Encode reserved HTML characters for safe display or decode entity strings from CMS exports—instantly, with no server upload.
An HTML entity encoder converts characters with special meaning in HTML (&, <, >, quotes) into entity references like & and < so they render as text instead of markup—essential for XSS prevention.
HTML reserves certain characters for document structure. The ampersand (&) starts every entity; angle brackets (<, >) delimit tags; double and single quotes delimit attributes. When user-supplied or dynamic text is inserted into HTML without encoding, a string like <script>alert(1)</script> becomes executable markup—a cross-site scripting (XSS) vulnerability.
Entity encoding replaces each dangerous character with an escape sequence: & → &, < → <, > → >, " → ", ' → ' (or '). Browsers then display the literal characters instead of parsing them as tags. Named entities (©, ) and numeric entities (©, ©) extend this pattern to symbols and any Unicode code point.
Decoding reverses the process for maintenance, CMS exports, and debugging—turning <div> back into <div> for inspection. Encoding is the security-critical direction when outputting untrusted text into HTML templates, innerHTML-adjacent contexts, or email HTML.
Concise answers for common searches — definitions, steps, and comparisons.
In HTML text and attribute values, encode at minimum: ampersand (& → &), less-than (< → <), greater-than (> → >), double quote (" → "), and single quote (' → ' or ') in attributes delimited by single quotes. Encoding & first prevents double-expansion when other entities are present. This neutralizes <script> and event-handler injection when output is inserted into HTML—not into script, style, or URL contexts.
HTML entities (&, <, % not used) apply to HTML documents and email HTML so browsers do not interpret < and > as tags. URL percent-encoding (%26, %3C) applies to query strings, paths, and URI components per RFC 3986. Using < in a URL breaks parsing; using %3C in HTML text does not produce a visible < in the page body. Pick the encoder matching your output context.
Decimal numeric entities use &#N; where N is the Unicode code point (e.g. € for €). Hexadecimal form is &#xN; (e.g. € for €). Named entities like € are aliases for specific code points. Decoders map these to UTF-16/JavaScript strings; encoders in this tool emit decimal &#N; for characters without a predefined named mapping.
Encode mode maps a fixed set of reserved characters to named entities and falls back to decimal numeric entities (&#code;) for other non-ASCII code points. Decode mode replaces known named entities, then resolves &#decimal; and &#xhex; sequences via String.fromCharCode.
Formula
Encode: & → & · < → < · > → > · " → " · ' → ' · other code points > 127 → &#N;
Decode: replace named entities → parse &#(\d+); → parse &#x([0-9A-Fa-f]+);Select Encode to escape special characters for safe HTML output, or Decode to convert entity strings (e.g. <div>) back to plain text for editing or inspection.
Paste HTML snippets, template placeholders, CMS exports, or user comments. Enable Auto-convert to update the output field as you type, or press Ctrl+Enter to run once.
Click an example card (basic HTML, XSS sample, symbols) to load a demo. Use Common entities to insert frequently used characters without typing entity names.
Copy the output and paste into your template, test fixture, or documentation. For production sites, prefer framework auto-escaping (React JSX, template engines) in addition to manual encoding checks.
Input
<div class="card">Hello</div>Output
<div class="card">Hello</div>Tags are neutralized so the string displays as source code in HTML rather than rendering a div—standard when showing code samples or sanitizing user HTML.
Input
<script>alert("xss")</script>Output
<script>alert("xss")</script>Encoded output cannot execute as script when inserted into HTML text nodes. Pair encoding with Content-Security-Policy for defense in depth.
Input
© 2026 — Price: 10€Output
© 2026 — Price: 10€Decode mode restores human-readable text when you need to edit content that was stored entity-encoded in a database or export file.
Common real-world scenarios where this tool saves time.
Encode display names, post bodies, and bios before rendering in server templates or static HTML generators so injected tags cannot run in visitors' browsers.
Escape dynamic merge fields (names, promo codes) in HTML emails where template engines might not auto-escape every insertion point.
Show literal < and > in tutorials, API docs, and blog posts without the browser interpreting them as live HTML elements.
Decode entity-heavy exports from WordPress, Drupal, or legacy systems to inspect the underlying text before re-encoding for a migration.
Step-by-step chains that connect related tools for common tasks.
Developers often confuse HTML, URL, and JavaScript escaping—each targets a different parser.
| Context | Escape form | Example | Wrong tool |
|---|---|---|---|
| HTML text node | Entities | < → < | URL %3C |
| URL query value | Percent-encoding | & → %26 | & |
| JavaScript string | JS/JSON escape | " → \" | " in .js file |
| CSS content | CSS escape or Unicode | ' → \27 | ' in stylesheet |
| XML attribute | Entities (similar) | < → < | HTML-only rules in SVG/XML mixed docs |
Encode at the boundary where data enters each format—once per context, not all layers on the same string.
| Related tool | Use this tool when | Use related tool when |
|---|---|---|
| HTML Formatter | You need to escape or decode entity strings in plain text before or after formatting markup. | You have structured HTML to indent, minify, or validate—not just character-level entity transforms. |
| URL Encoder | Output is HTML or email body text requiring < and & style escapes. | You are building query strings, redirect URIs, or path segments needing %20 and %26 encoding. |
| String Escaper | Dangerous characters appear in HTML template output. | You need escapes for JSON, JavaScript, SQL, or regex string literals—not HTML display. |
Double-encoding turns & into &amp;. Decode once if unsure, then encode from plain text. In code, encode only at the output boundary, not on every save.
URLs need percent-encoding (%26, %3C), not & or <. Use the URL encoder for href and query parameters; use this tool for HTML document text.
Decode is for trusted maintenance. Never decode attacker-controlled entities and assign to innerHTML—that restores executable markup.
HTML entities do not protect JavaScript or CSS contexts. Use JSON.stringify for JS strings, CSS.escape for styles, and context-appropriate escaping per OWASP guidelines.
Likely cause: Malformed entities (missing semicolon) or double-encoded sequences
Fix: Ensure entities end with ;. If you see &lt;, decode once, then inspect whether a second encode pass is needed.
Likely cause: HTML escaping is the wrong context for JS source code
Fix: Use JSON.stringify or template-engine JS escaping. Reserve this tool for HTML body and attribute text destined for HTML parsers.
Likely cause: Numeric entity fallback for code points above 127
Fix: Expected behavior for generic encoders. UTF-8 HTML pages can often store Unicode directly when the charset is UTF-8; entities remain useful for reserved symbols and legacy ASCII-only pipelines.
Advertisement
An HTML entity is a character reference starting with & and ending with ; that represents a character—often one that is reserved in HTML syntax. Examples: & for &, < for <, " for ", and © or © for ©.
Unencoded <, >, &, and quotes let attackers inject tags and scripts (XSS). Encoding converts them to harmless text so browsers display the characters literally instead of parsing markup.
Named entities use readable names (<, ©). Numeric entities use decimal (<) or hexadecimal (<) code points—required for characters without a named alias. Both decode to the same Unicode character.
No. Encoding and decoding run locally in JavaScript in your browser. Your HTML, templates, and user data never leave your device.
Yes. Switch to Decode mode and paste entity strings such as <p>Hello& World</p>. The tool resolves named and numeric entities (&#…; and &#x…;) back to Unicode text.
At minimum: & → &, < → <, > → >, " → ", and often ' → ' in attribute values. Additional symbols (©, €, non-breaking space) use named or numeric entities when needed for display.
Yes—completely free with no signup, no usage limits, and no server upload. It runs entirely in your browser.
All HTML entity encoding and decoding runs locally in your browser using JavaScript string operations. No text is uploaded, logged, or stored on any server.
Named entity mappings follow common HTML5 references; numeric encode/decode uses standard decimal and hex entity patterns. Output matches typical manual escaping for documentation and quick checks—not a certified HTML sanitizer.
For production user-generated HTML, combine encoding with framework auto-escaping and a vetted sanitizer library. This tool is for developers and content authors, not legal or security certification.
More free tools for the same workflow.
Free HTML formatter—beautify minified markup with 2 or 4 space indent, minify for production. Runs locally in your browser; no upload or signup.
Free regex tester — highlight matches, capture groups, flags, and replace preview. JavaScript RegExp in your browser; patterns and text stay on your device, nothing uploaded.
Free URL encoder decoder for query values and full URLs—encodeURIComponent & encodeURI. Percent-encode or decode instantly in your browser; never uploaded.
Advertisement
Reviewed by EverydayTools Editorial Team on 2026-05-21.
Default: OWASP reserved chars only · Decode uses 1,511 HTML5 entities · Local processing, no upload
Drop file · Ctrl+Shift+C copy out · Ctrl+Shift+S swap
See how this tool aligns with common escaping expectations (same input, different presets).
<div>Hello & "World"</div>
<div>Hello & "World"</div>
<div>Hello & "World"</div>
1,511 named mappings from the WHATWG HTML spec (decode uses full table). Showing first 80 — search to find more.
| Char | Named | Decimal | Hex |
|---|---|---|---|
| | ⁡ | ⁡ | ⁡ |
| | ⁣ | ⁣ | ⁣ |
| | ⁢ | ⁢ | ⁢ |
| | ​ | ​ | ​ |
| | ⁠ | ⁠ | ⁠ |
| | ‎ | ‎ | ‎ |
| | ‏ | ‏ | ‏ |
| | ­ | ­ | ­ |
| | ‍ | ‍ | ‍ |
| | ‌ | ‌ | ‌ |
| ̑ | ̑ | ̑ | ̑ |
| ⃛ | ⃛ | ⃛ | ⃛ |
| ⃜ | ⃜ | ⃜ | ⃜ |
| \t | 	 | 	 | 	 |
| \n | 
 | | 
 |
|   |   |   | |
|   |   |   | |
|   |   |   | |
|   |   |   | |
|   |   |   | |
|   |   |   | |
|   |   |   | |
|   |   |   | |
| |   |   | |
|   |   |   | |
|    |   |   | |
| ‾ | ‾ | ‾ | ‾ |
| _ | _ | _ | _ |
| ‐ | ‐ | ‐ | ‐ |
| – | – | – | – |
| — | — | — | — |
| ― | ― | ― | ― |
| , | , | , | , |
| ; | ; | ; | ; |
| ⁏ | ⁏ | ⁏ | ⁏ |
| : | : | : | : |
| ⩴ | ⩴ | ⩴ | ⩴ |
| ! | ! | ! | ! |
| ¡ | ¡ | ¡ | ¡ |
| ? | ? | ? | ? |
| ¿ | ¿ | ¿ | ¿ |
| . | . | . | . |
| ‥ | ‥ | ‥ | ‥ |
| … | … | … | … |
| · | · | · | · |
| ' | ' | ' | ' |
| ‘ | ‘ | ‘ | ‘ |
| ’ | ’ | ’ | ’ |
| ‚ | ‚ | ‚ | ‚ |
| ‹ | ‹ | ‹ | ‹ |
| › | › | › | › |
| " | " | " | " |
| “ | “ | “ | “ |
| ” | ” | ” | ” |
| „ | „ | „ | „ |
| « | « | « | « |
| » | » | » | » |
| ( | ( | ( | ( |
| ) | ) | ) | ) |
| [ | [ | [ | [ |
| ] | ] | ] | ] |
| { | { | { | { |
| } | } | } | } |
| ⌈ | ⌈ | ⌈ | ⌈ |
| ⌉ | ⌉ | ⌉ | ⌉ |
| ⌊ | ⌊ | ⌊ | ⌊ |
| ⌋ | ⌋ | ⌋ | ⌋ |
| ⦅ | ⦅ | ⦅ | ⦅ |
| ⦆ | ⦆ | ⦆ | ⦆ |
| ⦋ | ⦋ | ⦋ | ⦋ |
| ⦌ | ⦌ | ⦌ | ⦌ |
| ⦍ | ⦍ | ⦍ | ⦍ |
| ⦎ | ⦎ | ⦎ | ⦎ |
| ⦏ | ⦏ | ⦏ | ⦏ |
| ⦐ | ⦐ | ⦐ | ⦐ |
| ⦑ | ⦑ | ⦑ | ⦑ |
| ⦒ | ⦒ | ⦒ | ⦒ |
| ⦓ | ⦓ | ⦓ | ⦓ |
| ⦔ | ⦔ | ⦔ | ⦔ |
| ⦕ | ⦕ | ⦕ | ⦕ |
Output
<div>Hello & "World"</div>