๐Ÿ  Home ๐Ÿ”ง Tools ๐Ÿ“ Blog ๐Ÿ‘‹ About ๐Ÿ“ฌ Contact โšก All Free Tools
๐Ÿ”ค Developer Tools โ€” Free & Instant

Free HTML Encoder & Decoder

Convert special characters to HTML entities and decode HTML entities back to plain text. Supports named, numeric (decimal) and hex entity modes with live preview.

๐Ÿ”’ Encode Entities ๐Ÿ”“ Decode Entities ๐Ÿท๏ธ Named & ๐Ÿ”ข Numeric < ๐Ÿ”ก Hex < ๐Ÿ‘๏ธ Live Preview ๐ŸŽจ Highlight ๐Ÿ“š Reference
Entity type: Named & Decimal < Hex <
Scope: Unsafe only All non-ASCII Full (every char)
โ€”
๐Ÿ“ฅ Input Text
๐Ÿ“ค Encoded Output
๐Ÿ‘๏ธ Live Browser Preview
shows how decoded output renders in browser
Preview will appear hereโ€ฆ
๐ŸŽจ Entity Highlight View
entities highlighted in orange
Encoded output with highlighted entities will appear hereโ€ฆ
๐Ÿ“š HTML Entity Reference โ€” click any to insert

What Are HTML Entities?

HTML entities are special codes used to represent characters that have a reserved meaning in HTML, or characters that cannot easily be typed on a keyboard. They begin with an ampersand (&) and end with a semicolon (;). For example, the less-than sign < must be written as &lt; in HTML to prevent it from being interpreted as the start of an HTML tag.

There are three forms of HTML entities: named entities like &amp;, &lt; and &copy;; decimal numeric entities like &#60; (for <); and hexadecimal numeric entities like &#x3C;. All three forms are supported by all modern browsers and produce identical output.

The 5 Essential HTML Characters to Escape

CharacterNamed EntityDecimalHexWhy escape it?
&&amp;&#38;&#x26;Starts all HTML entities โ€” must be encoded first
<&lt;&#60;&#x3C;Starts HTML tags โ€” creates XSS vulnerabilities
>&gt;&#62;&#x3E;Closes HTML tags
"&quot;&#34;&#x22;Breaks out of HTML attribute values
'&apos;&#39;&#x27;Breaks out of single-quoted attribute values

HTML Encoding and XSS Prevention

Cross-Site Scripting (XSS) is one of the most common web vulnerabilities. It occurs when user-supplied input containing HTML or JavaScript is inserted into a page without proper escaping. An attacker might submit a value like <script>alert('XSS')</script> which, if unencoded, executes as JavaScript in the victim's browser. Properly HTML-encoding all user input before rendering it in HTML contexts converts those characters into harmless entities that display as text.

Always encode user input at the point of output (when inserting into HTML), not at the point of input. Different contexts (HTML body, HTML attributes, JavaScript, CSS, URLs) require different escaping strategies โ€” HTML encoding alone is not sufficient inside <script> blocks or URL attributes.

HTML Encoding in Code

Most languages have built-in functions for HTML encoding. In PHP: htmlspecialchars($str, ENT_QUOTES, 'UTF-8'). In Python: html.escape(str). In JavaScript (browser): create a text node โ€” document.createTextNode(str).textContent. In Node.js: use the he or entities npm package. In Java: StringEscapeUtils.escapeHtml4(str) from Apache Commons. In C# .NET: HttpUtility.HtmlEncode(str) or WebUtility.HtmlEncode(str).