Web

Overview

HTML Entity Encoder / Decoder

Encode special characters to HTML entities or decode entities back to plain text, with a quick-reference table.

What is How to use Example Common use cases Frequently asked questions

Category hub

Web

Problems

FAQ

Quick links

Browse hub

#html-entities #html-encode #html-decode #special-characters #xss-prevention

HTML Entity Encoder / Decoder

Encode special characters to HTML entities or decode entities back to readable text. Runs entirely in your browser.

Plain Text / HTML

Paste HTML here

Encoded Entities

Output

Result appears here

Quick Reference — Common HTML Entities

©©

®®

™™

€€

——

What you can solve

How do I display HTML code as text on a webpage?

Encode the HTML code with this tool, then wrap the output in a <pre> or <code> element. The < and > entities will render as visible angle brackets instead of being interpreted as tags by the browser.

Does encoding HTML entities prevent XSS?

Encoding user input before inserting it into HTML is one of the primary defenses against reflected and stored XSS. By converting < to < and > to >, any injected script tags become inert text. However, context matters — encoding for HTML is different from encoding for JavaScript strings or URL parameters.

Why does & in a URL break HTML validation?

HTML parsers treat & as the start of an entity reference. An unencoded & in an href attribute like href="a?x=1&y=2" is technically invalid HTML. Encode it as href="a?x=1&y=2" to make the markup valid. Modern browsers handle both, but validators and strict parsers require encoding.

How do I read HTML entity-encoded content from an email or API response?

Switch to Decode mode and paste the encoded string. The tool uses the browser's native HTML parser to resolve all entities — named, decimal, and hexadecimal — back to their original characters. This is faster and more accurate than manual entity lookup.

How do I add a non-breaking space in HTML?

Use the   entity (non-breaking space). It prevents the browser from wrapping text at that position and is invisible in the page but counts as a space character. Copy it directly from the Quick Reference table in this tool.

Typical workflow

URL Decoder Base64 Encoder / DecoderHTML Entity Encoder / DecoderURL Decoder JSON Escape and Unescape Tool

Guides for this workflow

Supporting guides that connect this tool to the broader category workflow.

Open category hub

Web guide

400 vs 401 vs 403 vs 422: A Practical API Error Triage Workflow

A concrete debugging workflow for separating malformed requests, authentication failures, permission issues, and validation errors before your team fixes the wrong thing.

Web guide

Why Access-Control-Allow-Origin Star Fails with Credentials

A practical browser-first guide to diagnosing the most common credentialed CORS mistake: returning wildcard Allow-Origin while the frontend sends cookies or auth-bound credentials.

Web guide

encodeURI vs encodeURIComponent for redirect_uri and Query Params

A practical guide to choosing the right encoding boundary for redirect_uri, nested URLs, and query parameter values before a small encoding mistake turns into a redirect bug.

Web guide

How to Read User-Agent Strings Without Overthinking Every Token

A practical guide to extracting the few user-agent signals that actually change debugging decisions, including browser family, OS, device type, and likely bot markers.

What is

What is HTML Entity Encoder / Decoder?

The HTML Entity Encoder/Decoder converts special characters into their HTML entity equivalents (encoding) or reverses the process (decoding). Encoding is essential for safely displaying user-generated content in HTML, preventing XSS attacks, and embedding special characters in HTML attributes. Decoding is useful when you receive escaped HTML and need to read or process the raw text.

The tool includes a quick-reference table of the most commonly needed entities — <, >, &, ", ©,  , and more — so you don't have to memorize them. Switch between encode and decode modes with one click, or use "Swap & Flip" to chain the output back into the input for round-trip testing.

How to use

How to use HTML Entity Encoder / Decoder

1. Choose "Encode" or "Decode" mode from the toggle.

2. Paste your text into the left panel. The result appears in the right panel immediately.

3. Click "Swap & Flip" to send the result back to the input and switch modes — useful for round-trip verification.

4. Click "Copy Result" to copy the output.

5. Click "Load Example" to prefill a sample appropriate for the current mode.

6. Use the Quick Reference table at the bottom to look up common entities.

Example

Encode mode input:
<div class="greeting">Hello "World" & <Friends></div>

Encoded output:
&lt;div class=&quot;greeting&quot;&gt;Hello &quot;World&quot; &amp; &lt;Friends&gt;&lt;/div&gt;

Decode mode — paste the encoded version back to recover the original HTML.

Common use cases

1. XSS prevention: Encode user input before inserting it into HTML to prevent injection attacks.

2. HTML template authoring: Encode special characters in CMS content or email templates that don't support raw HTML.

3. API response inspection: Decode entity-encoded strings in API responses or XML feeds to read the actual content.

4. Email HTML: Encode special characters that mail clients may misinterpret as HTML tags.

5. Documentation writing: Encode code snippets containing angle brackets for display in HTML documentation.

Frequently asked questions

What characters get encoded?v

The encoder converts the six most dangerous characters for XSS and HTML injection: < (<), > (>), & (&), " ("), ' ('), and / (/). These cover the primary attack vectors for injecting HTML or JavaScript.

Is this the same as URL encoding?v

No. HTML entity encoding is specific to HTML documents and replaces characters with &name; or &#number; sequences. URL encoding (percent-encoding) is for URL components and replaces characters with %XX sequences. Use the URL Encode tool for URL contexts.

The decode mode handles all standard HTML named entities including ©, ®, ™,  , —, and all numeric entities. The encode mode focuses on the characters that pose security risks.

Can I use this for XML entity encoding too?v

The characters encoded (< > & ") are valid XML entities as well, since XML is a superset of these escape rules. However, XML does not support named entities like © — use numeric entities (©) for those in XML.