Your data is never sent to a server or stored anywhere. All processing happens in your browser.

HTML Entity Encoder / Decoder — Escape Special Chars


How to Use


Type or paste text into the input area. In Encode mode, special HTML characters (&, <, >, ", ') are converted to their entity equivalents. In Decode mode, HTML entities are converted back to their original characters. Supports named entities (&amp;, &lt;, &copy;), decimal (&#65;), and hexadecimal (&#x41;) numeric references.

HTML Entities


HTML entities are special codes used to represent characters that have meaning in HTML markup. For example, < and > define HTML tags, so to display these characters as text, you must use &lt; and &gt;. The ampersand (&) starts every entity, so a literal ampersand must itself be written as &amp;. Entity-encoding untrusted text before it is placed in HTML is essential for preventing XSS vulnerabilities and for ensuring the HTML renders correctly.

Use Cases


  • XSS (cross-site scripting) prevention — escape user input before rendering it in HTML
  • Embedding code snippets in blog posts — display tag characters correctly inside <pre> blocks
  • Building HTML email templates — ensure special characters render consistently across email clients
  • CMS content sanitization — neutralize HTML syntax in user-submitted posts and comments

Commonly Used HTML Entities


  • &amp; → & (ampersand) — the starting character of every entity
  • &lt; → < / &gt; → > (angle brackets) — required to distinguish from HTML tags
  • &quot; → " (double quote) — used inside attribute values
  • &apos; → ' (single quote) — used inside attributes and JavaScript strings
  • &nbsp; → non-breaking space — a space that prevents line breaks
  • &copy; → © / &reg; → ® — copyright and registered trademark symbols
  • &mdash; → — / &ndash; → – — em dash and en dash
  • &hellip; → … — horizontal ellipsis

Privacy


All encoding and decoding happens entirely in your browser. No data is sent to a server, stored, or logged. You can safely encode HTML containing sensitive content.

FAQ


What is the difference between HTML entity encoding and URL encoding?

HTML entity encoding escapes characters that have meaning in markup (&, <, >, quotes) so they display as text, e.g. < becomes &lt;. URL encoding (percent-encoding) escapes characters for use inside a URL, e.g. a space becomes %20. This tool does HTML entity encoding only, not URL encoding.

Is it safe to encode HTML that contains private or sensitive text?

Yes. All encoding and decoding runs entirely in your browser — nothing is uploaded, logged, or stored on a server. You can safely process text that includes internal content or personal data.

Does decode support both decimal and hexadecimal numeric references?

Yes. Decode mode handles named entities (&amp;, &lt;, &copy;), decimal numeric references such as &#65;, and hexadecimal references such as &#x41; — all three resolve back to their original characters.

Which characters does Encode mode actually escape?

Encode mode escapes the five characters that are significant in HTML: & (&amp;), < (&lt;), > (&gt;), " (&quot;), and ' (&apos;). Ordinary letters, numbers, and most symbols are left unchanged.

Can I use this to prevent XSS in user-generated content?

Encoding special characters before inserting untrusted text into HTML is a key part of XSS prevention, and this tool produces correctly escaped output. For production, apply escaping in your own code at render time rather than pre-encoding stored data.
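The encode and decode behaviour described on this page, applied at render time, as an added example (not this tool's own source). The function names, the small named-entity table and the sample input are assumptions made for illustration.

```javascript
// Added example: the five-character escape and a decoder for named,
// decimal and hexadecimal references. Names here are hypothetical.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };

// Only the named entities listed on this page; a full decoder needs the whole HTML table.
const NAMED = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00A0",
  copy: "\u00A9", reg: "\u00AE", mdash: "\u2014", ndash: "\u2013", hellip: "\u2026",
};

// Single pass over the input, so the "&" written by one replacement
// is never escaped again by a later one.
function encodeEntities(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Single pass for decoding too: "&amp;lt;" becomes "&lt;", not "<".
function decodeEntities(text) {
  const pattern = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;
  return String(text).replace(pattern, (whole, body) => {
    if (body[0] !== "#") {
      // Unknown names are left exactly as written.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : whole;
    }
    const isHex = body[1] === "x" || body[1] === "X";
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Out-of-range values and lone surrogates are left untouched.
    const valid = code > 0 && code <= 0x10ffff && !(code >= 0xd800 && code <= 0xdfff);
    return valid ? String.fromCodePoint(code) : whole;
  });
}

// Render-time escaping: the stored value stays raw and the template escapes it.
function renderComment(rawComment) {
  return `<p class="comment">${encodeEntities(rawComment)}</p>`;
}

// Constructed sample input standing in for a stored user comment.
const stored = `<script>alert("x")</script> Tom & Jerry's`;
console.log(renderComment(stored));

// Pre-encoding stored data and escaping again at render time double-encodes it.
console.log(encodeEntities(encodeEntities("Tom & Jerry")));
```

This escape covers text placed in element content or in a quoted attribute value; other contexts such as URLs or script blocks need their own encoding.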