DevToolkit

HTML Entity Encoder & Decoder

Encode and decode HTML entities like & < >

Frequently Asked Questions

What are HTML entities?

HTML entities are sequences like &amp;, &lt;, &gt;, &quot; that represent characters with special meaning in HTML (&, <, >, "). Encoding them as entities lets browsers display the literal character instead of parsing it as a tag or attribute boundary.

When do I need this tool?

Typical cases: displaying user comments inside HTML without letting them inject markup; adding a baseline XSS defense at the rendering layer; preserving special characters (©, ®) in email templates for broad client support; and decoding double-encoded strings (&amp;amp;) scraped from other pages.

Named entities or numeric entities?

Both. Named entities (&copy;) are the most readable; numeric entities (decimal &#169; or hex &#xA9;) are the most compatible. Toggle between them when encoding; decoding accepts either form.

Does HTML entity encoding fully prevent XSS?

No. It only covers "write to an HTML text node" contexts. Attribute, JavaScript, and URL contexts each require their own escaping rules. Treat HTML entities as one layer of defense, combined with CSP and input validation.

Is my data safe?

Encoding and decoding run locally in the browser, so user comments and internal email templates are never uploaded.

How is this different from URL encoding or JavaScript string escapes?

HTML entities: ensure a character renders as text, not markup. URL encoding: keep a character legal inside URL syntax. JS string escapes: make a character legal inside a JS string (\n, \u00A9). Each addresses a different context and they are not interchangeable.
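The following is an added example, not DevToolkit's own code. It shows what the answers above describe: a text-node encoder that can emit named, decimal or hex entities; a decoder that accepts all three forms; bounded repeated decoding for double-encoded input; and a separate, stricter attribute-context encoder, to make concrete why text-node encoding alone is not enough for attribute context. All function names and the small entity table are this example's own choices; a real page would use a full entity table or the platform's encoder.

```javascript
// Added example (not DevToolkit's code): HTML entity encoding for the text-node
// context, decoding in all three forms, and an attribute-context encoder for contrast.

// Characters with HTML meaning (plus two symbols from the email-template case)
// and their named entities. The single quote has no HTML 4 named entity, so it
// falls back to numeric form in encodeText.
const NAMED_BY_CHAR = { '&': 'amp', '<': 'lt', '>': 'gt', '"': 'quot', '\u00A9': 'copy', '\u00AE': 'reg' };
const CHAR_BY_NAME = Object.fromEntries(Object.entries(NAMED_BY_CHAR).map(([c, n]) => [n, c]));
CHAR_BY_NAME.apos = "'"; // HTML5 parsers accept &apos; on input, so the decoder does too

// Encode a string for an HTML text node.
// mode: 'named' (numeric fallback for characters without a name), 'decimal', or 'hex'.
// Printable ASCII without HTML meaning passes through; everything else is encoded so the
// output survives any charset the consuming client might assume.
function encodeText(input, mode = 'named') {
  let out = '';
  for (const ch of input) {
    const cp = ch.codePointAt(0);
    const special = ch in NAMED_BY_CHAR || ch === "'";
    const whitespace = cp === 0x0a || cp === 0x0d || cp === 0x09;
    if (!special && ((cp >= 0x20 && cp < 0x7f) || whitespace)) { out += ch; continue; }
    if (mode === 'named' && ch in NAMED_BY_CHAR) out += `&${NAMED_BY_CHAR[ch]};`;
    else if (mode === 'hex') out += `&#x${cp.toString(16).toUpperCase()};`;
    else out += `&#${cp};`;
  }
  return out;
}

// Decode one layer of entities: named (from the table above), decimal, or hex.
// Unknown names and invalid code points (NUL, surrogates, out of range) are left as-is.
const ENTITY_RE = /&(#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g;
function decodeEntities(input) {
  return input.replace(ENTITY_RE, (whole, _body, hex, dec, name) => {
    if (name) return name in CHAR_BY_NAME ? CHAR_BY_NAME[name] : whole;
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return whole;
    return String.fromCodePoint(cp);
  });
}

// Decode until the string stops changing, for double- (or triple-) encoded input such
// as "&amp;amp;lt;". The round cap bounds the work on deliberately nested input.
function decodeRepeated(input, maxRounds = 5) {
  let cur = input;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEntities(cur);
    if (next === cur) return { text: cur, rounds: i };
    cur = next;
  }
  return { text: cur, rounds: maxRounds };
}

// Attribute context: encode every character except ASCII alphanumerics as &#xHH;, so a
// value cannot end the attribute even where a template left the quotes off.
function encodeAttribute(input) {
  let out = '';
  for (const ch of input) {
    out += /[A-Za-z0-9]/.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`;
  }
  return out;
}

// Constructed sample input: a user comment carrying markup, an ampersand and a symbol.
const comment = '<b>Tom & Jerry</b> say "hi" \u00A9';
console.log(encodeText(comment));             // &lt;b&gt;Tom &amp; Jerry&lt;/b&gt; say &quot;hi&quot; &copy;
console.log(encodeText('\u00A9', 'decimal')); // &#169;
console.log(encodeText('\u00A9', 'hex'));     // &#xA9;
console.log(decodeRepeated('&amp;amp;lt;'));  // { text: '<', rounds: 3 }
// Text-node encoding leaves space and '=' untouched; in an unquoted attribute a space
// ends the value, which is why attribute context needs its own rule.
console.log(encodeText('a b=c'));      // a b=c
console.log(encodeAttribute('a b=c')); // a&#x20;b&#x3D;c
```

The text-node encoder and the attribute encoder deliberately differ in what they leave alone: the first keeps output readable, the second assumes the worst about how the surrounding template quotes the value. Neither makes a string safe inside a `<script>` block or a URL, which is the point of the answer above.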
