HTML Entity Encoder / Decoder
Encode text to HTML entities and decode HTML entities back to plain text. Supports named, decimal, and hexadecimal entity formats.
<div class="box">Hello & "World" <br/> it's fine</div>
Encoded characters
| Character | Entity | Named | Decimal | Hex |
|---|---|---|---|---|
| < | &lt; | &lt; | &#60; | &#x3C; |
| | |   |   | |
| " | &quot; | &quot; | &#34; | &#x22; |
| > | &gt; | &gt; | &#62; | &#x3E; |
| & | &amp; | &amp; | &#38; | &#x26; |
| ' | &apos; | &apos; | &#39; | &#x27; |
About HTML Entity Encoding
HTML entities are sequences that represent characters with special meaning in HTML. The five reserved HTML characters (<, >, &, ", and ') must be escaped as entities when they appear in text content or attribute values; otherwise the browser interprets them as HTML markup. Failing to escape user-provided content is one of the most common causes of XSS (Cross-Site Scripting) vulnerabilities.
HTML supports three entity formats: named entities (&amp;, &lt;, &copy;) are the most readable and cover common symbols; decimal numeric (&#38;) and hexadecimal numeric (&#x26;) entities can represent any Unicode code point. Named entities only exist for a predefined set of characters; for everything else, numeric entities are required. The character breakdown table shows all three formats side by side for each encoded character.
All encoding and decoding runs locally in your browser. The tool supports the full Unicode range: emoji, accented characters, CJK, Greek, and mathematical symbols are all handled correctly.
Frequently Asked Questions
When do I need to encode HTML entities?
Whenever you insert untrusted text into HTML. This includes user input displayed in a page, API data rendered in templates, and any content that might contain <, >, or &. Modern templating engines (React JSX, Jinja2, Handlebars) auto-escape by default. If you bypass auto-escaping (e.g., dangerouslySetInnerHTML in React), you must escape manually.
What is the difference between named and numeric entities?
Named entities (&amp;, &copy;) are human-readable aliases for specific characters. Numeric entities (&#169; or &#xA9;) reference the Unicode code point directly and work for any character. Named entities are defined by the HTML specification; not every character has one. All modern browsers support both formats.
Is &nbsp; the same as a regular space?
No. &nbsp; is a non-breaking space (Unicode U+00A0). Unlike a regular space, it prevents line breaks between the words it separates, and multiple &nbsp; characters are not collapsed into one by the browser. It is used to force spacing in HTML or prevent orphaned words at line breaks.
How is HTML entity encoding related to XSS prevention?
HTML entity encoding is a key defense against reflected and stored XSS attacks. If an attacker submits <script>alert(1)</script> as input and your application outputs it without encoding, the browser executes the script. Encoding it as &lt;script&gt; makes the browser render it as visible text, not executable code. Always encode for the context you are outputting into (HTML body, attribute, JavaScript, CSS: each has different escaping rules).
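The three entity formats from the "About" section and the XSS example above, as an added JavaScript example that is not the tool's own source. NAMED is a constructed subset of the HTML named-entity table, and the sample strings at the bottom are constructed inputs.

```javascript
// Added example (not the tool's own code): a minimal HTML entity encoder/decoder
// covering the named, decimal and hexadecimal forms discussed on this page.
// NAMED is a constructed subset of the HTML named-entity table, not the full list.
const NAMED = { "<": "lt", ">": "gt", "&": "amp", '"': "quot", "'": "apos",
                "\u00A0": "nbsp", "\u00A9": "copy" };
const BY_NAME = Object.fromEntries(Object.entries(NAMED).map(([ch, n]) => [n, ch]));

// Encode the five reserved characters (plus nbsp and ©) in the requested format.
// Any other character, emoji included, passes through untouched.
function encodeHtml(text, format = "named") {
  return text.replace(/[<>&"'\u00A0\u00A9]/g, (ch) => {
    const cp = ch.codePointAt(0);
    if (format === "decimal") return `&#${cp};`;
    if (format === "hex") return `&#x${cp.toString(16).toUpperCase()};`;
    return `&${NAMED[ch]};`;
  });
}

// Decode named, decimal and hex entities. Unknown names are left as-is (browsers do
// the same); out-of-range or surrogate code points decode to U+FFFD, as the HTML
// parser does, so a malformed entity cannot smuggle an unexpected character through.
function decodeHtml(text) {
  return text.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g, (m, body) => {
    // hasOwnProperty so that "&constructor;" cannot reach Object.prototype
    if (body[0] !== "#") return Object.prototype.hasOwnProperty.call(BY_NAME, body) ? BY_NAME[body] : m;
    const cp = /^#[xX]/.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    if (cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return "\uFFFD";
    return String.fromCodePoint(cp);
  });
}

// Per-character breakdown in the style of the tool's "Encoded characters" table.
function breakdown(text) {
  const rows = new Map();
  for (const ch of text) {
    if (/[<>&"'\u00A0\u00A9]/.test(ch) && !rows.has(ch)) {
      rows.set(ch, { char: ch, named: encodeHtml(ch), decimal: encodeHtml(ch, "decimal"),
                     hex: encodeHtml(ch, "hex") });
    }
  }
  return [...rows.values()];
}

// Constructed sample: the page's own input, and the classic reflected-XSS probe.
console.log(encodeHtml('<div class="box">Hello & "World" <br/> it\'s fine</div>'));
console.log(encodeHtml("<script>alert(1)</script>")); // shown as text, never executed
console.table(breakdown('<div class="box">Hello & "World"</div>'));
```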