HTML Entity Encoder / Decoder
Escape text for safe use in HTML, or decode entities like &amp;amp; back to readable characters.
About the HTML Entity Encoder / Decoder
Five characters have special meaning in HTML: <, >, &, ", and '. Put them in a page as raw text and the browser interprets them as markup instead of showing them. Entity encoding replaces them with safe representations like &amp;lt; so they display as characters.
Encode when you need to show code, markup, or user-supplied text inside an HTML page. Decode when you have text from a feed, a scraper, or a database export that arrived full of &amp;amp; and &amp;#39; and you want it readable again. Decoding here uses the browser's own parser, so every named and numeric entity is understood.
The security angle matters: failing to encode user input before putting it in HTML is the root cause of cross-site scripting (XSS). Frameworks like React do this encoding automatically; if you are building HTML strings by hand, you must do it yourself.
Frequently asked questions
Which characters must be encoded in HTML?
At minimum: < > & inside content, plus quotes inside attribute values. This tool encodes all five special characters, which is safe everywhere. Other Unicode characters do not need encoding in UTF-8 pages.
What is the difference between &#39; and &apos;?
Both represent an apostrophe. &#39; is the numeric form and works everywhere; &apos; is a named entity that was not defined in older HTML versions. This tool emits the numeric form for maximum compatibility.
Does encoding protect against XSS?
Encoding user input before inserting it into HTML content prevents the most common form of XSS. It is not sufficient for every context: URLs, JavaScript strings, and CSS need their own escaping rules.
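The encoding described above, applied to an HTML string built by hand, together with the URL caveat from the last answer. This is an added example, not this tool's own code; escapeHtml, safeHref and renderComment are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example: escapeHtml, safeHref and renderComment are hypothetical names.
const ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;', // numeric form, as the FAQ recommends for compatibility
};

// Encode the five HTML-special characters for element content and
// quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// URL context: entity encoding does not look at the scheme, so a link
// target needs its own rule. Here only http(s) and relative URLs pass.
function safeHref(url) {
  try {
    // The base is a placeholder so relative URLs parse; it is never emitted.
    const parsed = new URL(url, 'https://example.invalid/');
    return ['http:', 'https:'].includes(parsed.protocol) ? url : '#';
  } catch {
    return '#';
  }
}

// Build markup by hand: every untrusted value is encoded at the point
// where it enters the HTML string, and the href is checked first.
function renderComment(name, comment, homepage) {
  return `<p title="${escapeHtml(name)}">${escapeHtml(comment)} ` +
         `<a href="${escapeHtml(safeHref(homepage))}">site</a></p>`;
}

// Constructed sample input.
console.log(renderComment(
  'Ann "A"',
  "<script>alert('x')</script>",
  'javascript:alert(1)'
));
```

The encoded comment displays as literal text, while the link target is replaced because encoding alone would have left its scheme intact.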