
HTML Encoder / Decoder

Convert special characters to their HTML entity equivalents (&, <, >, ", ') and decode them back to plain text.

How to use HTML Encoder

  1. Paste the text or HTML you want to convert into the input box.
  2. Click Encode to replace special characters with their HTML entities, or Decode to turn entities back into plain characters.
  3. Review the output to confirm the five reserved characters (& < > " ') are handled as you expect.
  4. Copy the result and paste it into your HTML, template, or documentation.
  5. For untrusted user input, encode it server-side before it is ever written into a page to prevent XSS.

HTML entity encoding and decoding explained

HTML encoding converts characters that have a special meaning in markup into entity references so the browser displays them as literal text instead of interpreting them as code. This tool encodes plain text into safe HTML and decodes entities back into readable characters, in both directions, entirely in your browser.

The five reserved characters

&  ->  &amp;
<  ->  &lt;
>  ->  &gt;
"  ->  &quot;
'  ->  &#39;

These are the characters HTML uses to delimit tags and attributes. If a user types 1 < 2 && 3 > 2 and you place it on a page without encoding, the browser will try to read < 2 as the start of a tag. Encoding turns it into harmless text.

Why this is a security control, not just formatting

The most common web vulnerability — cross-site scripting (XSS) — happens when untrusted input is written into a page without encoding. Imagine a comment field where someone submits <script>steal()</script>. Render it raw and every visitor runs that script. Encode it on output and the browser shows the literal text instead. Output encoding is the front-line defence, which is why frameworks like React auto-escape by default.

Named vs numeric entities

Every encodable character can be written three ways: a named entity (&copy;), a decimal numeric reference (&#169;), or a hexadecimal one (&#xA9;) — all of which render as ©. Named entities are more readable but only exist for a fixed set of characters. Numeric references work for any Unicode code point, making them the universal fallback.

Encoding vs Unicode

If your document declares <meta charset="utf-8">, you do not need to escape accented letters, currency symbols, or emoji — you can type them directly and they will render correctly. Reserve entities for the five characters that affect parsing, plus the occasional non-breaking space (&nbsp;) or invisible character you want to make explicit in source.

When to encode vs decode

Encode when you are putting text into HTML: user content, code samples in a blog post, or values inside attributes. Decode when you have received HTML-encoded text — for instance scraped from a page or pulled from an API — and want the original plain string back. This tool handles both, so you can round-trip text safely either way.
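A minimal encoder and decoder of the kind this tool runs in the browser, added here as an example (it is not the tool's own code). It encodes the five reserved characters for HTML text or quoted attribute values, decodes named, decimal and hexadecimal references back to characters, and shows the round trip on the page's `<script>steal()</script>` comment. The small `NAMED` table is an assumption standing in for the full HTML5 entity list.

```javascript
// Added example (not the tool's own code): HTML entity encoder and decoder.
// Encoding is only correct for HTML text nodes and quoted attribute values;
// URL, script and CSS contexts need their own escaping rules.

const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Assumed subset of named entities; browsers know the full HTML5 list.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", copy: "\u00A9", nbsp: "\u00A0" };

// Replace the five reserved characters so the browser shows them as text.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Decode &name;, &#NNN; and &#xHH; in a single pass, so "&amp;lt;" becomes
// "&lt;" and is not decoded twice. Unknown names and out-of-range code
// points are left as they are rather than guessed.
function htmlDecode(html) {
  return String(html).replace(
    /&(?:#[xX]([0-9A-Fa-f]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        return cp > 0x10ffff ? match : String.fromCodePoint(cp);
      }
      const ch = NAMED[name];
      return ch === undefined ? match : ch;
    }
  );
}

// True when encoding and decoding return the original string unchanged.
function roundTrips(text) {
  return htmlDecode(htmlEncode(text)) === text;
}

// Constructed sample of an untrusted comment (not real user input).
const untrusted = '<script>steal()</script> says "1 < 2 && 3 > 2"';
console.log(htmlEncode(untrusted));   // tag becomes literal text, nothing runs
console.log(roundTrips(untrusted));   // true
console.log(htmlDecode("&copy; &#169; &#xA9;")); // three spellings, one character
```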

Frequently asked questions

Which characters get escaped?
The five reserved HTML characters: ampersand (&amp;), less-than (&lt;), greater-than (&gt;), double quote (&quot;), and apostrophe (&#39; or &apos;). Encoding these is the minimum needed to safely place arbitrary text inside HTML markup or attribute values.
When should I HTML-encode user input?
Whenever you render untrusted text into an HTML page. Encoding output is the single most effective defence against cross-site scripting (XSS), because it stops a string like <script> from being interpreted as a real tag.
What is the difference between named and numeric entities?
Named entities use a mnemonic (&amp; &lt; &copy;); numeric entities use the character code (&#38; &#60; &#169;) in decimal or hex (&#x26;). Both render identically. Numeric entities work for any Unicode character even when no named entity exists.
Do I need to encode every non-ASCII character?
No. If your page is served as UTF-8 (which it should be), you can write characters like é, ©, or emoji directly. Entities are only required for the reserved characters and are useful for invisible or ambiguous ones.
Why escape the apostrophe as &#39; instead of &apos;?
Both are valid in HTML5, but &apos; was not defined in HTML4, so &#39; (the numeric reference) is the safer, more universally supported choice — particularly inside single-quoted attribute values.
Is HTML encoding the same as URL encoding?
No. HTML encoding protects characters inside HTML markup (& becomes &amp;). URL encoding (percent-encoding) protects characters inside a URL (a space becomes %20). They use different rules and contexts — use the right one for where the text will live.
Does encoding change how text looks to readers?
No. &amp; renders on screen as a plain ampersand. Encoding only changes the underlying source so the browser parses your intent correctly; the visible output is unchanged.
Is HTML encoding alone enough to stop all XSS?
It stops the most common reflected and stored XSS in HTML body context, but context matters. Text placed inside a URL attribute, inline script, or CSS needs context-specific escaping. Encoding for HTML is necessary but should be combined with a sound Content-Security-Policy.

Built by Muhammad Tahir · About