HTML Entity Encoder & Decoder
What this tool does
This page helps you convert between plain text and HTML entity references:
- Encode: turns reserved characters (like
<,>,&, quotes) into entity references so the browser shows them as text instead of treating them as markup. - Decode: turns entity references (named like
&and numeric like©) back into the characters they represent.
Use it when you need to safely display user-generated text in HTML, debug template output, or convert copied HTML source into readable characters. For security: encoding is one part of preventing cross-site scripting (XSS), but you must also apply the correct escaping for the context (HTML text vs attribute vs JavaScript vs URL).
How to use (quick steps)
- Paste or type text into the Input box.
- Select an action: Encode or Decode.
- Read the output in Result, then use Copy result.
Tip: If you paste already-encoded strings (for example <) and click Encode again, you may “double-encode” the ampersand (becoming &lt;). That is expected—see Limitations & assumptions.
Why HTML entities matter
HTML uses certain characters to define structure:
<starts a tag (e.g.,<div>)&starts an entity reference (e.g.,&)"and'often delimit attribute values
If those characters appear in content that is meant to be displayed literally (for example showing a code snippet, or displaying a user’s message), they can break the document structure or introduce XSS risk. Entity encoding replaces those characters with safe sequences that the browser interprets as literal text.
Named vs numeric entities
HTML supports two main forms of entity references:
- Named entities: human-readable names, e.g.,
©→ © - Numeric entities: code points in decimal or hex, e.g.,
©or©→ ©
Numeric references map directly to Unicode code points. Conceptually, decoding a numeric entity converts an integer code point into a character.
Formulas (reference)
A numeric entity in decimal form uses a code point :
A numeric entity in hexadecimal form uses the same code point written base-16:
Where is the hexadecimal representation of . (For example, 169 decimal equals A9 hexadecimal.)
Comparison table
| Type | Example | Pros | Cons | Typical use |
|---|---|---|---|---|
| Named entity | & → & |
Readable, common for core reserved characters | Not every Unicode character has a named entity | Escaping HTML-reserved characters |
| Numeric (decimal) | © → © |
Works for any Unicode code point | Harder to read | Interchange where named entity may be unknown |
| Numeric (hex) | 😀 → 😀 |
Compact for some ranges; common in dev tools | Harder to read than named entities | Debugging, code snippets, documentation |
Worked examples
Example 1: Encode for safe display in HTML
Input:
<script>alert("XSS")</script> & friendsEncoded output (what you can safely display as text in an HTML page):
<script>alert("XSS")</script> & friendsInterpretation: The browser will render the literal characters <script>... as text instead of executing them as markup.
Example 2: Decode HTML entities copied from source
Input:
Tom & Jerry © 1990Decoded output:
Tom & Jerry © 1990Example 3: Double-encoding behavior (common pitfall)
Input:
<div>Encode output:
&lt;div&gt;This is expected: the ampersand in < is itself a reserved character, so it is encoded again.
Interpreting the result
- If your goal is displaying text inside HTML, the most important characters to encode are
&,<,>,", and'. (Some contexts require additional escaping.) - If you are decoding and the output still contains sequences like
<, it may be because the input was double-encoded (e.g.,&lt;). - Whitespace and newlines should be preserved in the output display; when copying, you’ll get the exact output string.
FAQ
Should I use named or numeric entities?
For the core reserved characters (&, <, >, quotes), named entities are conventional and readable. Numeric entities are useful when a character doesn’t have a named entity or when you prefer a direct code-point form.
Does decoding turn < into <?
Yes. Decoding converts valid entity references into their literal characters. If you have &lt;, decoding once yields <; decoding twice yields <.
Is this enough to prevent XSS?
It helps for HTML text-node context, but XSS prevention depends on context. For example, values placed inside JavaScript, CSS, or URLs require different escaping/encoding rules. Always use your framework’s recommended output-encoding functions for the exact context.
Will this convert every Unicode character into an entity?
No. Encoding here focuses on the characters that must be escaped for HTML structure. Most Unicode characters can be left as-is in UTF-8 pages. If you need “encode everything to numeric entities,” you’d use a different mode/tool.
Limitations & assumptions
- Encode scope: Encoding targets the most important HTML-reserved characters (
&,<,>,",'). It does not attempt to convert all non-ASCII characters into numeric entities. - Double-encoding: If you encode text that already contains entity references, the ampersand in those references will be encoded (e.g.,
<→&lt;). - Decoding validity: Decoding relies on the browser’s HTML parser behavior. Invalid/incomplete entities may remain unchanged or be interpreted differently depending on exact syntax.
- Context matters: This tool is for HTML entity encoding/decoding, not for JavaScript string escaping, URL encoding, SQL escaping, or CSS escaping.
- Clipboard support: Copy uses the Clipboard API when available; some browsers or privacy settings may block programmatic clipboard writes.