
HTML Entity Encode / Decode

Encode and decode HTML entities in your browser — escape <, >, & and quotes, or turn named and numeric references back into text. Private, free, no upload.

Runs entirely in your browser — your data never leaves your device.

How to use HTML Entity Encode / Decode

What it does & when you need it

You need HTML entity encoding whenever text has to appear literally inside an HTML document instead of being interpreted as markup. Paste a code snippet, an error message, or a chunk of user input into a page unescaped and the browser will happily read a stray <script> as a real element. Encoding rewrites the dangerous characters as entities so they render as text; decoding does the reverse, turning &lt;, &#233;, or &copy; back into the characters they stand for. Both directions run entirely in your browser, so pasted markup and customer data never leave your machine.

Reach for it when you are escaping content before dropping it into a template, reading a scraped page whose text is full of &amp; and &nbsp;, preparing a code sample for a blog post, or debugging why a & in a query string turned into &amp;amp; somewhere in your pipeline.

How to use

  1. Pick Encode or Decode with the toggle in the toolbar.
  2. Paste your text into the left plain text / html buffer, press Sample to load a realistic example, or Upload an .html file.
  3. In Encode mode, tick Encode non-ASCII if you also want every character above code point 127 (accented letters, symbols, emoji) turned into numeric references — useful for ASCII-only channels.
  4. The result appears in the right buffer and updates as you type. Press Ctrl/Cmd + Enter (or the Copy result button) to copy it, and use Clear to reset the input.

Things worth knowing

Only five characters need escaping. HTML defines thousands of named entities, but the characters you actually have to escape in HTML text are just five: & as &amp;, < as &lt;, > as &gt;, " as &quot;, and the apostrophe as &#39;. This tool deliberately emits &#39; rather than &apos;: &apos; comes from XML and was not part of HTML 4 (HTML5 added it), so it can fail to render in older or non-conforming parsers, whereas the numeric reference is universally safe.

This is your first line of defence against XSS. Cross-site scripting, stored or reflected, happens when attacker-controlled text is interpolated into a page and the browser parses it as markup. Escaping & and < on output, in the correct context, is what neutralises it. The key word is output: encode at the moment you insert data into HTML, not when you store it. The same five escapes cover HTML text and quoted attribute values; unquoted attributes, URLs (a javascript: scheme in an href survives entity encoding untouched), CSS, and inline scripts each need their own escaping rules on top of this. For query strings specifically, reach for the URL Encoder rather than HTML entities.

Numeric references come in two flavours for the same character. A code point can be written in decimal, like &#169;, or in hexadecimal, like &#xA9; — both resolve to U+00A9, the copyright sign ©. The decoder here accepts either form (and an uppercase &#X…;), so you can throw mixed content at it and get consistent output.

Named entities are convenient but optional. Friendly names such as &nbsp;, &mdash;, and &euro; are easier to read, but the full HTML named-character list runs past 2,000 entries, and hand-rolled decoders rarely carry the whole table. Numeric references sidestep the lookup table entirely: any Unicode code point can be written as &#N; and it will decode (invalid values such as surrogates or &#0; decode to U+FFFD), which is why encoders lean on them for anything outside the common set. If you prefer to inspect characters as \u-style escapes instead, the Unicode Escape tool covers that representation, and the Base64 Encode / Decode tool handles the binary-to-text case entirely differently.

A last gotcha: encoding is not idempotent. Because & is itself escaped to &amp;, running Encode twice turns &lt; into &amp;lt;. If you see doubled entities in production output, something in the chain is escaping already-escaped text — decode once and check where the extra pass came from.
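The points above, worked through in code. This is an added example written for this page, not the tool's own source: it implements the five-escape encoder with the optional non-ASCII pass, a decoder that accepts named, decimal and hex (including uppercase &#X…;) references, the simplified U+FFFD rule for invalid numeric values, a double-encoding check, and an output-encoding helper that shows why entity encoding alone does not cover a URL context. The NAMED table is an assumed subset of the HTML5 list, and renderComment and looksDoubleEncoded are illustrative names, not tool features.

```javascript
// Added example for this page; not the tool's own code.

// The five escapes HTML text (and a quoted attribute value) needs.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for an HTML text node or quoted attribute. With nonAscii set, every
// code point above 127 becomes a decimal numeric reference.
function encodeHtml(text, { nonAscii = false } = {}) {
  let out = '';
  for (const ch of text) {               // for...of walks code points, so emoji stay whole
    const cp = ch.codePointAt(0);
    if (ESCAPES[ch] !== undefined) out += ESCAPES[ch];
    else if (nonAscii && cp > 127) out += '&#' + cp + ';';
    else out += ch;
  }
  return out;
}

// Assumed subset of the named-entity table (the real HTML5 list has 2,231 names).
// A Map rather than a plain object, so "&constructor;" cannot hit Object.prototype.
const NAMED = new Map(Object.entries({
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0',
  copy: '\u00A9', mdash: '\u2014', euro: '\u20AC', eacute: '\u00E9',
}));

// Simplified form of the HTML parser's rule for numeric references: NUL,
// surrogates and out-of-range values become U+FFFD. (The spec additionally
// remaps &#128;..&#159; to Windows-1252 characters; that is omitted here.)
function numericToString(cp) {
  if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\uFFFD';
  return String.fromCodePoint(cp);
}

// Decode named, decimal (&#169;) and hex (&#xA9; / &#XA9;) references.
// Unknown names are left untouched so nothing is silently lost.
function decodeHtml(text) {
  return text.replace(
    /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g,
    (match, hex, dec, name) => {
      if (name !== undefined) return NAMED.has(name) ? NAMED.get(name) : match;
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return numericToString(cp);
    });
}

// Double-encoding check: an entity whose own ampersand has been escaped again.
function looksDoubleEncoded(text) {
  return /&amp;(?:#[xX]?[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);/.test(text);
}

// Output encoding at the point of insertion into an HTML text node.
// Note that this is the wrong tool for an href: encodeHtml('javascript:alert(1)')
// returns the string unchanged, because none of the five characters occur in it.
function renderComment(userText) {
  return '<p class="comment">' + encodeHtml(userText) + '</p>';
}

// Constructed sample inputs, mirroring the Examples section of this page.
console.log(encodeHtml('<a href="?q=a&b">Ben & "Jerry\'s"</a>'));
console.log(decodeHtml('Caf&#233; &copy; 2026 &mdash; 50&nbsp;&euro;'));
console.log(encodeHtml('Caf\u00E9 \u20AC \u{1F600}', { nonAscii: true }));
console.log(looksDoubleEncoded(encodeHtml(encodeHtml('<'))));
```

Running the block shows the escaped anchor, the decoded café line, the non-ASCII pass turning é, € and an emoji into &#233;, &#8364; and &#128512;, and a true from the double-encoding check on a twice-encoded angle bracket.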

Examples

Escape an HTML snippet

<a href="?q=a&b">Ben & "Jerry's"</a>

Encode mode turns markup and quotes into safe, displayable text.

Decode named and numeric entities

Caf&#233; &copy; 2026 &mdash; 50&nbsp;&euro;

Switch to Decode mode to read the original characters back.

Frequently asked questions

Which characters must I escape in HTML?

In HTML text you must escape & and < at minimum; >, " and ' are escaped defensively so the same output is also safe inside a quoted attribute. Those five escapes, &amp; &lt; &gt; &quot; &#39;, are the only ones this tool emits for ASCII input; with Encode non-ASCII ticked, characters above code point 127 additionally become numeric references.

Does encoding HTML entities prevent XSS?

Escaping & and < on output stops text from being parsed as markup, which neutralises stored and reflected XSS in an HTML text context. It is not a complete defence on its own: attribute values, URLs, and inline scripts each need their own escaping in addition to this.

What is the difference between decimal and hexadecimal entities?

They are two spellings of the same code point. Decimal uses &#169; and hexadecimal uses &#xA9;, and both resolve to U+00A9, the copyright sign ©. The decoder accepts either form, including an uppercase &#X…; prefix.

Why does &#39; show instead of &apos;?

&apos; comes from XML and was not part of HTML 4; HTML5 recognises it, but older or non-conforming parsers can fail to render it. The numeric reference &#39; means the same apostrophe and works everywhere, so the encoder uses it.

Why do I see &amp;amp; in my output?

That is double encoding. Because & is itself escaped to &amp;, running encode on already-escaped text turns &lt; into &amp;lt;. Decode the string once and find where the extra escaping pass was added in your pipeline.