UseToolSuite UseToolSuite

HTML Entity Encoder / Decoder

Encode special characters to HTML entities and decode HTML entities back to plain text. Supports named, decimal, and hexadecimal formats — free online tool.

Last updated

HTML Entity Encoder / Decoder is a free, browser-based tool from UseToolSuite's Encoding & Decoding Tools collection. All processing happens locally on your device — your data is never uploaded to any server. Use the tool below, then scroll down for detailed documentation, frequently asked questions, and related resources.

Advertisement

What is HTML Entity Encoder / Decoder?

HTML Entity Encoder / Decoder is a free online tool that converts special characters to their corresponding HTML entities and vice versa. It supports multiple encoding modes: minimal (only HTML-special characters), named entities (using ©, —, etc.), decimal numeric references (©), and hexadecimal references (©). The Inspect Characters feature shows the Unicode code point, decimal, hex, and named entity for each character in your input.

When to use it?

Use the HTML Entity Encoder when you need to safely embed user-provided text into HTML pages to prevent rendering issues or XSS vulnerabilities. The different encoding modes let you choose between minimal encoding for readability or full encoding for maximum compatibility. The character inspector is useful for debugging encoding issues and understanding Unicode characters in your content.

Common use cases

Web developers use HTML Entity Encoder to sanitize user input for HTML templates, convert code snippets for display in blog posts, decode entity-encoded strings from APIs, prepare text for XML/RSS feeds, and debug double-encoded entities. Email template developers use the hex encoding mode to ensure special characters render correctly across all email clients.

Essential HTML entities every developer should know

The five most critical HTML entities prevent rendering and security issues: & for ampersands, < and > for angle brackets, " for double quotes in attributes, and ' for single quotes. Beyond these,   creates non-breaking spaces, — produces em dashes, and © renders the copyright symbol. Failing to encode user-generated content with proper entities is the root cause of XSS (Cross-Site Scripting) vulnerabilities.

Encode reserved characters, not every character

HTML reserves a small set of characters because they control markup. Everything else is just text:

CharacterEncode in…Named entity
<content&lt;
>content&gt;
&content & attributes&amp;
"double-quoted attributes&quot;
'single-quoted attributes&#39; / &apos;

If a character isn’t structurally significant in the spot you’re putting it, it doesn’t need encoding. That’s the whole rule — and it’s why an entity encoder is a precision tool, not something to blanket-apply to your text.

The XSS truth: encoding is context-specific

The single most important thing to understand is that HTML entity encoding only protects the HTML context — element content and attribute values. The browser decodes entities before handing text to other parsers, so entity-encoding does nothing in these places:

  • JavaScript context (onclick, inline <script>) — needs JS string escaping; entities are decoded then executed.
  • URL context (href, src) — needs percent-encoding, and javascript: URLs must be blocked entirely.
  • CSS context (inline style) — needs CSS escaping.

So “I HTML-encoded the input, am I safe from XSS?” — only if the input lands in an HTML context. Defense-in-depth means encoding for the specific context where the data is used, which is why frameworks ship context-aware escapers rather than one universal encode function.

Named, decimal, or hex — does it matter?

All three forms render identically — &amp;, &#38;, and &#x26; all produce &. Named entities are the most human-readable and are the right default for hand-written HTML. Numeric forms (decimal/hex) matter when a character has no named entity, or for maximum parser compatibility in older or non-HTML contexts (XML, for instance, only defines five named entities). Use named for readability; reach for numeric for the long tail of symbols.

The invisible-character gotcha

One decode result trips people constantly: &nbsp; decodes to a non-breaking space (U+00A0), which looks identical to a normal space but is a different character. It won’t match " " in comparisons and trim() won’t remove it — a frequent cause of “why does this string equality fail?” bugs. After decoding, if you need plain text, normalize U+00A0 to a regular space. The decoder here handles 2,000+ named entities, so you can paste encoded text and see exactly what it resolves to, invisible characters included.

How helpful was this tool?

Click to rate

Advertisement

Key Concepts

Essential terms and definitions related to HTML Entity Encoder / Decoder.

HTML Entity

A special sequence of characters that represents a reserved or special character in HTML. Entities start with & and end with ;. They can be named (&amp; for &), decimal (&#38;), or hexadecimal (&#x26;). Entities prevent special characters from being interpreted as HTML markup and enable the display of characters not easily typed on a keyboard.

Character Encoding

A system that maps characters to numeric values (code points) for digital storage and transmission. UTF-8 is the dominant encoding on the web, supporting all Unicode characters using 1-4 bytes per character. HTML entity encoding is a separate mechanism that works on top of character encoding to represent special HTML characters.

XSS (Cross-Site Scripting)

A web security vulnerability where an attacker injects malicious scripts into content viewed by other users. HTML entity encoding is one defense — converting < to &lt; prevents injected <script> tags from executing. However, proper XSS prevention requires context-aware output encoding across HTML, JavaScript, URL, and CSS contexts.

Frequently Asked Questions

What is the difference between named, decimal, and hexadecimal HTML entities?

Named entities use a readable name like &amp; for &. Decimal entities use a numeric code like &#38; and hexadecimal entities use a hex code like &#x26;. All three represent the same character but named entities are the most human-readable.

Which characters need to be encoded as HTML entities?

The five characters that must be encoded in HTML are: < (less than), > (greater than), & (ampersand), " (double quote), and ' (single quote/apostrophe). Encoding these prevents them from being interpreted as HTML markup or attribute delimiters.

Can I use this tool to sanitize user input for XSS prevention?

HTML entity encoding is one layer of XSS prevention, but it should not be your only defense. Proper input sanitization requires context-aware encoding (HTML, JavaScript, URL, CSS contexts) and should be handled by your web framework security library.

Does the decoder handle all HTML5 named entities?

The decoder supports all standard HTML5 named entities including common ones like &amp;, &lt;, &gt;, and &nbsp;, as well as less common ones like &euro;, &copy;, and mathematical symbols. Over 2,000 named entities are recognized.

Do I need to encode accented characters like é or emoji as entities?

No — not on a modern UTF-8 page, which is virtually every page today. Because UTF-8 can represent every Unicode character directly, you can write é, ñ, 中, or 😀 literally in your HTML and it displays correctly. The only characters you genuinely must encode are the reserved ones that have meaning in markup: < > & in content, plus " ' inside attribute values. Encoding accented letters into &eacute; was a workaround for legacy single-byte encodings; with `<meta charset="utf-8">` it's unnecessary noise. Encode the reserved five; leave the rest as readable UTF-8.

My framework already escapes output — should I encode again?

No, and doing so causes the classic double-encoding bug. Modern templating engines (React JSX, Vue, Handlebars, Jinja, Razor) auto-escape interpolated values by default, so if you ALSO run the value through an entity encoder you get &amp;amp; and &amp;lt; showing up literally on the page. Pick one layer: let the framework escape on output, and store/handle raw values everywhere else. Manual entity encoding is for cases where you're hand-writing static HTML or deliberately rendering raw markup — not on top of an auto-escaping template.

Troubleshooting & Technical Tips

Common errors developers encounter and how to resolve them.

XSS vulnerability: Script executes despite entity encoding

HTML entity encoding only provides protection in HTML contexts (element content and attribute values). In JavaScript contexts (onclick, onerror event handlers, or inside <script> tags), entity encoding does not prevent XSS because the browser first decodes entities, then executes JavaScript. The correct approach: apply context-aware encoding to user input — use HTML entities for HTML context, JS string escaping for JavaScript context, and percent-encoding for URL context. This tool provides quick encoding for HTML contexts.

Double encoding issue: &amp;amp; appearing in output

If you see double-encoded entities like &amp;amp; or &amp;lt; in your text, the encoding operation was applied again to an already-encoded string. For example, & → &amp; → &amp;amp; creates a chained conversion. This typically happens when a template engine's auto-escaping feature is used together with manual encoding. Solution: ensure data is encoded only once in the encoding pipeline. Use this tool to decode and determine how many encoding layers have been applied.

Non-breaking space (&nbsp;) not decoding or leaving invisible characters

The &nbsp; entity decodes to a non-breaking space character (U+00A0), not a regular space (U+0020). While these two characters look identical, they do not match in string comparisons and the trim() function does not remove U+00A0 characters produced by &nbsp;. This can cause unexpected behavior in database queries or form validation. Solution: after decoding, replace U+00A0 characters with regular spaces using str.replace(/\u00A0/g, " ").

Related Guides

In-depth articles covering the concepts behind HTML Entity Encoder / Decoder.

Advertisement

Related Tools