Encode special characters to HTML entities and decode HTML entities back to plain text. Supports named, decimal, and hexadecimal formats — free online tool.
HTML Entity Encoder / Decoder is a free, browser-based tool
from UseToolSuite's
Encoding & Decoding Tools collection.
All processing happens locally on your device — your data is never uploaded to any server.
Use the tool below, then scroll down for detailed documentation, frequently asked questions, and related resources.
What is HTML Entity Encoder / Decoder?
HTML Entity Encoder / Decoder is a free online tool that converts
special characters to their corresponding HTML entities and vice versa.
It supports multiple encoding modes: minimal (only HTML-special characters),
named entities (using ©, —, etc.), decimal numeric
references (©), and hexadecimal references (©). The
Inspect Characters feature shows the Unicode code point, decimal, hex,
and named entity for each character in your input.
When to use it?
Use the HTML Entity Encoder when you need to safely embed user-provided
text into HTML pages to prevent rendering issues or XSS vulnerabilities.
The different encoding modes let you choose between minimal encoding for
readability or full encoding for maximum compatibility. The character
inspector is useful for debugging encoding issues and understanding
Unicode characters in your content.
Common use cases
Web developers use HTML Entity Encoder to sanitize user input for HTML
templates, convert code snippets for display in blog posts, decode
entity-encoded strings from APIs, prepare text for XML/RSS feeds, and
debug double-encoded entities. Email template developers use the hex
encoding mode to ensure special characters render correctly across
all email clients.
Essential HTML entities every developer should know
The five most critical HTML entities prevent rendering and security issues: & for ampersands, < and > for angle brackets, " for double quotes in attributes, and ' for single quotes. Beyond these, creates non-breaking spaces, — produces em dashes, and © renders the copyright symbol. Failing to encode user-generated content with proper entities is the root cause of XSS (Cross-Site Scripting) vulnerabilities.
Encode reserved characters, not every character
HTML reserves a small set of characters because they control markup. Everything else is just text:
| Character | Encode in… | Named entity |
|---|
< | content | < |
> | content | > |
& | content & attributes | & |
" | double-quoted attributes | " |
' | single-quoted attributes | ' / ' |
If a character isn’t structurally significant in the spot you’re putting it, it doesn’t need encoding. That’s the whole rule — and it’s why an entity encoder is a precision tool, not something to blanket-apply to your text.
The XSS truth: encoding is context-specific
The single most important thing to understand is that HTML entity encoding only protects the HTML context — element content and attribute values. The browser decodes entities before handing text to other parsers, so entity-encoding does nothing in these places:
- JavaScript context (
onclick, inline <script>) — needs JS string escaping; entities are decoded then executed.
- URL context (
href, src) — needs percent-encoding, and javascript: URLs must be blocked entirely.
- CSS context (inline
style) — needs CSS escaping.
So “I HTML-encoded the input, am I safe from XSS?” — only if the input lands in an HTML context. Defense-in-depth means encoding for the specific context where the data is used, which is why frameworks ship context-aware escapers rather than one universal encode function.
Named, decimal, or hex — does it matter?
All three forms render identically — &, &, and & all produce &. Named entities are the most human-readable and are the right default for hand-written HTML. Numeric forms (decimal/hex) matter when a character has no named entity, or for maximum parser compatibility in older or non-HTML contexts (XML, for instance, only defines five named entities). Use named for readability; reach for numeric for the long tail of symbols.
The invisible-character gotcha
One decode result trips people constantly: decodes to a non-breaking space (U+00A0), which looks identical to a normal space but is a different character. It won’t match " " in comparisons and trim() won’t remove it — a frequent cause of “why does this string equality fail?” bugs. After decoding, if you need plain text, normalize U+00A0 to a regular space. The decoder here handles 2,000+ named entities, so you can paste encoded text and see exactly what it resolves to, invisible characters included.
How helpful was this tool?
Click to rate
Awesome! Glad it helped.
We don't have a marketing budget. The best way to support this free tool is by sharing it with other developers!
Help us improve!
Sorry it didn't meet your expectations. We're always looking to make these tools better. What was missing or broken?
Open GitHub Issue