HTML Entity Encoder / Decoder

Encode special characters into HTML entities or decode them back.

Common HTML entities reference

Character   Entity
&           &amp;
<           &lt;
>           &gt;
"           &quot;
'           &#39;
©           &copy;
®           &reg;
™           &trade;
—           &mdash;
€           &euro;
£           &pound;
…           &hellip;

About HTML Entities

HTML entities are special codes used to represent characters that have reserved meaning in HTML, such as <, >, &, and ". Encoding these characters prevents them from being interpreted as HTML markup, which is critical for XSS prevention and correct rendering across all browsers and character sets.

Encoding vs decoding

Encoding converts raw characters like < into their entity equivalents like &lt;, making it safe to embed user-supplied text inside HTML. Decoding does the reverse — it converts entity codes back into readable characters, which is useful when extracting visible text from HTML source.

When to encode HTML

  • User-generated content — always encode before inserting untrusted text into a web page to prevent Cross-Site Scripting (XSS) attacks.
  • Email templates — encode special characters in HTML email bodies to ensure they render consistently.
  • API responses — encode HTML in JSON fields that will be injected into a page's markup.
  • CMS content — some content management systems store text as HTML entities; use the decoder to read the raw text.

About the HTML Entities Encoder

HTML entities are special character sequences that represent characters with reserved meaning in HTML, characters not present on a typical keyboard, or invisible characters. The four reserved characters — less-than (<), greater-than (>), ampersand (&), and double quote (") — must be encoded when they appear in HTML content; otherwise the browser interprets them as markup and the page breaks or, worse, becomes vulnerable to script injection.

This tool encodes plain text into safe HTML by replacing reserved characters with their entity equivalents (&lt;, &gt;, &amp;, &quot;) and decodes entity-encoded text back to plain text. It supports named entities (&amp;) and numeric entities (&#38; and &#x26;), and handles the full Unicode range.

Why encoding matters for security

Cross-site scripting (XSS) is one of the most common web application vulnerabilities. It happens when user-supplied text is inserted directly into HTML without encoding — a malicious user can submit text containing <script> tags or event handlers that the browser then executes. Correctly encoding user input before rendering it as HTML closes this injection path. This is why every modern templating engine (React JSX, Vue, Handlebars, Liquid, Jinja, ERB) HTML-encodes interpolated values by default; manual encoding is needed only when you bypass those defaults or work outside a template engine.

Named, decimal, and hexadecimal entities

HTML offers three ways to encode a character: named (&copy;), decimal (&#169;), and hexadecimal (&#xA9;). Named entities are easier to read but only cover a fixed set defined by the HTML5 spec. Numeric entities work for any Unicode code point. This tool produces named entities for the reserved characters and common symbols (because they are more readable) and falls back to numeric entities for everything else.
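As an added example (not the tool's own source), a JavaScript encoder that applies the rules just described: named entities for the reserved characters and the common symbols from the reference table, numeric entities for every other non-ASCII code point. The `NAMED` table and `encodeHtml` are names chosen here, and the named table is deliberately a small subset of the HTML5 list.

```javascript
// Added example: HTML entity encoder. Named entities for the reserved
// characters (plus the apostrophe, needed inside single-quoted attributes)
// and a few common symbols; hexadecimal numeric entities for everything
// else outside ASCII. Handles the full Unicode range, including astral
// characters that JavaScript stores as surrogate pairs.
const NAMED = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;'],
  ['\u00A9', '&copy;'], ['\u00AE', '&reg;'], ['\u2122', '&trade;'],
  ['\u2014', '&mdash;'], ['\u20AC', '&euro;'], ['\u00A3', '&pound;'],
  ['\u2026', '&hellip;'], ['\u00E9', '&eacute;'],
]);

// Encode a string so it can be placed in HTML text or attribute content.
function encodeHtml(text) {
  let out = '';
  // for...of iterates by code point, so a surrogate pair arrives as one unit.
  for (const ch of text) {
    const named = NAMED.get(ch);
    const cp = ch.codePointAt(0);
    if (named !== undefined) {
      out += named;
    } else if (cp > 0x7F) {
      // Non-ASCII with no named form: numeric entity, valid for any code point.
      out += '&#x' + cp.toString(16).toUpperCase() + ';';
    } else {
      out += ch;
    }
  }
  return out;
}

// Both worked examples from this page, as constructed inputs.
console.log(encodeHtml('<script>alert("xss")</script>'));
console.log(encodeHtml('\u00A9 2026 ToolBox \u2014 r\u00E9sum\u00E9'));
```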

How to use the HTML Entities Encoder

  1. Paste the plain text

    Drop the text containing characters you need to make HTML-safe into the input box.

  2. Read the encoded output

    The output box shows the same text with reserved and non-ASCII characters replaced by their entity equivalents.

  3. Or decode the other way

    Switch to decode mode and paste entity-encoded text to recover the original characters.

  4. Copy and use

    Paste the result directly into an HTML file, CMS field, or anywhere else that needs safe HTML.

Worked examples

Example 1

Input: <script>alert("xss")</script>

Result: &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;

The classic XSS payload, neutralised by encoding the four reserved characters.

Example 2

Input: © 2026 ToolBox — résumé

Result: &copy; 2026 ToolBox &mdash; r&eacute;sum&eacute;

Symbols and accented letters use their named entities for readability.

Real-world use cases

  • Safely displaying user-submitted content (comments, forum posts, support tickets) on a web page.
  • Embedding code snippets that contain HTML in a blog post without breaking the layout.
  • Cleaning HTML pasted from a rich text editor before storing in a database.
  • Decoding entity-heavy HTML scraped from an old website into plain text for further processing.
  • Including non-ASCII characters in an HTML email that may pass through systems with limited character set support.

Tips & common mistakes

  • When inserting text into HTML attribute values, also encode the apostrophe (&#39;) — it is not part of the reserved four but is required for safety inside single-quoted attributes.
  • If your output platform handles encoding automatically (React, Vue, modern CMS), do not double-encode by running text through this tool first — you will see literal &amp;lt; in the final page.
  • Numeric entities (&#169;) work in every browser; very obscure named entities can fail in older email clients. When in doubt, use numeric.
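As an added example (not the tool's own source), a decoder for the named, decimal and hexadecimal forms, together with a check for the double-encoding symptom mentioned in the tips. `NAMED_TO_CHAR`, `decodeHtml` and `looksDoubleEncoded` are names chosen here; the named table is a small subset of the HTML5 list, so a production decoder needs the full table.

```javascript
// Added example: decode named, decimal (&#169;) and hexadecimal (&#xA9;)
// entities in one left-to-right pass.
const NAMED_TO_CHAR = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  copy: '\u00A9', reg: '\u00AE', trade: '\u2122', mdash: '\u2014',
  euro: '\u20AC', pound: '\u00A3', hellip: '\u2026', eacute: '\u00E9',
};

const ENTITY = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g;

// Each entity is replaced exactly once and its replacement is never
// re-scanned, which is why "&amp;lt;" decodes to "&lt;" rather than "<":
// a double-encoded input needs a second decode pass to become "<".
function decodeHtml(text) {
  return text.replace(ENTITY, (match, hex, dec, name) => {
    if (name !== undefined) {
      const ch = NAMED_TO_CHAR[name];
      return ch !== undefined ? ch : match; // unknown name: leave as-is
    }
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    // Outside Unicode or a lone surrogate: substitute U+FFFD instead of
    // producing an invalid string.
    if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return '\uFFFD';
    return String.fromCodePoint(cp);
  });
}

// Heuristic: an "&amp;" immediately followed by what would otherwise be a
// complete entity is the usual signature of text encoded twice.
function looksDoubleEncoded(text) {
  return /&amp;(?:#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/.test(text);
}

// Constructed sample: the double-encoded form a page shows when a template
// engine re-encodes text that was already run through an encoder.
const twice = '&amp;lt;script&amp;gt;';
console.log(decodeHtml(twice));            // one pass: &lt;script&gt;
console.log(looksDoubleEncoded(twice));    // true
```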

Frequently asked questions

Why are only four characters strictly reserved?

Because only those four (<, >, &, ") can change how a browser parses surrounding HTML text content. Inside attribute values the apostrophe also matters (see the tip above on single-quoted attributes). Everything else is technically safe; we encode other characters mainly for legacy compatibility with non-UTF-8 systems.

Should I use this in modern web frameworks?

Usually not — React, Vue, Svelte, and other modern frameworks HTML-encode interpolated values automatically. Use this tool when generating HTML by string concatenation or when working outside a framework.

Does the tool decode hexadecimal entities?

Yes. Both numeric forms (&#169; decimal and &#xA9; hexadecimal) are decoded correctly.

What about non-Latin scripts?

They are encoded as numeric entities (for example, &#26085; for the Japanese character 日). For UTF-8 pages this encoding is optional but always safe.

Last updated: June 2026 · All processing happens locally in your browser.