
HTML Entity Encoder/Decoder


Encode special characters to HTML entities (&, <, ", ©) or decode entities back to their literal characters. Free and private; all processing happens in your browser.


The HTML Entity Encoder Decoder converts between special characters and their HTML entity representations in both directions. HTML entities are text sequences like &amp; (ampersand), &lt; (less-than), &quot; (double quote), &copy; (copyright), or numeric forms like &#169; and &#x00A9;. They exist because some characters have special meaning in HTML (<, >, &) or are hard to type (€, •, ∞). Encoding text to entities makes it safe to embed in HTML; decoding back shows what the entities actually represent.

The tool handles all three entity forms: named entities (about 250 are defined in HTML5, for example &copy;, &nbsp;, &rarr;), decimal numeric entities (&#169;), and hex numeric entities (&#x00A9;). Encode mode converts any text to HTML-safe form by escaping special characters. Decode mode converts entities back to their literal characters. Selective modes let you encode only the essential characters (< > & " ') for minimal escaping, or everything non-ASCII for maximum safety. Common use cases: preparing user input for display to prevent XSS, decoding emails or scraped HTML back to readable text, and generating HTML source with correct special-character handling.

HTML Entity Encoder/Decoder — key features

Two-way conversion

Encode text to entities or decode entities back to text in one tool.

Named and numeric forms

Handles &copy;, &#169;, and &#x00A9; — all three forms of the same character.

Encoding strategies

Minimal (just & < >), standard, or maximum (all non-ASCII) depending on your safety needs.

250+ named entities

Full HTML5 named entity list including Greek letters, arrows, and typographic marks.

XSS-safe encoding

Minimal mode matches the escaping strategies of React, Angular, and major templating engines.

Preview

See how the encoded text will render in a browser before using it.

Copy-ready output

One-click copy the encoded or decoded result for pasting into code or content.

Client-side only

Input text never leaves your browser — safe for sensitive content.

How to use the HTML Entity Encoder/Decoder

  1. Pick direction: Encode text to entities, or decode entities back to text.
  2. Paste your content: Drop the text or entity-laden content into the input.
  3. Set encoding strategy: For encoding, choose minimal (essentials only), standard, or maximum (all non-ASCII).
  4. Review the preview: See how the encoded text renders in a browser alongside the raw entity form.
  5. Copy: One-click copy the result for pasting into your code or document.

Common use cases for the HTML Entity Encoder/Decoder

Web development

  • User input sanitization: Encode text from user input before embedding in HTML to prevent XSS attacks.
  • CMS content embedding: Convert special characters in CMS content to entities so they display literally rather than being parsed as markup.
  • Email HTML: Prepare content for HTML email templates where some email clients strip non-entity special characters.

Content processing

  • Decode scraped content: Convert HTML-encoded text from scraped pages back to readable form.
  • Email archive extraction: Turn entity-laden email archives into plain readable text.
  • Documentation cleanup: Decode raw HTML source pulled from exports to more readable form for editing.

Data interchange

  • XML vs HTML: Convert between HTML and XML-safe forms (some entities differ).
  • JSON embedding: Ensure special characters in JSON strings are entity-escaped where needed.
  • API payload cleaning: Strip or encode special characters in text fields before API submission.

HTML Entity Encoder/Decoder — examples

Essential escaping

Minimal encoding of HTML-dangerous characters.

Input
<p>Hello & welcome</p>
Output
&lt;p&gt;Hello &amp; welcome&lt;/p&gt;

Copyright symbol

Encoding a non-ASCII character.

Input
© 2026 Tooleras
Output
&copy; 2026 Tooleras
or numeric: &#169; 2026 Tooleras

Decoding

Entities back to literal characters.

Input
Tom &amp; Jerry said &quot;hi&quot;
Output
Tom & Jerry said "hi"

Mixed forms

Named and numeric entities handled together.

Input
&copy; by Don&#39;t &#x00A9; 2024
Output
© by Don't © 2024
(three entity forms all decoded)

XSS prevention

Encoding user input safely for HTML.

Input
<script>alert("XSS")</script>
Output
&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
(safe to embed in HTML)

Technical details

HTML entities serve two purposes: encoding characters that have special meaning in HTML (so they display as text rather than being parsed as markup), and encoding characters that are hard to type or may not survive certain encoding transitions.

Essential HTML entities (must be escaped in certain contexts):
- & → &amp; (ampersand starts every entity)
- < → &lt; (starts HTML tag)
- > → &gt; (ends HTML tag, less strict but recommended)
- " → &quot; (in attribute values with double quotes)
- ' → &#39; or &apos; (in attribute values with single quotes; &apos; not in HTML 4)

Named entities: HTML5 defines about 250 named entities for symbols, Greek letters, arrows, and typographic marks. Common ones:
- &amp; (&), &lt; (<), &gt; (>), &quot; ("), &apos; (')
- &copy; (©), &reg; (®), &trade; (™)
- &nbsp; (non-breaking space, U+00A0)
- &mdash; (—), &ndash; (–)
- &hellip; (…)
- &ldquo; (\") &rdquo; (\") &lsquo; (\u2018) &rsquo; (\u2019)
- &rarr; (→) &larr; (←) &uarr; (↑) &darr; (↓)
- &times; (×), &divide; (÷)

Numeric entities: any Unicode codepoint can be written as &#N; (decimal) or &#xN; (hex). &#169; and &#x00A9; both represent ©.

Encoding strategies:
- Minimal: escape only & < > (and " in attributes). Produces the shortest output.
- Standard: also escape ' and other commonly problematic characters.
- Maximum: escape all non-ASCII to named or numeric entities for 7-bit-safe text.
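
The three strategies as one function, in an added example that is not the tool's own source. The exact character set of "standard" is an assumption (the minimal set plus both quotes), and "maximum" here emits hex numeric entities rather than names.

```javascript
// Added example: the three encoding strategies as one function.
const ESSENTIAL = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
// Assumption: "standard" = minimal set plus both quote characters.
const WITH_QUOTES = { ...ESSENTIAL, '"': '&quot;', "'": '&#39;' };

function encodeEntities(text, strategy = 'standard') {
  const table = strategy === 'minimal' ? ESSENTIAL : WITH_QUOTES;
  let out = '';
  // for...of iterates by code point, so a character outside the BMP
  // (stored as a surrogate pair) yields one entity, not two broken halves.
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    const mapped = table[ch];
    if (mapped !== undefined) {
      out += mapped;
    } else if (strategy === 'maximum' && cp > 0x7f) {
      // A lone surrogate is not a valid character reference; emit U+FFFD.
      const safe = cp >= 0xd800 && cp <= 0xdfff ? 0xfffd : cp;
      out += `&#x${safe.toString(16).toUpperCase()};`;
    } else {
      out += ch;
    }
  }
  return out;
}

// Double encoding: running the encoder over its own output escapes the
// ampersands it just produced.
const once = encodeEntities('Tom & Jerry', 'minimal');
const twice = encodeEntities(once, 'minimal');
```
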

Decoding strategy: regex replace for entities with a fast lookup table, plus numeric conversion for &#N; and &#xN; forms. Unknown named entities are left as-is (a forward-compatible strategy).
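
The decoding strategy described above, as an added example rather than the tool's own code. `NAMED` is a small constructed subset of the HTML5 table, and mapping invalid code points to U+FFFD is a choice borrowed from HTML parsers, not something the page specifies.

```javascript
// Added example. NAMED is an illustrative subset, not the full HTML5 list.
const NAMED = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
  ['copy', '\u00A9'], ['reg', '\u00AE'], ['nbsp', '\u00A0'], ['rarr', '\u2192'],
]);

function decodeCodePoint(cp) {
  // NUL, surrogates and values past U+10FFFF become U+FFFD instead of
  // throwing (String.fromCodePoint raises RangeError above 0x10FFFF).
  const invalid = !Number.isInteger(cp) || cp === 0 || cp > 0x10ffff ||
    (cp >= 0xd800 && cp <= 0xdfff);
  return invalid ? '\uFFFD' : String.fromCodePoint(cp);
}

function decodeEntities(text) {
  // One regex, one pass: text produced by a replacement is never rescanned,
  // so "&amp;lt;" decodes to "&lt;" and not to "<". This example only
  // recognises references that end in a semicolon.
  return String(text).replace(
    /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g,
    (match, hex, dec, name) => {
      if (hex !== undefined) return decodeCodePoint(parseInt(hex, 16));
      if (dec !== undefined) return decodeCodePoint(parseInt(dec, 10));
      return NAMED.has(name) ? NAMED.get(name) : match; // unknown: keep as-is
    },
  );
}
```

Decoded output is raw text again, so it has to be re-encoded before it goes back into HTML.
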

Security implication: encoding is critical for XSS prevention. Text from users must be encoded before it is inserted into HTML to prevent script injection. The correct context-aware encoding differs (HTML text vs attribute vs URL vs JavaScript), but for simple HTML embedding, entity encoding the essentials is sufficient.

Common problems and solutions

Double encoding

Encoding already-encoded text produces &amp;amp; from &amp;. This is a common bug in frameworks that escape automatically. Be aware of whether your input is raw or already escaped.

Ampersand forgotten

When manually escaping, people forget that & itself needs escaping to &amp;. Every & in HTML must be encoded unless it’s already the start of a valid entity. Many XSS vulnerabilities start here.

Context matters

HTML body, attribute values, URLs, and JavaScript contexts all require different escaping. Minimal HTML entity encoding is correct for HTML text; attribute values need quote handling; URLs need percent-encoding; JavaScript needs backslash-escaping.
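
The same untrusted string placed in each of the four contexts, as an added example that is not part of the tool. The function names and the `/search?q=` URL are hypothetical.

```javascript
// Added example: one encoder per output context.
const TEXT_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };

// HTML text: the minimal set is enough between tags.
const escapeText = (s) => String(s).replace(/[&<>]/g, (c) => TEXT_MAP[c]);

// Attribute value: also neutralise both quote characters, otherwise the
// value can end the attribute it was placed in.
const escapeAttr = (s) =>
  escapeText(s).replace(/"/g, '&quot;').replace(/'/g, '&#39;');

// JavaScript string literal: JSON.stringify backslash-escapes quotes,
// backslashes and control characters; <, >, & and U+2028/U+2029 are then
// written as \uXXXX so the literal cannot close an enclosing script element.
function escapeJsString(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderContexts(untrusted) {
  return {
    text: `<p>${escapeText(untrusted)}</p>`,
    attr: `<input value="${escapeAttr(untrusted)}">`,
    // URL component: percent-encode first, then attribute-escape, because
    // encodeURIComponent leaves the apostrophe untouched.
    url: `<a href="/search?q=${escapeAttr(encodeURIComponent(untrusted))}">search</a>`,
    js: `<script>var q = ${escapeJsString(untrusted)};</script>`,
  };
}

// Constructed sample input, taken from the page's own XSS example.
const sample = renderContexts('<script>alert("XSS")</script>');
```
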

Named entity typos

&copy (missing semicolon) is ambiguous in modern HTML — strict XML parsing rejects it. Always include the semicolon for portable HTML.

Unicode private use areas

Very obscure characters (private use or deprecated codepoints) may not have named entities and vary in display. Use numeric entities for guaranteed encoding, but test rendering.

XML vs HTML5 entities

XML only knows 5 named entities (&amp; &lt; &gt; &quot; &apos;). HTML5 knows 250+. Content intended for XML must use only the 5 or numeric entities.

Security false confidence

Entity encoding is necessary but not sufficient for security. Context-aware escaping, Content Security Policy, and input validation are all still needed. Never rely on a single encoding pass to fully prevent XSS.

HTML Entity Encoder/Decoder — comparisons and alternatives

Compared to framework-provided escaping (React, Vue, Angular auto-escape content), this tool handles ad-hoc content outside a framework. Use frameworks for application code; use this tool for one-off content prep.

Compared to writing a custom encoder, this tool handles all 250+ named entities and edge cases you might miss. For automated pipelines, use a well-tested library; for interactive encoding, this tool is faster.

Compared to URL-encoding or base64-encoding tools, this one is specifically for HTML — the encoding strategies are different for different contexts. Use the right tool for the right context.

Frequently asked questions about the HTML Entity Encoder/Decoder

What is an HTML entity?

An HTML entity is a text sequence like &amp;, &lt;, &copy; that represents a special character in HTML source. Entities are needed because some characters (like < and >) have structural meaning in HTML, and others (like © or ∞) are easier to type as entities than to insert directly.

When should I use HTML entities?

When you need to display a character literally that would otherwise be interpreted as HTML structure (showing literal < or >), or when you want to embed special characters in HTML source that might not survive encoding transitions. Modern UTF-8 HTML reduces the need for non-essential entities, but the essentials (& < > in body, " in attributes) are still critical for safety.

Do I need to encode ' apostrophe?

In HTML 4, no — &apos; was not valid. In HTML5 it is valid. In practice, &#39; is universally safe. You only need to encode ' in attribute values delimited by single quotes; in regular HTML body and double-quoted attributes, raw ' is fine.

What is the difference between numeric and named entities?

Named entities use a symbolic name (&copy; for ©). Numeric entities use the Unicode codepoint (&#169; decimal or &#x00A9; hex). Numeric works for any character; named works only for the ~250 defined in HTML5. Both produce the same visible character.

Is this tool safe for XSS prevention?

Using this tool to encode user-supplied content is a necessary safety step, but not sufficient alone. Use it as part of a defense-in-depth strategy: encode output, validate input, apply Content Security Policy, and use framework-provided context-aware escaping (like React’s automatic escaping).

How do I decode scraped HTML?

Paste the HTML-encoded text into the decoder. &amp; becomes &, &lt; becomes <, and so on. The decoder handles named entities, decimal entities, and hex entities automatically.

What happens to unknown entities?

The tool leaves unknown named entities as-is for forward compatibility. If a future HTML version adds a new entity that isn’t in the current dictionary, the literal text is preserved rather than mangled.

Is my input private?

Yes. All encoding and decoding happens in your browser. User input, email archives, or confidential HTML never leave your machine.
