HTML Entity Encoder & Decoder
Encode special characters like angle brackets, ampersands, and quotes into safe HTML entities, or decode entities such as &amp; and &rsquo; back into readable text. Decoding understands both named and numeric entities. Everything runs locally in your browser, so snippets and scraped content never leave your device.
How it works
HTML entities are how special characters are written safely inside HTML: &lt; for the less-than sign, &amp; for the ampersand, &copy; for the copyright symbol. This tool works in both directions. Encode mode escapes the five characters that can break or change markup (ampersand, angle brackets, and both quote styles), and can optionally escape every non-ASCII character as a hex numeric entity. Decode mode turns entities back into readable text.
Decoding uses the browser's own HTML parser through DOMParser, which knows the full table of more than two thousand named entities, so obscure names like &rsquo; and &hellip; decode correctly, alongside decimal and hex numeric forms. Parsing happens as inert document text; scripts in the input are never executed, and nothing you paste leaves your browser.
The optional non-ASCII escaping iterates by Unicode code point, so an emoji or any character outside the Basic Multilingual Plane becomes one entity such as &#x1F600; rather than two broken surrogate halves. That output is useful when a file must survive transport through systems that mangle UTF-8.
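The encode path described above, written out as an added example (not this tool's source code): it escapes the five markup characters and optionally escapes non-ASCII by code point, next to a code-unit loop that shows the split-surrogate failure. The function names, the use of &apos; for the single quote, and the substitution of U+FFFD for an unpaired surrogate are assumptions of this example.

```javascript
// Added example, not the tool's source. Function names are hypothetical.
const NAMED = new Map([
  ['&', '&amp;'],
  ['<', '&lt;'],
  ['>', '&gt;'],
  ['"', '&quot;'],
  ["'", '&apos;'], // assumption: the page does not say which form it emits for '
]);

const hexEntity = (n) => '&#x' + n.toString(16).toUpperCase() + ';';

// Escapes the five markup characters; optionally escapes non-ASCII by code point.
function encodeHtml(text, { escapeNonAscii = false } = {}) {
  let out = '';
  // for...of yields whole code points, so a surrogate pair arrives as one item.
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    if (NAMED.has(ch)) {
      out += NAMED.get(ch);
    } else if (escapeNonAscii && cp > 0x7f) {
      // An unpaired surrogate is not a valid character reference: emit U+FFFD.
      out += hexEntity(cp >= 0xd800 && cp <= 0xdfff ? 0xfffd : cp);
    } else {
      out += ch;
    }
  }
  return out;
}

// Contrast case (non-ASCII handling only): indexing by UTF-16 code unit
// splits any character outside the Basic Multilingual Plane in two.
function encodeByCodeUnit(text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const unit = text.charCodeAt(i);
    out += unit > 0x7f ? hexEntity(unit) : text[i];
  }
  return out;
}

const sample = 'Tom & Jerry \u{1F600}'; // constructed input
console.log(encodeHtml(sample, { escapeNonAscii: true }));
console.log(encodeByCodeUnit(sample)); // two surrogate references, not one entity
console.log(encodeHtml(encodeHtml('Tom & Jerry'))); // double-encoding
```

An HTML parser treats each surrogate-range reference from the code-unit loop as an error and substitutes a replacement character, so the original emoji cannot be recovered from that output.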
How to use it
- Choose Encode to escape plain text for HTML, or Decode to turn entities back into text.
- Paste your text into the input box.
- In encode mode, tick the non-ASCII option if accented letters, symbols, or emoji should become numeric entities too.
- Read the result in the output panel and click Copy output.
Worked examples
Input: Encode: <a href="page.html">Tom & Jerry</a>
Output: &lt;a href=&quot;page.html&quot;&gt;Tom &amp; Jerry&lt;/a&gt;
All five unsafe characters are replaced, so the string can be shown inside a page as text.
Input: Decode: caf&eacute; &#8211; 3&#x2030;
Output: café – 3‰
Named, decimal, and hex entities all decode in one pass.
Edge cases and limits
- Decoding needs a browser environment because it relies on DOMParser; the output panel fills in after the page has loaded.
- Decode mode parses the input as HTML text, so actual tags in the input are dropped rather than preserved; it extracts the text content.
- Encode mode always escapes all five unsafe characters; there is no option to leave quotes alone for element-content-only escaping.
- Escaping is context-blind. Text destined for a URL, a CSS string, or a script block needs that context's own escaping rules, not HTML entities.
Common mistakes
- Double-encoding: running already-encoded text through encode again turns &amp; into &amp;amp;, which renders as a visible &amp;. Decode first if you are unsure what state the text is in.
- Escaping an entire HTML document and expecting it to still render. Encoding is for untrusted text placed inside markup, not for the markup itself.
- Relying on hand-escaping for security in production code instead of the templating engine's automatic, context-aware escaping.
Frequently asked questions
Which characters must be escaped in HTML?
At minimum the ampersand, less-than, and greater-than characters, because they start entities and tags. Inside attribute values you should also escape double and single quotes. This tool escapes all five by default, which is the safe set for both element content and attributes.
What is the difference between named and numeric entities?
A named entity uses a mnemonic like &copy; for the copyright sign, while a numeric entity uses the character's Unicode code point, like &#169; or hex &#xA9;. Browsers treat them identically. The decoder here accepts both forms; the encoder emits named entities for the common five and numeric entities when you enable non-ASCII escaping.
Can this tool help prevent cross-site scripting (XSS)?
Escaping untrusted text before inserting it into HTML is a core XSS defence, and this tool shows exactly what that output looks like. For production code, use your framework's built-in escaping or templating rather than hand-escaping strings, since context matters: attributes, URLs, and scripts each need different rules.
Why does my decoded text show a question mark or box instead of a symbol?
The entity decoded correctly to a Unicode character, but the font you are viewing it in has no glyph for it. Copy the output into the destination application; the character itself is intact.