UseToolSuite

HTML Entity Encoder / Decoder

Encode special characters to HTML entities and decode HTML entities back to plain text. Supports named, decimal, and hexadecimal formats — free online tool.

What is HTML Entity Encoder / Decoder?

HTML Entity Encoder / Decoder is a free online tool that converts special characters to their corresponding HTML entities and vice versa. It supports multiple encoding modes: minimal (only HTML-special characters), named entities (using &copy;, &mdash;, etc.), decimal numeric references (&#169;), and hexadecimal references (&#xA9;). The Inspect Characters feature shows the Unicode code point, decimal, hex, and named entity for each character in your input.

When to use it?

Use the HTML Entity Encoder when you need to safely embed user-provided text into HTML pages to prevent rendering issues or XSS vulnerabilities. The different encoding modes let you choose between minimal encoding for readability or full encoding for maximum compatibility. The character inspector is useful for debugging encoding issues and understanding Unicode characters in your content.

Common use cases

Web developers use HTML Entity Encoder to sanitize user input for HTML templates, convert code snippets for display in blog posts, decode entity-encoded strings from APIs, prepare text for XML/RSS feeds, and debug double-encoded entities. Email template developers use the hex encoding mode to ensure special characters render correctly across all email clients.

Key Concepts

Essential terms and definitions related to HTML Entity Encoder / Decoder.

HTML Entity

A special sequence of characters that represents a reserved or special character in HTML. Entities start with & and end with ;. They can be named (&amp; for &), decimal (&#38;), or hexadecimal (&#x26;). Entities prevent special characters from being interpreted as HTML markup and enable the display of characters not easily typed on a keyboard.

Character Encoding

A system that maps characters to numeric values (code points) for digital storage and transmission. UTF-8 is the dominant encoding on the web, supporting all Unicode characters using 1-4 bytes per character. HTML entity encoding is a separate mechanism that works on top of character encoding to represent special HTML characters.

XSS (Cross-Site Scripting)

A web security vulnerability where an attacker injects malicious scripts into content viewed by other users. HTML entity encoding is one defense — converting < to &lt; prevents injected <script> tags from executing. However, proper XSS prevention requires context-aware output encoding across HTML, JavaScript, URL, and CSS contexts.

Frequently Asked Questions

What is the difference between named, decimal, and hexadecimal HTML entities?

Named entities use a readable name like &amp; for &. Decimal entities use a numeric code like &#38; and hexadecimal entities use a hex code like &#x26;. All three represent the same character but named entities are the most human-readable.

Which characters need to be encoded as HTML entities?

The five characters that must be encoded in HTML are: < (less than), > (greater than), & (ampersand), " (double quote), and ' (single quote/apostrophe). Encoding these prevents them from being interpreted as HTML markup or attribute delimiters.

Can I use this tool to sanitize user input for XSS prevention?

HTML entity encoding is one layer of XSS prevention, but it should not be your only defense. Proper input sanitization requires context-aware encoding (HTML, JavaScript, URL, CSS contexts) and should be handled by your web framework's security library.

Does the decoder handle all HTML5 named entities?

The decoder supports all standard HTML5 named entities including common ones like &amp;, &lt;, &gt;, and &nbsp;, as well as less common ones like &euro;, &copy;, and mathematical symbols. Over 2,000 named entities are recognized.

Troubleshooting & Technical Tips

Common errors developers encounter and how to resolve them.

XSS vulnerability: Script executes despite entity encoding

HTML entity encoding only provides protection in HTML contexts (element content and attribute values). In JavaScript contexts (onclick, onerror event handlers, or inside <script> tags), entity encoding does not prevent XSS because the browser first decodes entities, then executes JavaScript. The correct approach: apply context-aware encoding to user input — use HTML entities for HTML context, JS string escaping for JavaScript context, and percent-encoding for URL context. This tool provides quick encoding for HTML contexts.
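
The failure and the fix described above, as an added JavaScript example (not this tool's code): an onclick attribute rendered with entity encoding alone, next to the same attribute with JS-string escaping applied first. All helper names are hypothetical, the sample input is constructed, and parserDecodesAttr is a stand-in for the browser's attribute decoding that covers only the five entities used here.

```javascript
// Added example; helper names are hypothetical, sample input is constructed.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const HTML_REVERSE = Object.fromEntries(Object.entries(HTML_MAP).map(([ch, ent]) => [ent, ch]));

// HTML context: encode the five markup-significant characters.
const encodeHtml = (s) => s.replace(/[&<>"']/g, (ch) => HTML_MAP[ch]);

// Stand-in for the HTML parser: attribute values are entity-decoded
// before an event handler's source text reaches the JavaScript engine.
const parserDecodesAttr = (s) =>
  s.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => HTML_REVERSE[ent]);

// JavaScript string context: escape every non-alphanumeric UTF-16 unit as \uXXXX.
const encodeJsString = (s) =>
  s.replace(/[^A-Za-z0-9]/g, (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));

// URL context: percent-encode the value, then HTML-encode because it sits in an attribute.
const hrefFor = (q) => `<a href="/search?q=${encodeHtml(encodeURIComponent(q))}">results</a>`;

// Weak: entity encoding alone inside an onclick attribute.
const onclickEntityOnly = (name) =>
  `<button onclick="greet('${encodeHtml(name)}')">Hi</button>`;

// Corrected: JS-string escaping first, then entity encoding for the attribute.
const onclickContextAware = (name) =>
  `<button onclick="greet('${encodeHtml(encodeJsString(name))}')">Hi</button>`;

// What the JavaScript engine receives as handler source for a rendered button.
function handlerSource(buttonHtml) {
  const attr = buttonHtml.match(/onclick="([^"]*)"/)[1];
  return parserDecodesAttr(attr);
}

const sample = "');alert(1);//"; // constructed test string
console.log(handlerSource(onclickEntityOnly(sample)));   // quote from the input ends the string early
console.log(handlerSource(onclickContextAware(sample))); // input stays inside one string literal
console.log(hrefFor('a&b=<c>'));
```

In the first output the decoded quote closes the string literal and the rest of the input is parsed as code; in the second the engine sees a single literal whose value is the original input.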

Double encoding issue: &amp;amp; appearing in output

If you see double-encoded entities like &amp;amp; or &amp;lt; in your text, the encoding operation was applied again to an already-encoded string. For example, & → &amp; → &amp;amp; creates a chained conversion. This typically happens when a template engine's auto-escaping feature is used together with manual encoding. Solution: ensure data is encoded only once in the encoding pipeline. Use this tool to decode and determine how many encoding layers have been applied.
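
A way to count encoding layers in code, as an added JavaScript example (not this tool's implementation): decode one layer at a time until the string stops changing. The function names are hypothetical, the named-entity table is deliberately small, and the count is a diagnostic only, since text that legitimately contains a literal &amp;amp; will also report an extra layer.

```javascript
// Added example: count entity-encoding layers (diagnostic use only).
// The named-entity table is a small subset chosen for illustration.
const NAMED = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"], ['nbsp', '\u00A0'],
]);
const ENTITY = /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z][a-z0-9]*));/gi;

// Out-of-range numeric references are left untouched instead of throwing.
const fromCodePoint = (n, raw) => (n <= 0x10ffff ? String.fromCodePoint(n) : raw);

// Decode exactly one layer: text produced by a replacement is not rescanned,
// so "&amp;lt;" becomes "&lt;" here, not "<".
function decodeOnce(s) {
  return s.replace(ENTITY, (raw, hex, dec, name) => {
    if (hex) return fromCodePoint(parseInt(hex, 16), raw);
    if (dec) return fromCodePoint(parseInt(dec, 10), raw);
    return NAMED.get(name) ?? raw; // unknown names stay as written
  });
}

// Repeat single-layer decoding until the string is stable or maxPasses is hit.
function encodingLayers(s, maxPasses = 10) {
  let layers = 0;
  let current = s;
  while (layers < maxPasses) {
    const next = decodeOnce(current);
    if (next === current) break;
    current = next;
    layers += 1;
  }
  return { layers, decoded: current };
}

// Constructed sample strings.
for (const s of ['plain text', 'a &lt; b', 'Tom &amp;amp; Jerry', '&amp;amp;lt;b&amp;amp;gt;']) {
  console.log(JSON.stringify(s), encodingLayers(s));
}
```

A result of 2 or more points at a second encoder in the pipeline, such as manual encoding on top of template auto-escaping; remove the extra encoder rather than decoding repeatedly in production output.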

Non-breaking space (&nbsp;) not decoding or leaving invisible characters

The &nbsp; entity decodes to a non-breaking space character (U+00A0), not a regular space (U+0020). While these two characters look identical, they do not match in string comparisons and the trim() function does not remove U+00A0 characters produced by &nbsp;. This can cause unexpected behavior in database queries or form validation. Solution: after decoding, replace U+00A0 characters with regular spaces using str.replace(/\u00A0/g, " ").
