
HTML Entities Encoder / Decoder

Encode special characters like <, >, and & to safe HTML entities, or decode entities back to readable text. Converts instantly in your browser.

All processing is client-side — your data never leaves your browser.

About HTML Entities

Why Encode HTML Entities?

HTML parsers interpret characters like <, >, and & as markup. If you embed user input directly into HTML without encoding, those characters break the document structure and create XSS vulnerabilities. Encoding converts them to safe representations the browser renders as text, not tags.

XSS Prevention

Cross-site scripting (XSS) attacks inject malicious <script> tags via unescaped input fields, URL parameters, or API responses rendered in the DOM. Always encode user-supplied strings before inserting them into HTML. This tool encodes the five critical characters: &, <, >, ", and '.

Safe Decoding Method

Decoding uses a browser-native technique: the entity string is assigned as the content of a hidden <textarea> element and its .value is read back, which is always plain text, because a <textarea> can contain only text and never child elements, so the parser decodes entities without ever creating a tag. This is safer than regex-based replacement because the browser's own parser handles edge cases and numeric entities like &#169; automatically.
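The encoder described above, and a decoder that stands in for the <textarea> technique where no DOM is available, as an added example that is not the tool's own source. The encoder covers the characters in the reference table; the decoder handles the named entities from that table plus decimal and hex numeric references, in a single pass. The renderComment template and its class name are constructed for illustration.

```javascript
// Added example (not the tool's own source): an HTML entity encoder for the
// characters in the reference table, and a decoder that runs in Node.js.
// The tool itself decodes with a hidden <textarea>; this regex decoder
// stands in for that where no DOM is available.

const CHAR_TO_ENTITY = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

const NAME_TO_CHAR = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", copy: '\u00a9', nbsp: '\u00a0',
};

// Encode for an HTML text or attribute context. '&' is in the set, so the
// output never contains a stray '&' that a later decode could misread.
function htmlEncode(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => CHAR_TO_ENTITY[ch]);
}

// Map a numeric reference's code point to a string. The HTML spec replaces
// NUL, surrogates and out-of-range values with U+FFFD; so does this.
function codePointToString(cp) {
  if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\ufffd';
  return String.fromCodePoint(cp);
}

// Decode in a single pass: '&amp;lt;' yields '&lt;', not '<'. Unknown names
// and references without a trailing ';' are left as written (stricter than
// a browser, which also accepts some legacy forms without the ';').
function htmlDecode(text) {
  return String(text).replace(
    /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi,
    (match, hex, dec, name) => {
      if (hex !== undefined) return codePointToString(parseInt(hex, 16));
      if (dec !== undefined) return codePointToString(parseInt(dec, 10));
      const ch = NAME_TO_CHAR[name]; // case-sensitive, like HTML's named references
      return ch === undefined ? match : ch;
    },
  );
}

// Render an untrusted string into a constructed template: the payload from
// the FAQ below comes out as inert text rather than a tag.
function renderComment(untrusted) {
  return '<p class="comment">' + htmlEncode(untrusted) + '</p>';
}

console.log(renderComment("<script>alert('xss')</script>"));
console.log(htmlDecode('&lt;b&gt; &amp; &#169; &#xA9; &copy;'));
```

The decoder deliberately refuses to recurse: a string that was encoded twice decodes to its once-encoded form, which is what a browser does and what keeps an encoder and decoder pair from amplifying a stray `&`.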

Common HTML Entities Reference

| Character | Entity Name | Numeric | Description |
|---|---|---|---|
| & | &amp; | &#38; | Ampersand — must always be encoded in HTML |
| < | &lt; | &#60; | Less-than — opens HTML tags |
| > | &gt; | &#62; | Greater-than — closes HTML tags |
| " | &quot; | &#34; | Double quote — delimits attribute values |
| ' | &#39; | &#39; | Single quote / apostrophe — used in attribute values |
| ` | &#96; | &#96; | Backtick — can be used in legacy attribute injection |
| © | &copy; | &#169; | Copyright symbol |
| (non-breaking space) | &nbsp; | &#160; | Non-breaking space |

How to use

  1. Enter your text

     Paste the HTML containing entities to decode, or type plain text containing special characters to encode.

  2. Choose Encode or Decode

     Click "Encode" to convert <, >, &, ", ' to HTML entities, or "Decode" to convert entities back to characters.

  3. Copy the result

     Use the Copy button to grab the output.

Frequently asked questions

What are HTML entities?

HTML entities are text representations of characters that have special meaning in HTML. For example, < is the less-than sign and would start an HTML tag if written directly, so it must be written as &lt; to display as literal text. Similarly, & becomes &amp;, > becomes &gt;, " becomes &quot;, and ' becomes &apos;.

When should I encode HTML in my application?

You must encode any user-provided input before inserting it into HTML to prevent Cross-Site Scripting (XSS) attacks. If a user enters <script>alert('xss')</script> and you display it unencoded, the script executes. Encoding it makes it display as literal text instead.

Which characters are most important to encode?

The five characters with special HTML meaning are: < (tag start), > (tag end), & (entity start), " (attribute delimiter), and ' (attribute delimiter in some contexts). Most templating engines handle this automatically — this tool is for cases where you need to do it manually.

What is the difference between HTML encoding and URL encoding?

HTML encoding protects characters inside HTML documents (&amp;, &lt;, etc.). URL encoding (percent-encoding) protects characters inside URLs (%26, %3C, etc.). They serve different purposes and the encoded forms are different.
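The two encoders protect different contexts, so a value that lands inside a URL that itself sits inside an HTML attribute needs both, applied in the right order. The following is an added example, not the tool's own code; the `/search?q=` route is a constructed placeholder.

```javascript
// Added example (not the tool's own source): layering URL encoding and HTML
// encoding for a user-supplied query that becomes a link. The '/search?q='
// route is a constructed placeholder.

const CHAR_TO_ENTITY = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => CHAR_TO_ENTITY[ch]);
}

// URL context first: percent-encode the query value, because a raw '&'
// would start a new parameter and '<' is not allowed in a URL at all.
function searchUrl(userQuery) {
  return '/search?q=' + encodeURIComponent(userQuery);
}

// Then the HTML attribute context: the finished URL is HTML-encoded before
// it goes between the quotes of href. encodeURIComponent leaves the
// apostrophe alone (it is legal in a URL), so without this second step
// "it's" would carry a raw quote into the attribute. The browser undoes the
// layers in reverse: it HTML-decodes the attribute, then parses the URL.
function searchLink(userQuery) {
  return '<a href="' + htmlEncode(searchUrl(userQuery)) + '">' +
    htmlEncode(userQuery) + '</a>';
}

console.log(searchLink('a&b<c'));
console.log(searchLink("it's"));
```

Note that `encodeURIComponent` on its own is not an HTML encoder: it leaves `'`, `(`, `)`, `*`, `!`, `~` untouched, which is fine inside a URL but not inside a single-quoted attribute. Picking the encoder by the context the value ends up in, rather than by the kind of data, is the whole rule.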