inyourbrowser.com

HTML entity encoder / decoder

HTML entity encoder and decoder is a browser-based tool for converting special characters like <, >, and & to their named HTML entities and back. Paste any text or markup and get the encoded output instantly.

Mode:
0 chars
0 chars
COMMON ENTITIES
&&amp;
<&lt;
>&gt;
"&quot;
'&#39;
©&copy;
®&reg;
&trade;
&euro;
·&nbsp;
&mdash;
&hellip;

How to encode or decode HTML entities

  1. Choose "Encode" to convert special characters to HTML entities, or "Decode" to do the reverse.
  2. Paste your HTML or text into the input area.
  3. The converted output appears instantly in the output area.
  4. Click "Copy" to copy the result to your clipboard.

Common uses

  • Encoding text that will be inserted into HTML to prevent XSS vulnerabilities, use hash generator to verify the integrity of the encoded content
  • Decoding HTML entities in scraped or stored HTML to get the readable text. The URL encoder is useful when the content also contains percent-encoded characters
  • Escaping special characters like ampersands and angle brackets for safe inclusion in HTML attributes

Technical specification

  • Algorithm or formula: Encoding replaces the five HTML-reserved characters (&, <, >, ", ') with their named entities via sequential replace calls. Decoding sets the entity-bearing text as innerHTML on a detached textarea element and reads back the parsed .value.
  • Browser API or library: Native String.prototype.replace for encoding; DOM textarea for decoding so the browser's full HTML5 entity table (over 2,000 named entities) is used.
  • Input limits: Bounded by browser memory.
  • Output: Encoded or decoded text, copyable to the clipboard.
  • Known limitations: Encoding uses named entities only for the five reserved characters; non-ASCII characters pass through unencoded. Use Unicode escapes or numeric entities manually if you need a fully ASCII payload.

Frequently asked questions

What characters are encoded?
The tool encodes the five characters that must be escaped in HTML: ampersand (&amp;), less-than (&lt;), greater-than (&gt;), double quote (&quot;), and single quote (&#x27;). It also optionally encodes all non-ASCII characters as numeric references.
Is my data sent to a server?
No. Encoding and decoding are pure JavaScript operations running in your browser.
What is the difference between named and numeric entities?
&amp; is a named entity; &#38; and &#x26; are numeric (decimal and hex) equivalents. All three represent the ampersand character. The tool outputs named entities where available.
Does this prevent XSS attacks?
HTML entity encoding prevents your text from being interpreted as HTML, which is the first step in preventing XSS. However, context matters, encoding rules differ for HTML attributes, JavaScript, CSS, and URL contexts.

Reviewed and tested May 26, 2026.