HTML Encoder / Decoder
Encode HTML special characters to entities or decode entities back to HTML. Essential for web developers.
Common HTML entities reference
| Character | Entity |
|---|---|
| & | `&amp;` |
| < | `&lt;` |
| > | `&gt;` |
| " | `&quot;` |
| ' | `&#39;` |
| © | `&copy;` |
| ® | `&reg;` |
| ™ | `&trade;` |
| (non-breaking space) | `&nbsp;` |
| — | `&mdash;` |
How to use HTML Encoder / Decoder
The HTML Encoder / Decoder converts special characters to HTML entities and back again. Characters such as <, >, &, " and ' have reserved meaning in HTML markup and must be replaced with their entity equivalents (`&lt;`, `&gt;`, `&amp;`, `&quot;`, `&#39;`) before being inserted into HTML documents. This prevents cross-site scripting (XSS) vulnerabilities and ensures that user-generated content displays correctly in browsers.
- Paste the text you want to encode or decode into the input field.
- Click Encode to replace HTML special characters with safe entity references.
- Click Decode to convert HTML entities back to their original characters.
- Optionally enable "Encode all non-ASCII" to also convert accented and Unicode characters to numeric entities (&#NNNN;).
- Copy the safe output ready for insertion into your HTML template or source code.
Your data never leaves your device — 100% private processing.
Named vs numeric HTML entities
HTML entities come in two forms: named entities such as `&amp;` and `&copy;`, and numeric entities in decimal (`&#169;`) or hexadecimal (`&#xA9;`) form. Named entities are defined by the HTML specification and cover common typographic and international characters. Numeric entities can represent any Unicode code point, making them universally applicable even when no named entity exists. All modern browsers support both forms.
| Character | Named entity | Decimal entity | Use case |
|---|---|---|---|
| < | `&lt;` | `&#60;` | Tag-like text in content |
| > | `&gt;` | `&#62;` | Closing angle brackets |
| & | `&amp;` | `&#38;` | Literal ampersand |
| " | `&quot;` | `&#34;` | Quotes inside attribute values |
| ' | `&apos;` | `&#39;` | Single quotes in attributes |
| © | `&copy;` | `&#169;` | Copyright symbol |
| — | `&mdash;` | `&#8212;` | Em dash in typography |
HTML encoding and XSS prevention
Cross-site scripting (XSS) occurs when an attacker injects script tags or event handlers into a page by supplying input that contains HTML syntax. If user-supplied text is rendered into a page without encoding, a string like <script>alert(1)</script> executes as JavaScript. Encoding transforms < to `&lt;` and > to `&gt;`, making the injected markup display as inert text. Server-side templating engines (Jinja2, Blade, Thymeleaf) HTML-encode by default; raw output functions such as {{ raw }} bypass this protection and should be used with great caution.
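The encode and decode steps described above, sketched in JavaScript as an added example (not this tool's own source). The function names, the small decode table and the choice to leave unknown or invalid references untouched are assumptions made for the example.

```javascript
// Added example, not the tool's source. Names and tables are assumptions.
const ENCODE = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
// Small subset of named entities; a full decoder needs the whole HTML entity list.
const DECODE = new Map([["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'],
  ["apos", "'"], ["nbsp", "\u00A0"], ["copy", "\u00A9"], ["mdash", "\u2014"]]);

// Encode the five reserved characters. With encodeNonAscii set, every code
// point above 0x7F also becomes a decimal numeric entity (&#NNNN;).
function encodeHtml(text, { encodeNonAscii = false } = {}) {
  let out = "";
  for (const ch of String(text)) { // for...of walks code points, so emoji stay whole
    const cp = ch.codePointAt(0);
    if (ENCODE[ch] !== undefined) out += ENCODE[ch];
    else if (encodeNonAscii && cp > 0x7f) out += `&#${cp};`;
    else out += ch;
  }
  return out;
}

// Decode in a single pass, so "&amp;lt;" yields the text "&lt;" and never "<".
// Decoding twice is how encoded input turns back into live markup.
function decodeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const cp = /^#x/i.test(body)
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      // NUL, surrogates and out-of-range values are left as written.
      const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
      return valid ? String.fromCodePoint(cp) : match;
    }
    return DECODE.has(body) ? DECODE.get(body) : match;
  });
}

// Untrusted text placed in element content and in a quoted attribute value.
// The quote entities are what keep the value inside the attribute.
function renderComment(untrusted) {
  const safe = encodeHtml(untrusted);
  return `<p title="${safe}">${safe}</p>`;
}
```

This encoding is only correct for HTML element content and quoted attribute values; text placed inside a script block, a URL or CSS needs the encoding of that context instead.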
Glossary
- HTML entity: A text sequence starting with & and ending with ; that represents a special character in HTML.
- XSS: Cross-Site Scripting, an attack that injects malicious scripts into web pages by exploiting unencoded output.
- Named entity: An HTML entity identified by a human-readable name, such as `&amp;` for the ampersand character.
- Numeric entity: An HTML entity identified by its Unicode code point in decimal (&#N;) or hex (&#xN;) form.
- Sanitization: Removing or neutralising dangerous HTML constructs (scripts, event handlers) from untrusted input.