๐Ÿ›ก๏ธ HTML Entity Encoder / Decoder

Escape HTML special characters to entities or decode entities to characters.


How to Use This Tool

Select Encode mode to convert raw HTML characters to safe entities, or Decode to convert entities back to characters. The encode option for quotes is useful when the output will go inside an HTML attribute value.

1. Choose Encode to escape characters, or Decode to convert &amp;, &lt;, and similar entities back to characters.

2. Toggle "Encode quotes" on if the output will be placed inside an HTML attribute value.

3. Paste your HTML or encoded text into the input box and review the output.

4. Copy the result, or click any entity in the reference grid to copy it to your clipboard.

HTML Encoding and XSS: Why Every Input Must Be Escaped

Cross-Site Scripting (XSS) is consistently listed among the OWASP Top 10 most critical web vulnerabilities, and the fix is almost always proper HTML encoding of output. When you take user input and insert it directly into an HTML page without escaping, an attacker can submit <script>document.cookie</script> and that string executes as JavaScript in every viewer's browser. Encoding it to &lt;script&gt;document.cookie&lt;/script&gt; makes the browser render it as visible text rather than executable code.

The five characters you must always encode in an HTML context are: < becomes &lt;, > becomes &gt;, & becomes &amp;, " becomes &quot;, and ' becomes &apos;. Inside attribute values, quotes are especially important because an unencoded quote can break out of the attribute and inject additional attributes or event handlers.

The decode direction is useful when you receive escaped HTML from an API or CMS and need to read or process the actual content rather than the entity strings. The entity reference grid at the bottom of the tool covers the symbols you reach for most often: currency symbols, arrows, fractions, and math operators.
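As an added example (this is not the tool's own code), the JavaScript below applies the five-character rule from this section, with an option that mirrors the tool's "Encode quotes" toggle, and uses it to render the <script> payload above as inert text. It spells the apostrophe as &#39; rather than &apos;, because &apos; was not defined in HTML 4 and some older parsers ignore it; both decode to ' in HTML5. The renderComment function and its sample inputs are constructed for illustration.

```javascript
// Added example (not part of the tool page): context-aware HTML encoder
// that neutralises the <script> payload discussed in the text above.

// Entity map for the five characters that must always be encoded in HTML.
// &#39; is used for the apostrophe instead of &apos; because &apos; is an
// XML/HTML5 entity that pre-HTML5 parsers do not recognise.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a string for an HTML text node. With encodeQuotes on (the tool's
// "Encode quotes" toggle) the result is also safe inside a quoted attribute.
function htmlEncode(input, { encodeQuotes = true } = {}) {
  const pattern = encodeQuotes ? /[&<>"']/g : /[&<>]/g;
  return String(input).replace(pattern, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical view function: build a comment card from untrusted data.
// Each value is encoded for the exact position it lands in, attribute value
// or element content, so an attacker-controlled quote cannot close the
// attribute and a < cannot open a tag.
function renderComment(author, body) {
  return `<div class="comment" data-author="${htmlEncode(author)}">` +
         `<p>${htmlEncode(body, { encodeQuotes: false })}</p></div>`;
}

// Constructed sample inputs: the script payload from the text above, and an
// attribute break-out attempt of the kind the text describes.
const sampleBody = '<script>document.cookie</script>';
const sampleAuthor = '" onmouseover="x';

function demo() {
  return renderComment(sampleAuthor, sampleBody);
}

// The emitted markup contains no unescaped < or " originating from the
// inputs, so the browser displays them as literal text.
console.log(demo());
```

Note that htmlEncode is not idempotent: feeding it already-encoded text turns &lt; into &amp;lt;, which is exactly how the double-encoded CMS content mentioned under "Common Use Cases" arises. Encode once, at the point where the value is written into HTML, and keep the stored copy raw.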

Common Use Cases

Sanitizing user input: Escape form submissions before inserting them into HTML to prevent XSS attacks
Displaying code samples: Encode <pre> or <code> content so angle brackets render as text
Email template encoding: Encode special characters in HTML email bodies for consistent rendering
CMS content processing: Decode double-encoded entities from WordPress or Drupal before editing

Frequently Asked Questions

What are HTML entities?

HTML entities are text strings that stand in for characters that would otherwise be interpreted as HTML syntax, or that are hard to type directly. They start with & and end with ;. For example, &amp; represents &, and &lt; represents <.

Why encode HTML?

To prevent XSS (Cross-Site Scripting) attacks, and to display literal <, > and & characters without them being interpreted as HTML tags or syntax.

What is the difference between named and numeric entities?

Named: &lt; (human-readable). Numeric decimal: &#60;. Numeric hex: &#x3C;. All three represent the same character, <.
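As an added example (not the tool's own code), here is a JavaScript decoder that accepts all three spellings from the answer above, plus a repeated-decoding helper for the double-encoded CMS content mentioned under "Common Use Cases". The named-entity table is a small constructed subset; a complete HTML5 decoder carries over two thousand names.

```javascript
// Added example (not part of the tool page): decode &name; , &#decimal; and
// &#xhex; references, leaving anything it does not recognise untouched.

// Named references known to this decoder (a constructed subset). Names are
// case-sensitive, as in the HTML specification.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  nbsp: '\u00A0', copy: '\u00A9', euro: '\u20AC', rarr: '\u2192',
};

// One regex covers all three spellings: &#x3C; (hex), &#60; (decimal), &lt; (named).
const ENTITY_RE = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g;

// Numeric references outside the Unicode range, or pointing at a surrogate
// or U+0000, are invalid; the HTML parser substitutes U+FFFD, as does this.
function fromCodePointSafe(cp) {
  if (cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return '\uFFFD';
  return String.fromCodePoint(cp);
}

// Single decoding pass: each reference is replaced exactly once, and an
// unknown name such as &bogus; is passed through rather than guessed.
function htmlDecode(input) {
  return String(input).replace(ENTITY_RE, (match, hex, dec, name) => {
    if (hex !== undefined) return fromCodePointSafe(parseInt(hex, 16));
    if (dec !== undefined) return fromCodePointSafe(parseInt(dec, 10));
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : match;
  });
}

// Repeated decoding for content that was encoded more than once. The pass
// limit keeps pathological input from looping indefinitely.
function htmlDecodeRepeated(input, maxPasses = 5) {
  let current = String(input);
  for (let i = 0; i < maxPasses; i++) {
    const next = htmlDecode(current);
    if (next === current) return current; // stable: nothing left to decode
    current = next;
  }
  return current;
}

// Constructed sample: the same character in all three spellings, plus a
// double-encoded fragment as a CMS might store it.
console.log(htmlDecode('&lt; &#60; &#x3C;'));
console.log(htmlDecodeRepeated('&amp;amp;lt;'));
```

Keep the single-pass and repeated variants separate: decoding repeatedly is right for repairing double-encoded stored content, but wrong for untrusted input that is about to be rendered, because a value that decodes to a second entity in a later pass will also be decoded by the browser.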

Should I encode all characters?

At minimum, encode <, >, &, ", and ' in HTML contexts. In attribute values, also encode spaces and control characters.

Are HTML entities and URL encoding the same?

No. HTML entities use & notation for HTML content. URL encoding uses %XX notation for URLs. They serve different contexts.
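As an added example (not the tool's own code), the JavaScript below runs the same untrusted value through URL encoding and HTML encoding side by side, and then builds a link that needs both layers: the value is URL-encoded to become a query parameter, and the finished URL is HTML-encoded to sit inside an href attribute. The searchLink function and the sample inputs are constructed for illustration.

```javascript
// Added example (not part of the tool page): URL encoding and HTML encoding
// protect different contexts, and a link built from user input needs both.

// Minimal HTML encoder for text nodes and double-quoted attribute values.
function htmlEncode(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Side by side: which characters each scheme touches. encodeURIComponent
// leaves ' ( ) ! * ~ alone, so URL encoding by itself does not make a value
// safe inside an HTML attribute; HTML encoding leaves space, %, # and ?
// alone, so it does not make a value safe inside a URL.
function compareEncodings(input) {
  return { url: encodeURIComponent(input), html: htmlEncode(input) };
}

// Hypothetical link builder, applied inside out:
//   1. encodeURIComponent turns the term into a safe query-string value.
//   2. htmlEncode protects the finished URL inside href="..." and the term
//      shown as link text, each in its own HTML context.
function searchLink(term) {
  const url = '/search?q=' + encodeURIComponent(term);
  return '<a href="' + htmlEncode(url) + '">' + htmlEncode(term) + '</a>';
}

// Constructed inputs: an apostrophe, which URL encoding does not touch, and
// characters that are HTML syntax and query-string syntax at the same time.
console.log(compareEncodings("Tom's"));
console.log(searchLink('a&b <c>'));
```

The order matters: URL-encoding after HTML-encoding would turn the & of each entity into %26 and corrupt the link, while HTML-encoding after URL-encoding changes nothing in the %XX sequences and only touches characters the URL encoder left raw.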