&

HTML Entity Encoder / Decoder

Encode special characters to HTML entities and decode them back. Supports named entities, numeric, and hex formats.

Plain Text Input
Encoded Output
Common Entities ReferenceClick to copy code

About HTML Entity Encoder & Decoder

HTML entities are special character sequences that represent characters which would otherwise be interpreted as HTML markup or which cannot be typed directly. For example, < must be written as &lt; inside HTML content to prevent the browser from treating it as a tag opener. This tool converts any text containing &, <, >, quotes, and extended Unicode characters into their entity equivalents — supporting named (&copy;), decimal (&#169;), and hexadecimal (&#xA9;) formats.

Decoding works by using the browser's own HTML parser — the encoded string is injected into a temporary element and the resulting text content is read back, so even complex or nested entities are resolved correctly. No data is sent to any server at any point.

Common Use Cases

How to Use

  1. Choose Encode → to convert plain text to HTML entities, or ← Decode to convert entities back to plain text.
  2. Type or paste your content into the left panel — the output updates automatically as you type.
  3. Toggle Extended chars to also encode non-ASCII characters (accented letters, emoji, symbols) as numeric entities.
  4. Enable Hex format to output hexadecimal entities (&#x26;) instead of named or decimal ones. Click any chip in the reference panel to copy its entity code directly.

Frequently Asked Questions

Which characters must always be HTML-encoded?

At minimum, you must encode & (to &amp;), < (to &lt;), and > (to &gt;) when placing user data inside HTML content. Inside attribute values, you additionally need to encode " (to &quot;) or ' (to &apos;) depending on which quote delimiter the attribute uses.

What is the difference between named and numeric HTML entities?

Named entities like &copy; are human-readable shortcuts defined by the HTML specification for commonly used characters. Numeric entities (decimal &#169; or hex &#xA9;) reference the Unicode code point directly and work for any Unicode character, including those without a named entity.

Does encoding HTML entities protect against all XSS attacks?

HTML entity encoding prevents XSS when inserting content into HTML text nodes and attribute values, but it is not sufficient in all contexts. Content placed inside <script> tags requires JavaScript escaping, content in CSS requires CSS escaping, and URLs require URL encoding. Always use context-appropriate escaping and a Content Security Policy for defence in depth.

Advertisement