Common HTML Entity Reference
| Character | Named | Numeric | Hex | Description |
|---|---|---|---|---|
What Are HTML Entities and Why Do They Matter?
HTML entities are special character sequences that represent reserved or hard-to-type characters in HTML documents. Every entity begins with an ampersand (&) and ends with a semicolon (;). The five characters that must always be encoded in HTML content are the less-than sign (<), greater-than sign (>), ampersand (&), double quote ("), and single quote ('). Without encoding, these characters are interpreted as HTML syntax rather than literal text, which can break your page layout or — far worse — open the door to security vulnerabilities.
Three Formats: Named, Numeric, and Hexadecimal
HTML supports three entity formats that all produce the same result in the browser. Named entities use a human-readable alias defined in the HTML specification, such as &amp; for the ampersand or &copy; for the copyright symbol. They are easy to read and remember but not every Unicode character has a named entity. Numeric (decimal) entities use the Unicode code point in base-10, written as &#38;. Hexadecimal entities use base-16, written as &#x26;. Numeric and hex entities can represent any Unicode character, making them universally applicable even when a named alias does not exist.
Preventing Cross-Site Scripting (XSS) Attacks
Cross-site scripting is one of the most common web security vulnerabilities, consistently appearing in the OWASP Top 10. It occurs when an attacker injects malicious HTML or JavaScript into a web page — typically through user-generated input fields like comments, search boxes, or profile bios. If the application renders that input without encoding, the browser executes the injected script as if it were part of the legitimate page, allowing the attacker to steal cookies, hijack sessions, redirect users, or deface the site. Encoding user input so that < becomes &lt; and > becomes &gt; is the first and most fundamental defense against XSS. The browser then displays those characters as literal text rather than interpreting them as tag delimiters. This tool lets you test encoding output before integrating it into your sanitization pipeline.
Common Use Cases for HTML Entity Encoding
Beyond security, HTML entities serve many practical purposes in everyday web development. When writing code samples inside <pre> or <code> blocks, you must encode angle brackets so the browser displays them as text instead of parsing them as tags. Email templates often use entities to guarantee correct rendering across email clients that strip certain characters. Content management systems encode user submissions before storing or displaying them to prevent markup injection. RSS and Atom feeds require encoded content within CDATA sections. And entities like &nbsp;, &mdash;, &copy;, and &euro; are frequently used in text to insert special typographic and currency symbols that are not available on every keyboard layout.
Encode All vs. Encode Special Characters Only
This tool offers two encoding scopes. The "Special only" mode encodes just the five HTML-reserved characters — this is the most common approach and keeps your output readable while making it HTML-safe. The "All characters" mode converts every non-ASCII character and even basic letters into their entity representation, which is useful when you need to guarantee the output is pure 7-bit ASCII. This can be helpful when embedding HTML in environments that do not fully support UTF-8, such as certain legacy email systems, older databases with limited character set support, or when debugging encoding issues where you want to make every character's code point explicitly visible.
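The three formats and two scopes described above can be sketched in a few lines. This is an added example, not the tool's own source; the function names, the option names (`scope`, `format`) and the small named-entity table are assumptions, and the decimal fallback for characters without a named alias is one possible choice. The five-character "special" scope makes text safe for HTML element content and quoted attribute values; it is not an encoder for JavaScript, CSS or URL contexts.

```javascript
// Added example (not the tool's code). Subset of named entities, chosen for illustration.
const NAMED = {
  '&': 'amp', '<': 'lt', '>': 'gt', '"': 'quot', "'": 'apos',
  '\u00a9': 'copy', '\u20ac': 'euro', '\u00a0': 'nbsp', '\u2014': 'mdash',
};
// The five HTML-reserved characters encoded in "special" scope.
const RESERVED = new Set(['&', '<', '>', '"', "'"]);

// Return the entity for one character in the requested format.
function entityFor(ch, format) {
  const cp = ch.codePointAt(0);
  if (format === 'named' && NAMED[ch]) return `&${NAMED[ch]};`;
  if (format === 'hex') return `&#x${cp.toString(16).toUpperCase()};`;
  return `&#${cp};`; // decimal; also the fallback when no named alias is known
}

// scope: 'special' (reserved characters only) or 'all' (every character).
// format: 'named', 'numeric' or 'hex'.
function encodeEntities(text, { scope = 'special', format = 'named' } = {}) {
  let out = '';
  // for...of walks code points, so characters outside the BMP are not split
  // into two surrogate halves before encoding.
  for (const ch of text) {
    const eligible = scope === 'all' || RESERVED.has(ch);
    out += eligible ? entityFor(ch, format) : ch;
  }
  return out;
}

// Constructed sample input: a comment field containing markup.
const sampleComment = '<script>alert(1)</script>';
console.log(encodeEntities(sampleComment));
console.log(encodeEntities(sampleComment, { format: 'hex' }));
console.log(encodeEntities('caf\u00e9 \u00a9', { scope: 'all' }));
```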
How This Tool Works
This HTML entity encoder and decoder runs entirely in your web browser using client-side JavaScript. No data is transmitted to any server. In encode mode, the tool scans your input character by character and replaces each eligible character with the corresponding HTML entity in your chosen format (named, numeric, or hexadecimal). Named entities are used when available; characters without a named entity fall back to numeric or hex representation. In decode mode, the tool parses all entity formats — named, numeric, and hex — and converts them back to their original characters. Conversion happens in real time as you type, so you can see results instantly without clicking a submit button.
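Decode mode, as described above, has a few edge cases worth seeing in code. This is an added example, not the tool's own source; `decodeEntities` and the small name table are assumptions. It decodes in a single pass, so `&amp;lt;` yields the text `&lt;` rather than `<`, leaves unknown names untouched, and maps numeric references that are not valid characters to U+FFFD.

```javascript
// Added example (not the tool's code). A small subset of the named references
// defined by the HTML specification, chosen for illustration.
const NAMES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  copy: '\u00a9', euro: '\u20ac', nbsp: '\u00a0', mdash: '\u2014',
};

// Matches &name;  &#123;  and  &#x7B;  (semicolon required).
const ENTITY = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;

function decodeEntities(text) {
  // String.replace scans the input once and never rescans its own output,
  // so an already-encoded ampersand cannot trigger a second decode.
  return text.replace(ENTITY, (match, body) => {
    if (body[0] !== '#') {
      // Own-property check: "&constructor;" must not resolve through the
      // object prototype. Unknown names are left exactly as written.
      return Object.prototype.hasOwnProperty.call(NAMES, body) ? NAMES[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // NUL, surrogate halves and values past U+10FFFF are not characters;
    // substitute U+FFFD instead of throwing or emitting a broken string.
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\uFFFD';
    return String.fromCodePoint(cp);
  });
}

// Constructed sample input mixing all three formats.
console.log(decodeEntities('&lt;b&gt; &#38; &#x26; &amp;'));
console.log(decodeEntities('&amp;lt; stays encoded once'));
```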
Frequently Asked Questions
What are HTML entities used for?
HTML entities encode characters that have special meaning in HTML (like < and &) so they display as literal text. They also insert symbols not found on a standard keyboard, such as ©, €, and →. Proper encoding is essential for preventing XSS attacks and ensuring correct page rendering.
What is the difference between named and numeric entities?
Named entities like &amp; use a human-readable alias. Numeric entities like &#38; use the character's decimal Unicode code point. Hex entities like &#x26; use the hexadecimal code point. All three render identically in browsers.
How do HTML entities prevent XSS?
By converting < and > to &lt; and &gt;, user-supplied input cannot be interpreted as HTML tags or script elements. The browser displays the encoded characters as plain text instead of executing them.
Is my data sent to a server?
No. This tool processes everything locally in your browser using JavaScript. Your input never leaves your device. There is no backend, no logging, and no data storage of any kind.
This encoder and decoder is free to use with no sign-up required. Paste your HTML, choose your encoding options, and get instant results. Bookmark this page and use it whenever you need to sanitize HTML content or look up entity codes.