: encode mode escapes special characters so they display as written, and decode mode turns entity codes back into readable text.

Five characters do the heavy lifting. The ampersand (&) must be escaped because it begins every entity; the angle brackets (< and >) because they delimit tags; and the quotes (" and ') because they delimit attribute values. Escape those correctly and arbitrary text can sit safely inside an HTML page without breaking the markup or, more importantly, without being executed. That last point is the security one: encoding output is a cornerstone of defending against cross-site scripting, the class of attack where malicious markup smuggled into a page runs in a victim’s browser. Whenever you render untrusted input — a comment, a form field, data from an API — entity-encoding it for the HTML context is what stops a string like a script tag from becoming an actual script.

The tool offers two encoding styles. Named entities, such as &amp; and &copy;, are human-readable but limited to a fixed vocabulary. Numeric entities use the character’s code point, in decimal (&#38;) or hexadecimal (&#x26;), and can represent absolutely any character, which makes the numeric option the most portable — switch it on and every non-ASCII character, including emoji and accented letters, becomes a universal &#...; code. Decoding handles all three forms automatically. One honest caveat worth stating: HTML-context entity encoding is essential but not, by itself, a complete defence. The right encoding depends on where data lands — HTML body, attribute, JavaScript, URL or CSS each demand a different treatment — so a production application should lean on a framework’s context-aware escaping and a content security policy as well. For escaping snippets, displaying code, cleaning up pasted content or decoding an entity-laden string, this tool does the job entirely in your browser, so nothing you paste ever leaves your device.
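The two encoding styles and the three decode forms described above, as an added example that is not this tool's own source. The function names are hypothetical, `&#39;` for the single quote is an assumption, and the named table is a small sample of the full HTML vocabulary.

```javascript
// Added example, not the tool's own source. Function names are hypothetical.
const FIVE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Small sample of the named vocabulary; a real decoder carries the full HTML table.
const NAMES = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'],
  ['apos', "'"], ['copy', '\u00A9'], ['nbsp', '\u00A0']]);

function encodeEntities(text, { numeric = false } = {}) {
  // The "u" flag matches whole code points, so an emoji becomes one entity
  // rather than two surrogate halves.
  return text.replace(/[&<>"']|[^\x00-\x7F]/gu, (ch) => {
    if (FIVE[ch]) return FIVE[ch];
    return numeric ? `&#${ch.codePointAt(0)};` : ch;
  });
}

function decodeEntities(text) {
  // One pass over the input: every entity is decoded exactly once, so
  // "&amp;lt;" comes back as the text "&lt;" and never as "<".
  return text.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (whole, hex, dec, name) => {
    if (name) return NAMES.has(name) ? NAMES.get(name) : whole; // unknown name: leave as typed
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    const valid = cp > 0 && cp <= 0x10FFFF && !(cp >= 0xD800 && cp <= 0xDFFF);
    // Out-of-range values and lone surrogates become U+FFFD instead of throwing.
    return valid ? String.fromCodePoint(cp) : '\uFFFD';
  });
}
```

Decoding in a loop until nothing changes would turn text that was deliberately double-encoded for display back into live markup, which is why the decoder makes a single pass.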

Encoding output is the cornerstone of XSS defence — but the right encoding depends on context, so pair it with framework escaping and CSP.

10 Facts About HTML Entities

01. Five characters must be escaped in HTML: & < > " '.
02. Entities prevent text from being read as markup.
03. &amp; displays a literal ampersand.
04. Numeric entities like &#169; work without names.
05. Escaping output is a core defence against XSS.
06. Named entities are easier to read; numeric are universal.
07. Hex entities use &#x...;.
08. &nbsp; is a non-breaking space.
09. Always escape user input before rendering it.
10. This tool runs in your browser — nothing is uploaded.

Frequently Asked Questions

  • HTML entities are special codes that represent characters which would otherwise be interpreted as markup or cannot be typed directly. For example, the less-than sign becomes &lt; and the ampersand becomes &amp;. They let you display those characters as literal text rather than having the browser treat them as part of the HTML.
  • The five core characters are the ampersand (&), less-than (<), greater-than (>), double quote (") and single quote ('). The ampersand and angle brackets are essential because they start markup and entities; the quotes matter inside attribute values. This tool always escapes those five in named mode.
  • Whenever you place untrusted or arbitrary text into an HTML page — user comments, form input, data from an API. Encoding it prevents the text from being parsed as markup, which is the foundation of preventing cross-site scripting (XSS). It is also handy when you want to display code examples that contain HTML on a page.
  • Named entities use readable words (&amp;, &copy;, &nbsp;) and are easy to recognise, but only a fixed set of names exists. Numeric entities use the character’s code point (&#38; or hex &#x26;) and can represent any character at all. This tool offers a numeric mode that encodes every non-ASCII character, which is the most portable option.
  • Decoding reverses the process: it converts entities back into the characters they represent, handling named entities like &amp; and &lt;, decimal numeric entities like &#169;, and hexadecimal entities like &#x2764;. Paste entity-laden text, switch to decode mode, and you get the original readable text back.
  • Context-appropriate output encoding is a central defence, but it is not a complete XSS solution on its own. The correct encoding depends on where the data is placed — HTML body, attribute, JavaScript, URL or CSS each need different handling. This tool covers HTML-context entity encoding; a full application should use a framework’s context-aware escaping and a content security policy too.
  • In numeric mode, yes — any character above the basic ASCII range is converted to a numeric entity, so emoji, accented letters and symbols all become portable &#...; codes. In named mode it only escapes the five core HTML characters and leaves the rest as-is, which is fine for UTF-8 pages.
  • No. &nbsp; is a non-breaking space: it looks like a space but prevents a line break at that point and is not collapsed with adjacent whitespace. The decoder recognises it and converts it back to a space, but be aware it behaves differently from an ordinary space in layout.
  • No. All encoding and decoding happens in JavaScript in your browser. Nothing you paste is transmitted, logged or stored, so the tool is safe to use with private code, content or data.
  • Completely free, with no account or limit. It works offline once the page has loaded and collects no data.
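The point made in the answers above, that each output context needs its own handling, shown for three of those contexts. This is an added example, not code from this tool; the helper names, the scheme allowlist and the `https://example.invalid/` base are assumptions.

```javascript
// Added example: one escaping helper per output context (hypothetical names).
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML body text and quoted attribute values: entity-encode the five core characters.
function forHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESC[ch]);
}

// URL attributes (href, src): entity encoding leaves the URL scheme untouched,
// so parse the URL, check its scheme against an allowlist, then entity-encode
// the normalised form for the attribute. Relative URLs resolve against `base`.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // assumed policy
function forHref(value, base = 'https://example.invalid/') {
  let url;
  try {
    url = new URL(String(value).trim(), base);
  } catch {
    return '#'; // unparseable input gets an inert link
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? forHtml(url.href) : '#';
}

// Data placed inside an inline <script>: entities are not decoded there, so
// entity encoding would corrupt the data. Serialise as JSON, then escape the
// characters that could close the script block or break older JS parsers.
function forScriptJson(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}
```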
