HTML Entities Encoder/Decoder

Encode and decode HTML special characters and entities.

Convert reserved HTML characters into their entity equivalents (&&) or decode an existing entity-encoded string back to plain text. Supports both named entities and numeric (decimal and hex) forms.

Common use cases: safely embedding user-typed content in templates that don't auto-escape, decoding scraped HTML for processing, prepping snippets for documentation that displays code as text, and inspecting what an old system's entity-encoded output actually says.

Decode

Encode

Frequently asked questions

When do I need to encode HTML entities?
Whenever user-supplied or external text gets rendered as HTML. The five characters that absolutely must be escaped in HTML text content are &, <, >, " and ', skipping any of them in a context where they're reserved is how you get broken markup or XSS vulnerabilities.
Why are there both named entities (&amp;) and numeric entities (&#38;)?
Named entities are easier to read; numeric (decimal or hex) entities work for any Unicode character. Modern HTML5 has named entities for over 2000 characters, but numeric is universally portable, useful when the recipient parser may be old.
Will this break my emojis or non-Latin characters?
No, only HTML-reserved characters are encoded. Emojis, CJK text, and accented Latin characters pass through unchanged unless you opt into encoding all non-ASCII.
Can this prevent XSS attacks?
Encoding is necessary but not sufficient. You still need to use context-appropriate escaping: HTML body, HTML attribute, JS string, and URL contexts each have different escaping rules. For user input rendered to HTML, prefer a templating engine that escapes by default plus a sanitizer like DOMPurify for HTML that must contain markup.