HTML Entity Encoder / Decoder

Encode text as HTML entities or decode entities back to plain text. 100% client-side.


How to Use the HTML Entity Encoder

  1. Paste your text or HTML into the input area on the left.
  2. Choose a mode — Encode (essential characters), Decode, Encode All (every character), or Named Entities.
  3. View the result — the converted output appears instantly on the right.
  4. Copy or download — use the buttons above the output to copy or save the result.

What Are HTML Entities?

HTML entities are special text sequences used to represent characters that have special meaning in HTML or that cannot easily be typed directly. Every entity begins with an ampersand (&) and ends with a semicolon (;). The most important entities for web developers are the five characters that must be escaped to prevent browsers from misinterpreting them as HTML markup: < (less-than), > (greater-than), & (ampersand), " (double quote), and ' (single quote / apostrophe).

The Four Encoding Modes

  • Encode — replaces only the five essential characters (< > & " ') with their safe entity equivalents. This is the standard mode for escaping user input before inserting it into HTML.
  • Decode — converts HTML entities back to their original characters. Handles named entities like &nbsp;, decimal numeric references like &#169;, and hexadecimal numeric references like &#xA9;.
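  • Encode All — converts every character to its numeric entity (&#NNN;). The output is much longer, and the browser renders it as literal text in element content and quoted attribute values; like all entity encoding, it does not make a value safe inside a <script> block, an event-handler attribute, or a URL. This is sometimes used to obfuscate email addresses from spam crawlers.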
  • Named Entities — like Encode but also replaces additional characters with their named HTML entities where available (e.g., &copy; for ©, &mdash; for —, &nbsp; for non-breaking space).

Why HTML Entity Encoding Matters for Security

Failing to encode HTML entities is one of the most common causes of cross-site scripting (XSS) vulnerabilities. If a user submits text containing <script>alert('XSS')</script> and your application inserts it directly into an HTML page without encoding, the browser will execute that script. Proper HTML entity encoding neutralizes this attack by converting the angle brackets to &lt; and &gt;, which the browser renders as literal text rather than markup. Modern server-side frameworks and templating engines usually handle this automatically, but whenever you are setting innerHTML in JavaScript or constructing HTML strings manually, you must encode any user-supplied values yourself.
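
The Encode, Encode All and Decode modes described above, written out as an added JavaScript example (this is not the tool's own source code). The function names and the NAMED table, which covers only the entities listed on this page, are assumptions made for illustration.

```javascript
// Added example: function names are illustrative, not the tool's source.
// The apostrophe is emitted as &#39;, the numeric form of &apos;.
const ESSENTIAL = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Named entities listed on this page (a constructed subset, not the full HTML table).
const NAMED = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0',
  copy: '\u00A9', reg: '\u00AE', trade: '\u2122', mdash: '\u2014',
  ndash: '\u2013', euro: '\u20AC',
};

// "Encode" mode: one pass over the input, so an existing "&lt;" becomes
// "&amp;lt;" and is displayed literally instead of being reinterpreted.
function encodeEssential(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESSENTIAL[ch]);
}

// "Encode All" mode: every code point becomes a decimal reference.
function encodeAll(text) {
  let out = '';
  for (const ch of String(text)) out += `&#${ch.codePointAt(0)};`;
  return out;
}

// "Decode" mode: named, decimal and hex references, resolved in a single pass.
// Decoding once matters: "&amp;lt;" must yield "&lt;", never "<".
function decodeEntities(text) {
  return String(text).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z]+);/g, (match, body) => {
    if (body[0] !== '#') {
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Leave out-of-range or surrogate code points untouched.
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : match;
  });
}

// The payload from the paragraph above, used as untrusted input.
const untrusted = "<script>alert('XSS')</script>";
console.log(encodeEssential(untrusted));
console.log(decodeEntities('&amp;lt;script&amp;gt;'));
```

Place the output of encodeEssential only in element content or a quoted attribute value, and run decodeEntities at most once on any given string so that already-escaped markup is not turned back into live markup.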

Common Named HTML Entities

  • &amp; — & (ampersand)
  • &lt; — < (less-than sign)
  • &gt; — > (greater-than sign)
  • &quot; — " (double quotation mark)
  • &apos; — ' (apostrophe)
  • &nbsp; — non-breaking space
  • &copy; — © (copyright sign)
  • &reg; — ® (registered sign)
  • &trade; — ™ (trademark sign)
  • &mdash; — — (em dash)
  • &ndash; — – (en dash)
  • &euro; — € (euro sign)

HTML Entities vs. URL Encoding

HTML entity encoding and URL encoding are different things that serve different purposes. HTML entity encoding makes text safe to display inside HTML documents. URL encoding (percent-encoding) makes text safe to use inside a URL. For example, a space in an HTML document can be represented as &nbsp; (non-breaking space entity) or simply left as a space (regular spaces are fine in HTML content). But a space in a URL must be encoded as %20. Use our URL Encoder for URL encoding tasks, and this tool for HTML entity encoding.

Frequently Asked Questions

HTML entities are special sequences that represent characters which have special meaning in HTML, or characters that cannot easily be typed. They start with an ampersand (&) and end with a semicolon (;). For example, &lt; represents the less-than sign (<) and &amp; represents the ampersand (&).
Named entities use a descriptive name, like &lt; for < or &copy; for the copyright symbol. Numeric entities use the character's Unicode code point in decimal (&#169; for copyright) or hexadecimal (&#xA9; for copyright). Named entities are more readable; numeric entities work for any Unicode character.
You need to encode HTML entities whenever you are inserting user-supplied text into an HTML document. Characters like <, >, and & must be encoded or the browser may interpret them as HTML markup, potentially causing layout issues or cross-site scripting (XSS) vulnerabilities.
Yes. This tool runs entirely in your browser. Your text is never sent to any server. The encoding and decoding is performed using JavaScript running locally on your device. No data is stored, logged, or transmitted.
Encode All mode converts every character in your text to its numeric HTML entity (&#NNN; format), not just the ones that need encoding. The output is much longer, and the browser renders it as literal text in element content and quoted attribute values; it does not make a value safe inside a <script> block, an event-handler attribute, or a URL. It is useful for obfuscating email addresses from spam crawlers or encoding text that must survive processing by multiple systems.