What characters are encoded?

The tool encodes the five characters that must be escaped in HTML: ampersand (&), less-than (<), greater-than (>), double quote ("), and single quote ('). It also optionally encodes all non-ASCII characters as numeric references.

Is my data sent to a server?

No. Encoding and decoding are pure JavaScript operations running in your browser.

What is the difference between named and numeric entities?

& is a named entity; & and & are numeric (decimal and hex) equivalents. All three represent the ampersand character. The tool outputs named entities where available.

Does this prevent XSS attacks?

HTML entity encoding prevents your text from being interpreted as HTML, which is the first step in preventing XSS. However, context matters, encoding rules differ for HTML attributes, JavaScript, CSS, and URL contexts.

HTML entity encoder / decoder

HTML entity encoder and decoder is a browser-based tool for converting special characters like <, >, and & to their named HTML entities and back. Paste any text or markup and get the encoded output instantly.

Mode:

Plain text / HTML0 chars

Encoded HTML

0 chars

COMMON ENTITIES

©©

®®

™™

€€

——

……

Dedicated pages

Direct links for encode and decode.

HTML encode

Encode special characters to HTML entities instantly. Convert <, >, &, " and more to their HTML equivalents. Free, in-browser.

HTML decode

Decode HTML entities back to plain text instantly. Convert &, <, >, " and numeric entities to their original characters. Free, in-browser.

HTML escape

Escape HTML special characters to safely display code and user content in web pages. Free, in-browser.

How to encode or decode HTML entities

Choose "Encode" to convert special characters to HTML entities, or "Decode" to do the reverse.
Paste your HTML or text into the input area.
The converted output appears instantly in the output area.
Click "Copy" to copy the result to your clipboard.

Common uses

Encoding text that will be inserted into HTML to prevent XSS vulnerabilities, use hash generator to verify the integrity of the encoded content
Decoding HTML entities in scraped or stored HTML to get the readable text. The URL encoder is useful when the content also contains percent-encoded characters
Escaping special characters like ampersands and angle brackets for safe inclusion in HTML attributes

Technical specification

Algorithm or formula: Encoding replaces the five HTML-reserved characters (&, <, >, ", ') with their named entities via sequential replace calls. Decoding sets the entity-bearing text as innerHTML on a detached textarea element and reads back the parsed .value.
Browser API or library: Native String.prototype.replace for encoding; DOM textarea for decoding so the browser's full HTML5 entity table (over 2,000 named entities) is used.
Input limits: Bounded by browser memory.
Output: Encoded or decoded text, copyable to the clipboard.
Known limitations: Encoding uses named entities only for the five reserved characters; non-ASCII characters pass through unencoded. Use Unicode escapes or numeric entities manually if you need a fully ASCII payload.

Frequently asked questions

What characters are encoded?: The tool encodes the five characters that must be escaped in HTML: ampersand (&), less-than (<), greater-than (>), double quote ("), and single quote ('). It also optionally encodes all non-ASCII characters as numeric references.
Is my data sent to a server?: No. Encoding and decoding are pure JavaScript operations running in your browser.
What is the difference between named and numeric entities?: & is a named entity; & and & are numeric (decimal and hex) equivalents. All three represent the ampersand character. The tool outputs named entities where available.
Does this prevent XSS attacks?: HTML entity encoding prevents your text from being interpreted as HTML, which is the first step in preventing XSS. However, context matters, encoding rules differ for HTML attributes, JavaScript, CSS, and URL contexts.

Reviewed and tested May 25, 2026.