
How to Encode and Decode HTML Entities

Encode special characters to HTML entities and decode them back with our free HTML Entity Encoder. Prevents XSS and displays special chars correctly.


Steps

1. Paste your text or HTML

Paste the text containing special characters you want to encode, or the HTML-encoded string you want to decode. The tool handles any text including HTML fragments, user-generated content, and strings with Unicode characters.

2. Choose encode or decode

Select Encode to convert characters like <, >, &, ", and ' to their HTML entity equivalents (&lt;, &gt;, &amp;, &quot;, &#x27;). Select Decode to convert entities back to their literal characters.

3. Choose encoding type

Named entities (&amp;, &lt;) are the most readable and widely recognised. Numeric decimal entities (&#38;, &#60;) work in all contexts. Numeric hexadecimal entities (&#x26;, &#x3C;) are more compact. All three represent the same characters and are equivalent for browser rendering.

4. Click Encode/Decode

Press the button to convert your text. The output shows the encoded or decoded result. For encoding, every special character is converted to its safe entity form.

5. Copy the result

Copy the encoded output and use it in your HTML template, database storage, or email content. The encoded text will render correctly in browsers while preventing any embedded markup from being interpreted as HTML.
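The five steps above, as an added JavaScript example (not the tool's own code): an encoder for the five HTML-significant characters that emits named, decimal or hexadecimal entities, and a decoder that reverses any of the three forms. The named-entity table in the decoder is a constructed minimal subset; a browser recognises roughly two thousand names, so unknown names are deliberately left untouched rather than guessed.

```javascript
// Added example, not from the original page: encode the five characters that
// matter for HTML injection, in any of the three entity styles, and decode back.

// Named forms for the five security-relevant characters. &#x27; is used for the
// single quote because &apos; is HTML5-only and older parsers reject it.
const NAMED = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Constructed minimal name table for decoding; real browsers know far more names.
const NAMED_TO_CHAR = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

// style: 'named' | 'decimal' | 'hex'. All three render identically in a browser.
function htmlEncode(text, style = 'named') {
  return String(text).replace(/[&<>"']/g, (ch) => {
    const code = ch.charCodeAt(0);
    switch (style) {
      case 'named':   return NAMED[ch];
      case 'decimal': return `&#${code};`;
      case 'hex':     return `&#x${code.toString(16).toUpperCase()};`;
      default: throw new Error(`unknown entity style: ${style}`);
    }
  });
}

// Decodes named, decimal (&#NN;) and hexadecimal (&#xHH;) entities.
// Malformed or out-of-range numeric entities and unknown names are kept verbatim.
function htmlDecode(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      if (!Number.isFinite(code) || code > 0x10ffff) return match;
      return String.fromCodePoint(code);
    }
    // hasOwnProperty guards against names like "constructor" hitting the prototype.
    return Object.prototype.hasOwnProperty.call(NAMED_TO_CHAR, body) ? NAMED_TO_CHAR[body] : match;
  });
}

// Round-trip check: encode in a given style, decode, compare to the original.
function roundTrips(text, style) {
  return htmlDecode(htmlEncode(text, style)) === String(text);
}

// Constructed sample input: a markup fragment that also contains & and both quotes.
const SAMPLE = '<a href="x">Tom & Jerry\'s</a>';
for (const style of ['named', 'decimal', 'hex']) {
  console.log(style.padEnd(8), htmlEncode(SAMPLE, style), roundTrips(SAMPLE, style));
}
// Encoding already-encoded text double-encodes it: encode once, at output time.
console.log(htmlEncode('&amp;'));
```

Encode exactly once, at the point where the value is written into HTML; encoding stored data and then encoding again on output turns `&amp;` into `&amp;amp;`, which the browser shows as the literal text "&amp;".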

HTML Entities for Non-ASCII Characters

Beyond the five critical security characters, HTML entities are also used to represent characters that cannot easily be typed on a keyboard or that might not display correctly in all contexts. Common examples include: non-breaking space (&nbsp;), copyright symbol (&copy; = ©), registered trademark (&reg; = ®), em dash (&mdash; = —), left and right quotation marks (&ldquo; &rdquo; = “ ”), and accented characters (&eacute; = é, &ntilde; = ñ). In modern web development with UTF-8 as the standard encoding, it is generally better practice to use the actual Unicode characters directly in your HTML rather than entity notation; they are more readable in source code and behave identically. Use entities primarily for the critical security characters and for special spacing characters like &nbsp;.

Context-Specific Encoding: HTML vs JavaScript vs CSS

Security-aware encoding must use the right encoding for the right context. HTML encoding prevents injection in HTML element content and attribute values. JavaScript encoding (escaping strings with \' or \" and avoiding raw HTML in JS strings) prevents injection in script contexts. CSS encoding prevents injection in style attributes. URL encoding prevents injection in href and src attributes. A single encoding function is not sufficient for all contexts — using HTML entities in a JavaScript string context does not prevent JavaScript injection. Modern web frameworks handle this automatically: React's JSX escapes HTML by default, Angular uses template bindings that escape by default, and server-side template engines like Jinja2, Handlebars, and Blade escape by default. The dangerous patterns are: using innerHTML with user data, using dangerouslySetInnerHTML in React, and using eval with user input.
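The context rule above, as an added JavaScript example that is not from the page or from any of the frameworks it names: one encoder per output context (HTML content, JavaScript string literal, CSS value, URL component) behind a single `encodeFor(context, value)` dispatcher, plus a constructed `renderProfileCard` template that picks the right encoder for each slot. The `eventHandler` context shows the layering the paragraph describes: a browser HTML-decodes an `onclick` attribute before handing it to the JavaScript parser, so `&#x27;` would come back as a raw quote; escaping for JavaScript first and HTML-encoding second keeps the literal intact. All function names and the sample user record are assumptions made for the example.

```javascript
// Added example, not from the original page: context-specific output encoders.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// HTML element content and ordinary attribute values.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: everything except letters, digits and
// spaces becomes \xHH or \u{...}, so quotes, backslashes, line terminators and
// the characters that could close a <script> block are all inert in the literal.
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/gu, (c) => {
    const code = c.codePointAt(0);
    return code < 0x100 ? `\\x${code.toString(16).padStart(2, '0')}` : `\\u{${code.toString(16)}}`;
  });
}

// CSS value context: hex escape followed by a space, which CSS treats as the
// terminator of the escape rather than as part of the value.
function cssEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `\\${c.codePointAt(0).toString(16)} `);
}

// URL query parameter or path segment context.
function urlEncode(s) {
  return encodeURIComponent(String(s));
}

const ENCODERS = {
  html: htmlEncode,
  attr: htmlEncode,
  js: jsStringEscape,
  css: cssEscape,
  url: urlEncode,
  // Inline event handler: the browser HTML-decodes the attribute, THEN parses JS,
  // so the value must survive both steps: JS-escape first, HTML-encode second.
  eventHandler: (s) => htmlEncode(jsStringEscape(s)),
};

function encodeFor(context, value) {
  if (!hasOwn(ENCODERS, context)) throw new Error(`no encoder for context: ${context}`);
  return ENCODERS[context](value);
}

// Constructed template: each interpolation site names its own context.
// encodeURIComponent output never contains & < > " or ', so the URL slot inside
// the href attribute needs no further HTML encoding.
function renderProfileCard(user) {
  return [
    `<div class="card" style="color: ${encodeFor('css', user.colour)}">`,
    `  <a href="/users?id=${encodeFor('url', user.id)}">${encodeFor('html', user.name)}</a>`,
    `  <button onclick="greet('${encodeFor('eventHandler', user.name)}')">Greet</button>`,
    `  <script>const displayName = '${encodeFor('js', user.name)}';</script>`,
    `</div>`,
  ].join('\n');
}

// Constructed sample record containing characters significant in every context.
const SAMPLE_USER = { id: 'a b', name: "Tom's <x>", colour: 'red;' };
console.log(renderProfileCard(SAMPLE_USER));
```

A framework with auto-escaping templates applies the HTML encoder for you, but only in HTML contexts; a value dropped into an inline handler, a `<script>` block or a `style` attribute still needs the matching encoder, which is why the page lists `innerHTML`, `dangerouslySetInnerHTML` and `eval` with user data as the patterns that bypass the defaults.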

Frequently Asked Questions

What characters need to be HTML-encoded?

The five characters that must always be encoded in HTML content are: & (ampersand) → &amp;, < (less-than) → &lt;, > (greater-than) → &gt;, " (double quote, in attribute values) → &quot;, ' (single quote, in attribute values) → &#x27; or &#39;. Additionally, any character outside the ASCII range should be encoded if the document encoding does not support it, though UTF-8 documents can include any Unicode character directly.

Is HTML encoding the same as URL encoding?

No. HTML encoding converts characters to HTML entity notation (&amp;, &lt;) for safe inclusion in HTML documents. URL encoding (percent-encoding) converts characters to %XX notation for safe inclusion in URLs (%26 for &, %3C for <). Use HTML encoding for text in HTML contexts and URL encoding for query parameters and path segments. Both types of encoding address different injection attack vectors.