HTML Entity Encoder / Decoder

Convert special characters to their HTML entity equivalents or decode entities back to readable text. Protect your markup from rendering bugs and XSS vulnerabilities with one click.

How to Use This Tool

  1. Choose a mode — click "Encode" to convert special characters to HTML entities, or "Decode" to convert entities back to plain text.
  2. Type or paste your text or HTML markup into the input area. The output updates in real time as you type.
  3. Review the output — the converted text appears below the input, ready to copy into your code or document.
  4. Copy — click "Copy" to place the converted output on your clipboard.
  5. Clear — click "Clear" to reset both the input and output areas.

What Are HTML Entities?

HTML entities are special character sequences that represent reserved characters in HTML. Characters like <, >, & and quotation marks have syntactic meaning in HTML markup, so when you want to display them as visible text on a web page, you must replace them with entity references. For example, the ampersand character is written as &amp; and the less-than sign as &lt;. Without this encoding, the browser would interpret these characters as HTML tags or attribute delimiters, breaking your layout or creating security holes.

There are two forms of HTML entities: named and numeric. Named entities like &amp;, &lt; and &copy; use human-readable labels and are easy to recognize in source code. Numeric entities use the Unicode code point of the character in either decimal (&#38;) or hexadecimal (&#x26;) notation. While only a subset of Unicode characters have named entities, numeric entities can represent any character in the Unicode standard, including emoji and symbols from non-Latin scripts.

Encoding HTML entities is a critical defense against cross-site scripting (XSS) attacks. When user-generated content is inserted into a page without proper encoding, an attacker can inject malicious script tags that execute in other users' browsers. By converting every < and > to their entity equivalents before rendering, you ensure that untrusted input is treated as inert text rather than executable code. Modern templating engines handle this automatically, but understanding the underlying mechanism is essential for any web developer.
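As an added example that is not the tool's own source, the encoder and decoder below implement the two entity forms described above in plain JavaScript: the encoder writes the five reserved characters as entities (and, with an assumed `nonAscii` option, every code point above U+007F as a hexadecimal numeric entity), while the decoder accepts named, decimal and hexadecimal references and maps out-of-range code points to U+FFFD the way browsers do. The function names and the small named-entity table are choices made for this example.

```javascript
// Added example (not the tool's own source): a small HTML entity encoder and
// decoder in plain JavaScript. It runs in Node or a browser with no
// dependencies.

// The five reserved characters, mapped to the entity used when encoding.
// The apostrophe uses the numeric form because &apos; is only defined in
// HTML5 (and XML), while &#39; is understood by every HTML parser.
const ENTITY_FOR_CHAR = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the reserved characters. With { nonAscii: true } (an option assumed
// for this example) every code point above U+007F is also written as a
// hexadecimal numeric entity, the compatibility encoding the FAQ mentions.
function encodeHtml(text, { nonAscii = false } = {}) {
  let out = "";
  // for...of walks the string by code point, so an emoji is one iteration
  // rather than two UTF-16 surrogate halves.
  for (const ch of text) {
    const named = ENTITY_FOR_CHAR[ch];
    if (named !== undefined) {
      out += named;
    } else if (nonAscii && ch.codePointAt(0) > 0x7f) {
      out += "&#x" + ch.codePointAt(0).toString(16) + ";";
    } else {
      out += ch;
    }
  }
  return out;
}

// Named entities this decoder knows. HTML5 defines over two thousand; this
// subset is enough for the examples and is easy to extend.
const CHAR_FOR_NAME = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  copy: "\u00a9", nbsp: "\u00a0", mdash: "\u2014",
};

// Map a numeric reference to a character the way browsers do: out-of-range
// and surrogate code points become U+FFFD instead of throwing.
function charForCodePoint(cp) {
  if (cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return "\ufffd";
  return String.fromCodePoint(cp);
}

// Decode named (&amp;), decimal (&#38;) and hexadecimal (&#x26;) references.
// Unknown names are left as written, which is also what browsers do.
// Legacy references without a trailing semicolon are not handled.
function decodeHtml(text) {
  return text.replace(
    /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z][a-z0-9]*));/gi,
    (match, hex, dec, name) => {
      if (hex !== undefined) return charForCodePoint(parseInt(hex, 16));
      if (dec !== undefined) return charForCodePoint(parseInt(dec, 10));
      const ch = CHAR_FOR_NAME[name];
      return ch !== undefined ? ch : match;
    }
  );
}

// Sample input (constructed for this example).
const sample = '<a href="x">Tom & Jerry\'s</a>';
console.log(encodeHtml(sample));
console.log(decodeHtml(encodeHtml(sample)) === sample); // round trip holds
```

Because the decoder understands any numeric reference but only the named ones in its table, extending it means adding rows to `CHAR_FOR_NAME`; the encoder never needs that table, since it emits only the five reserved entities plus numeric forms.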

Frequently Asked Questions

What are HTML entities?
HTML entities are character sequences that begin with & and end with ;, used to represent characters that have special meaning in HTML or that cannot be typed directly. The five most essential entities are &amp; (ampersand), &lt; (less-than), &gt; (greater-than), &quot; (double quote) and &apos; (apostrophe). They ensure that these characters are displayed as text rather than parsed as HTML syntax.
When should I use HTML entities?
Use HTML entities whenever you embed text that might contain reserved HTML characters. This includes displaying user-submitted content, rendering code snippets inside <pre> or <code> blocks, inserting values into HTML attributes, and adding typographic symbols like the copyright sign or em dash. Most importantly, encoding untrusted input prevents XSS attacks by ensuring injected markup is rendered as harmless text.
What is the difference between named and numeric entities?
Named entities use a descriptive label (e.g. &amp; for the ampersand), while numeric entities use the Unicode code point in decimal (&#38;) or hexadecimal (&#x26;) form. Named entities are more readable but only cover a subset of characters. Numeric entities can represent any Unicode character, making them necessary for symbols and scripts that lack a named equivalent. Browsers decode both forms identically.
Why do I need to encode HTML entities?
Encoding HTML entities prevents browsers from interpreting special characters as markup. Without encoding, characters like < and > would be parsed as HTML tags, potentially breaking your page layout or creating security vulnerabilities. Encoding is especially critical when displaying user-generated content, because it neutralizes any injected script tags or malicious markup.
Do I need to encode all special characters?
No, you only need to encode characters that have special meaning in HTML. The five essential characters to encode are the ampersand (&), less-than (<), greater-than (>), double quote ("), and single quote ('). Other characters like letters, digits, and common punctuation are safe to use as-is. However, encoding non-ASCII characters like accented letters or symbols can improve compatibility across different systems and encodings.
What is XSS and how do HTML entities prevent it?
XSS (Cross-Site Scripting) is a security vulnerability where an attacker injects malicious scripts into web pages viewed by other users. When user input containing <script> tags is rendered without encoding, the browser executes the injected code, potentially stealing cookies, session tokens, or personal data. HTML entity encoding converts < and > to &lt; and &gt;, ensuring that any injected markup is displayed as harmless text rather than executed as code.
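The XSS answer above and the earlier note on inserting values into attributes, shown as an added example that is not the tool's own code: two renderers drop the same untrusted comment into one template, one encoding and one not, and a small audit function reports whether the input turned into markup. The template, the renderer and audit function names, and the sample comment are all constructed for this example. The five-character encoder used here is correct for element text and double-quoted attribute values, the two contexts in the template; values placed in URLs, script blocks or CSS need a context-specific encoder instead.

```javascript
// Added example (not the tool's own source): the XSS point shown as a
// defender's check. Two renderers put an untrusted comment into the same
// template; one encodes, one does not, and auditRender() tells them apart.

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five reserved characters. This is the right encoder for text
// content and for values inside double-quoted attributes, the two contexts
// used in the template below; it is not sufficient for URL, script or CSS
// contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Template used by both renderers: the author lands in an attribute, the
// body in element text. Both values are untrusted.
function renderUnsafe(author, body) {
  return `<div class="comment" title="${author}"><p>${body}</p></div>`;
}

function renderSafe(author, body) {
  return `<div class="comment" title="${escapeHtml(author)}"><p>${escapeHtml(body)}</p></div>`;
}

// Count tag-like tokens in an HTML string (a deliberately simple tokenizer;
// it only needs to notice that new tags appeared, not parse them fully).
function countTags(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}

// Render with the given renderer and report two signs of trouble:
//   extraTags: tags beyond what the empty template produces, i.e. the input
//              was parsed as markup rather than displayed as text;
//   rawBody:   the untrusted body appears verbatim, i.e. it was never encoded.
function auditRender(render, author, body) {
  const baseline = countTags(render("", ""));
  const html = render(author, body);
  return {
    html,
    extraTags: countTags(html) - baseline,
    rawBody: body.length > 0 && html.includes(body),
  };
}

// Constructed sample: the kind of comment the FAQ warns about. The author
// value tries to close the title attribute, the body carries a script tag.
const sampleAuthor = 'bob" title="hijacked';
const sampleBody = 'Nice post <script>alert(1)</script>';
console.log(auditRender(renderUnsafe, sampleAuthor, sampleBody)); // extraTags: 2, rawBody: true
console.log(auditRender(renderSafe, sampleAuthor, sampleBody));   // extraTags: 0, rawBody: false
```

The audit is cheap enough to run over rendered fragments in a test suite: any renderer whose output grows new tags when fed a value such as `<b>` is interpolating untrusted text without encoding it.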