HTML Entity Encoder / Decoder

Convert special characters to HTML entities or decode them back.

Common entities: &amp; → &   &lt; → <   &gt; → >   &quot; → "   &apos; → '   &nbsp; → (space)   &copy; → ©   &mdash; → —

HTML entities are special codes that represent characters which have reserved meaning in HTML. The angle brackets < and > define HTML tags, so to display them as literal text you must encode them as &lt; and &gt;. The ampersand & itself becomes &amp;.

Beyond reserved characters, entities are also used for characters not available on a standard keyboard — like &copy; (©), &mdash; (—), &euro; (€), and Unicode characters like &#9829; (♥). Named entities are easier to read; numeric entities (&#60;) work for any Unicode code point.

Proper encoding prevents XSS (Cross-Site Scripting) attacks where malicious <script> tags are injected into user-generated content. Any user input displayed in HTML should always be entity-encoded first. This tool handles both encoding and decoding for quick reference and testing.

Frequently asked questions

How do I encode HTML entities online?

Paste your text in the input box and click Encode →. Characters like <, >, &, and " are converted to their HTML entity equivalents (&lt;, &gt;, &amp;, &quot;), making text safe to embed in HTML.

What is the difference between named entities and numeric entities?

Named entities use a readable name (&amp; for &, &copy; for ©). Numeric entities use a Unicode code point (&#38; or &#x26;). Numeric entities work for any character; named entities only exist for a subset. This tool supports both encoding and decoding.

How do I decode HTML entities back to plain text?

Paste text containing entities (named or numeric) into the input and click ← Decode. Useful for reading scraped HTML, debugging CMS exports, or checking what entities a rich text editor produced.

When should I HTML-encode text?

Any time user-generated content is rendered inside HTML. Unencoded <script> tags in user input are a cross-site scripting (XSS) vulnerability. Most modern frameworks (React, Vue, Angular) encode by default, but if you're building raw HTML strings or using innerHTML, you need to encode manually.

Does HTML encoding prevent all XSS attacks?

It prevents injection in HTML body context, but not in every context. Attributes, JavaScript strings, URLs, and CSS each require different escaping. Full XSS prevention requires context-aware encoding — use your framework's built-in escaping rather than manual entity encoding for security-critical code.
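
The encode and decode steps described above, together with a URL-context check that shows why body-context encoding alone is not enough. This is an added example, not this tool's own code: the function names `escapeHtml`, `decodeEntities` and `safeHref`, the small named-entity table, and the scheme allowlist are assumptions made for the illustration.

```javascript
// Illustrative helpers; only a subset of named entities is included.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  nbsp: '\u00A0', copy: '\u00A9', mdash: '\u2014', euro: '\u20AC' };
// &#39; is the numeric form of &apos;.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML body / quoted-attribute context: encode the five reserved characters.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Decode named (subset above), decimal (&#60;) and hex (&#x3C;) entities in
// one pass, so "&amp;lt;" becomes "&lt;" and is not decoded twice.
// Unknown names and invalid code points are left untouched.
function decodeEntities(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    if (body[0] !== '#') {
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : match;
  });
}

// URL context: entity encoding does not change the scheme, so check the
// scheme against an allowlist before the value is placed in href or src.
function safeHref(url, fallback = '#') {
  const trimmed = String(url).trim();
  let parsed;
  try {
    // The base is a placeholder so that relative URLs can be parsed.
    parsed = new URL(trimmed, 'https://example.invalid/');
  } catch {
    return fallback;
  }
  const allowed = ['http:', 'https:', 'mailto:'];
  return allowed.includes(parsed.protocol) ? escapeHtml(trimmed) : fallback;
}

// Constructed sample input.
const comment = '<script>alert(1)</script> & "quotes"';
const link = 'javascript:alert(1)';
console.log(escapeHtml(comment)); // inert text in body context
console.log(escapeHtml(link));    // unchanged: entity encoding has nothing to encode
console.log(safeHref(link));      // rejected by the scheme allowlist
```
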