⚡ DevToolKit

HTML Entity Encoder/Decoder

Encode special characters like <, >, &, and quotes into their HTML entity equivalents, or decode HTML entities back to readable text. Essential for safely embedding content in HTML, preventing XSS attacks, and working with web content.

How to use

  1. Paste your text or HTML snippet into the input box.
  2. Choose Encode to convert reserved characters like <, >, &, and quotes into HTML entities.
  3. Use Decode to turn entity-encoded strings (for example, &lt;div&gt;) back into readable text.
  4. Copy the result into your template, CMS editor, or Markdown where escaping is required.
  5. When debugging, check for double-encoding issues (like &amp;amp;) by decoding once and comparing outputs.

FAQ

When should I HTML-escape text?

Escape text when inserting untrusted or user-generated content into HTML so it’s treated as text, not markup.

Does encoding HTML entities prevent XSS by itself?

Escaping helps in text contexts, but XSS prevention depends on correct, context-aware encoding (HTML, attributes, URLs, JS). Follow your framework’s escaping guidelines.

Can I decode HTML entities from an email or CMS export?

Yes. Paste the entity-encoded text and use Decode to restore readable characters.

Is my input sent to a server for encoding/decoding?

No. Encoding/decoding runs entirely in your browser; your content stays local.

What’s the difference between named and numeric entities?

Named entities look like &nbsp; and numeric entities look like &#160; (or hex like &#xA0;). Both represent characters safely in HTML.
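
The encode and decode steps, the decode-once-and-compare check for double encoding from the how-to, and the named, decimal and hex entity forms from the last answer can be sketched as follows. This is an added example, not the tool's own code; the function names, the small named-entity table and the sample string are assumptions made for illustration.

```javascript
// Illustrative names; this is not the tool's own code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Small named-entity table for the demo; the HTML spec defines many more.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

// Encode reserved characters for HTML text and quoted attribute values.
// This is not the right encoding for URL or JavaScript contexts.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Decode exactly one level of named, decimal and hex entities.
function decodeHtmlOnce(text) {
  const pattern = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g;
  return String(text).replace(pattern, (match, body) => {
    if (body[0] !== '#') {
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Leave NUL, out-of-range and surrogate code points untouched.
    if (code === 0 || code > 0x10ffff || (code >= 0xd800 && code <= 0xdfff)) return match;
    return String.fromCodePoint(code);
  });
}

// Count decode passes until the text stops changing.
// 0 = no entities, 1 = encoded once, 2 or more = double (or deeper) encoding.
// A hint only: text that legitimately discusses entities also scores 2.
function encodingDepth(text, maxPasses = 5) {
  let current = String(text);
  for (let depth = 0; depth < maxPasses; depth++) {
    const next = decodeHtmlOnce(current);
    if (next === current) return depth;
    current = next;
  }
  return maxPasses;
}

// Constructed sample: a CMS export that was escaped twice.
const sample = 'Tom &amp;amp; Jerry &amp;lt;b&amp;gt;';
console.log(encodingDepth(sample), decodeHtmlOnce(sample));
```

A depth of 2 or more on stored content usually means it was escaped once on input and again on output; escape once, at the point of output.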