HTML Encoder / Decoder
Encode special characters to HTML entities or decode HTML entities back to text. Handles all named and numeric entities with live preview.
Why Encode HTML Entities?
HTML encoding converts special characters like <, >, &, and " into their entity equivalents (&lt; &gt; &amp; &quot;). This prevents browsers from interpreting those characters as HTML markup, which is essential for displaying code snippets on web pages, preventing cross-site scripting (XSS) attacks, and safely embedding user-generated content.
Without encoding, a string like <script>alert('hello')</script> would be executed as JavaScript by the browser instead of displayed as text. Encoding it to &lt;script&gt;alert('hello')&lt;/script&gt; ensures it renders as visible text. This is one of the most fundamental security practices in web development.
Common HTML Entities
| Character | Entity Name | Entity Number | Used For |
|---|---|---|---|
| & | &amp; | &#38; | Ampersand in text and URLs |
| < | &lt; | &#60; | Less-than sign, opening HTML tags |
| > | &gt; | &#62; | Greater-than sign, closing HTML tags |
| " | &quot; | &#34; | Double quotes inside attributes |
| ' | &apos; | &#39; | Single quotes (apostrophes) |
|   | &nbsp; | &#160; | Non-breaking space |
When to Encode vs Decode HTML
Encode when you are inserting dynamic content into an HTML page, displaying user input, showing code examples, or building HTML strings in JavaScript. Any text that might contain angle brackets, ampersands, or quotes should be encoded before being placed into HTML.
Decode when you are reading HTML source and want to see the actual characters, extracting text content from HTML for use in a non-HTML context, or processing scraped web content. Decoding converts entities like &amp; back to & and &lt; back to <.
Frequently Asked Questions
What is XSS and how does HTML encoding prevent it?
XSS (Cross-Site Scripting) is a security vulnerability where an attacker injects malicious scripts into web pages viewed by other users. HTML encoding prevents this by converting characters like < and > into harmless entity references. The browser displays the encoded text instead of executing it as code.
Should I encode all characters or just special ones?
For most purposes, you only need to encode the five special HTML characters: & < > " and '. Regular letters, numbers, and common punctuation do not need encoding. Some tools offer full encoding that converts every character to its numeric entity, but this is only necessary in rare edge cases.
Does this tool handle Unicode characters?
Yes. Characters outside the basic ASCII range can be encoded to their numeric HTML entities (for example, &#169; for the copyright symbol). The decoder handles both named entities like &copy; and numeric entities like &#169; or &#xA9;.
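The five-character encoding and the named/numeric decoding described above, as an added example (not this tool's own source code). The function names, the short named-entity table and the sample strings are assumptions made for illustration.

```javascript
// Added example: a minimal encoder/decoder, not the tool's implementation.
const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
// Assumption: a tiny named-entity table; a full decoder carries the complete HTML list.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00A0", copy: "\u00A9" };

// Encode the five special characters in one pass, so the "&" emitted by one
// replacement is never encoded a second time.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Decode named, decimal and hex entities in one pass. A single pass matters:
// "&amp;lt;" must become the text "&lt;", not the character "<".
function decodeHtml(html) {
  const entity = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;
  return String(html).replace(entity, (match, body) => {
    if (body[0] !== "#") {
      // Unknown names are left exactly as written.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === "x" || body[1] === "X";
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Leave NUL, surrogates and out-of-range code points untouched instead of throwing.
    if (code === 0 || code > 0x10ffff || (code >= 0xd800 && code <= 0xdfff)) return match;
    return String.fromCodePoint(code);
  });
}

// Constructed sample input.
const sample = `<script>alert('hello')</script> & "quoted"`;
console.log(encodeHtml(sample));
console.log(decodeHtml("&copy; &#169; &#xA9; &amp;lt;"));
```

This encoder is meant for HTML text and quoted attribute values; other contexts such as URLs or inline JavaScript need their own encoding.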
Related Tools
URL Encoder / Decoder
Encode and decode URLs and query parameters. Supports encodeURIComponent for params and encodeURI for full URLs
Base64 Encoder / Decoder
Encode text to Base64 or decode Base64 back to text. Supports UTF-8 with auto-convert mode and copy buttons
JSON Formatter & Validator
Format, minify and validate JSON with syntax highlighting. Shows error locations, key count, nesting depth and size stats