
HTML Entity Encoder / Decoder Free

Escape special HTML characters (< > & " ') to their entity equivalents for safe HTML insertion, or decode HTML entities back to readable text. Supports named entities, numeric decimal, and numeric hex entities. Runs entirely in your browser.

Runs in browser · Data never uploaded · Named & numeric entities · Download output

How It Works

STEP 1

Paste Your Content

Paste any plain text or HTML fragment containing special characters that need escaping before HTML insertion. Common scenarios include displaying user-generated content safely in an HTML page, embedding code snippets in a blog post, creating HTML templates with dynamic content, or sanitizing data before writing it to the DOM. Click Sample to load a realistic example with angle brackets, ampersands, and quotes.

STEP 2

Choose Entity Style

Choose Named entities to produce human-readable output like &amp;, &lt;, &quot;. Choose Numeric decimal for universal &#38; format, or Numeric hex for &#x26; style. The "Encode ALL chars" option converts every character to its numeric entity — useful for obfuscating email addresses or embedding characters that may not render correctly in all environments.

STEP 3

Copy or Download

The encoded or decoded output appears in the right panel. Copy to clipboard for pasting into HTML files, template engines, CMS editors, or server-side code. The stats bar shows how many entities were encoded or decoded, which helps verify that all special characters in user-generated content have been properly escaped before insertion into HTML to prevent XSS vulnerabilities.

HTML Entity Encoder Features

Named, decimal, and hex entity encoding with XSS-safe character escaping

XSS-Safe Escaping

The five critical characters for XSS prevention (<, >, &, ", and ') are always escaped regardless of mode. User-generated content encoded with this tool therefore cannot be interpreted as HTML tags or attribute delimiters when it is inserted as element text or inside a quoted attribute value, which prevents script injection and cross-site scripting in HTML templates and server-rendered pages. Content placed in JavaScript, CSS, or URL attribute contexts needs different escaping.

Named Entity Support

The named entity mode converts common special characters to their standard HTML named entity equivalents: &amp;, &lt;, &gt;, &quot;, &apos;, &nbsp;, &copy;, &reg;, &trade;, &mdash;, and more. Named entities are more readable in HTML source code than numeric alternatives, making templates easier to review and audit.

Numeric Entities (Decimal & Hex)

Numeric entity modes encode every special character using its Unicode code point, either as decimal (&#60;) or hexadecimal (&#x3C;) notation. Numeric entities are supported universally in all HTML versions and are the best choice for encoding extended Unicode characters that do not have named entity equivalents, such as arrows, mathematical operators, and emoji.

Encode All Characters

The "Encode ALL chars" mode converts every character in the input to its numeric decimal entity, including ordinary letters and digits. This is used for email address obfuscation (deterring simple scrapers that do not decode entities from extracting addresses embedded in HTML), encoding characters that render incorrectly in certain character set environments, or creating maximally defensive output for legacy HTML parsers that do not handle raw Unicode.

Universal Decode

The decode function handles all three entity formats simultaneously — named (&amp;), decimal (&#38;), and hex (&#x26;) — in a single pass. It correctly decodes mixed entity types in a single string. Decoding uses the browser's native HTML parser for maximum accuracy, including support for all 2000+ named entities defined in the HTML5 specification.
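
The three entity styles, the "Encode ALL chars" option and the single-pass decode described above, as an added example (not this tool's source code). The function names and the ten-entry named table are assumptions, and decoding uses a regular expression instead of the browser's HTML parser, so only those ten names are recognized.

```javascript
// Added example, not the tool's source. All names here are hypothetical.
const NAMED = new Map([['&', 'amp'], ['<', 'lt'], ['>', 'gt'], ['"', 'quot'],
  ["'", 'apos'], ['\u00A0', 'nbsp'], ['\u00A9', 'copy'], ['\u00AE', 'reg'],
  ['\u2122', 'trade'], ['\u2014', 'mdash']]);
const BY_NAME = new Map([...NAMED].map(([ch, name]) => [name, ch]));
const CRITICAL = new Set(['&', '<', '>', '"', "'"]);

function entityFor(ch, style) {
  const cp = ch.codePointAt(0);
  if (style === 'named' && NAMED.has(ch)) return `&${NAMED.get(ch)};`;
  if (style === 'hex') return `&#x${cp.toString(16).toUpperCase()};`;
  return `&#${cp};`; // decimal; also the fallback when no name exists
}

// style: 'named' | 'decimal' | 'hex'. all=true forces decimal for every char.
// Assumption: outside "all" mode, non-ASCII characters are encoded as well.
function encodeEntities(text, { style = 'named', all = false } = {}) {
  let out = '';
  for (const ch of text) { // for...of walks code points, so emoji stay whole
    const special = CRITICAL.has(ch) || NAMED.has(ch) || ch.codePointAt(0) > 0x7E;
    if (all) out += entityFor(ch, 'decimal');
    else out += special ? entityFor(ch, style) : ch;
  }
  return out;
}

// Decodes named, decimal and hex references in ONE pass, so "&amp;lt;"
// becomes the text "&lt;" and is never decoded a second time into "<".
function decodeEntities(text) {
  const ref = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;
  return text.replace(ref, (match, body) => {
    if (body[0] !== '#') return BY_NAME.has(body) ? BY_NAME.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // NUL, surrogates and out-of-range values become U+FFFD instead of throwing.
    const invalid = cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF);
    return invalid ? '\uFFFD' : String.fromCodePoint(cp);
  });
}
```

Decoding output must happen exactly once: running `decodeEntities` twice over stored data turns an escaped `&amp;lt;` back into a live `<`.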

100% Private

All encoding and decoding runs in your browser. The decode function uses a hidden DOM text node — a standard browser technique — rather than a server call. No data is transmitted to any server. This makes the tool safe for encoding HTML fragments containing API responses, database content, user credentials, or proprietary code snippets that must not be exposed to third-party services.

Free vs Pro

Feature | Free | Pro
Encode/decode text
Named, decimal & hex entities
File upload encode
XSS audit (highlight risks)
Batch encode via API
Custom entity mappings

Frequently Asked Questions

HTML entities are special character sequences that represent characters which would otherwise be misinterpreted by an HTML parser. The < and > characters are used to open and close HTML tags, so they must be escaped as &lt; and &gt; when used as literal text. The & character starts an entity reference and must be escaped as &amp;. Quotes must be escaped in attribute values. Failure to escape these characters can cause HTML to render incorrectly or allow XSS attacks.

Named entities use descriptive names: &amp; for &, &lt; for <, &copy; for ©. Numeric entities use the Unicode code point: decimal &#38; for &, or hex &#x26;. Named entities are more readable in source code. Numeric entities work for every Unicode character (not just the ~250 that have named equivalents) and are supported by all HTML versions. Both are equivalent to the browser.

HTML entity encoding prevents XSS when user-generated content is inserted into HTML text content — for example, displaying a comment or username. By encoding <, >, &, ", and ', any attempt to inject script tags or event handlers is neutralized. However, entity encoding alone is not sufficient if content is inserted into JavaScript contexts, CSS, or URL attributes — those contexts require different escaping or sanitization strategies.
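
The context limits described above, as an added example (not this tool's code): entity encoding covers HTML text, while a URL attribute needs a scheme check and an inline script needs a JavaScript string literal. The function names, the scheme allowlist, the base URL and the sample values are assumptions made for illustration.

```javascript
// Added example, not the tool's source. Function names are hypothetical.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL attribute context: entity encoding leaves the scheme untouched, so
// check the scheme against an allowlist first, then encode for the attribute.
// The base URL is an assumed site origin used to resolve relative links.
function safeHref(value, base = 'https://example.invalid/') {
  let url;
  try { url = new URL(value, base); } catch { return '#'; }
  if (!['http:', 'https:', 'mailto:'].includes(url.protocol)) return '#';
  return escapeHtml(url.href);
}

// JavaScript context: emit a JSON string literal and hide <, > and & so the
// HTML parser never sees "</script>" or "<!--" inside the inline script.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003C').replace(/>/g, '\\u003E').replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Constructed sample inputs, one per output context.
const samples = { text: '<b>hi</b>', link: 'javascript:void(0)', name: '</script>x' };

function render(s) {
  return {
    text: `<p>${escapeHtml(s.text)}</p>`,
    link: `<a href="${safeHref(s.link)}">profile</a>`,
    script: `<script>var name = ${jsStringLiteral(s.name)};</script>`,
  };
}
```

`escapeHtml(samples.link)` returns the value unchanged, which is why the link is handled by `safeHref` and not by entity encoding alone.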

&nbsp; is the non-breaking space entity. Unlike a regular space, it prevents the browser from collapsing multiple spaces into one and prevents line breaks at that position. Use it when you need visible space between words that must stay on the same line (like "10&nbsp;km"), when you need to preserve indentation in HTML that would otherwise be collapsed, or when you need a minimum-width element that should not shrink to zero width.

To display code containing angle brackets, ampersands, or quotes in HTML, place it inside a <pre><code> block and HTML-encode the content so the browser renders it as literal text rather than parsing it as HTML. Paste your code snippet into this tool, click Encode (using Named entities mode), then wrap the output in <pre><code>...</code></pre>. This is the correct approach for documentation sites, README pages, and syntax-highlighted code blocks.

Yes — all encoding and decoding runs locally in your browser. No data is transmitted to any server. For decoding, the tool uses the browser's own HTML parsing engine via a temporary DOM text node, which never makes network requests. This makes it safe to encode HTML templates containing database contents, API responses, proprietary code, and personally identifiable information that must not be shared with third-party services.