HTML Entity Encoder / Decoder
Encode or decode HTML entities — escape <, >, &, quotes, and special characters with named, decimal, or hex output.
Why encode HTML entities?
Prevent XSS attacks
Encoding user-supplied text before injecting it into HTML is the single most important defence against cross-site scripting. The browser treats <script> as a literal string instead of executing it.
Valid markup, every time
Stray ampersands, unescaped angle brackets, and unmatched quotes silently break HTML parsers. Encoding the five core characters guarantees the document validates and renders as intended.
Reliable special characters
Symbols like © ® ™ €, em-dashes, and smart quotes can mis-encode across legacy systems. Numeric entities (&#169;) survive any charset misconfiguration.
Email & RSS compatibility
Email clients and RSS readers vary wildly in their HTML support. Entity-encoded output is the safest lowest-common-denominator for newsletters, feeds, and embeds.
How to use this encoder
01
Paste your text
Drop in raw HTML, plain text with special characters, or already-encoded markup. The tool detects what you need based on the direction toggle.
02
Choose Encode or Decode
Encode turns < > & " ' and friends into safe entities. Decode reverses any &name;, &#dec;, or &#xhex; reference back to the original character.
03
Pick an encoding mode
HTML-unsafe only (just the five core chars), Named entities (&copy;, &mdash;), Numeric decimal (&#169;), or Numeric hex (&#xA9;). Each survives different downstream systems.
04
Copy or swap
Click Copy to grab the result, or ⇅ Swap to round-trip the output back into the input — handy for verifying that a decode reverses your encode exactly.
Common entity reference
| Char | Named | Numeric | Note |
|---|---|---|---|
| < | &lt; | &#60; | Open tag |
| > | &gt; | &#62; | Close tag |
| & | &amp; | &#38; | Always encode first |
| " | &quot; | &#34; | Inside attributes |
| ' | &apos; | &#39; | No named entity in HTML4 |
| © | &copy; | &#169; | Copyright |
| ® | &reg; | &#174; | Registered |
| ™ | &trade; | &#8482; | Trademark |
| — | &mdash; | &#8212; | Em-dash |
| – | &ndash; | &#8211; | En-dash |
| … | &hellip; | &#8230; | Ellipsis |
|   | &nbsp; | &#160; | Non-breaking space |
Encoding patterns
XSS
<!-- ❌ Dangerous: untrusted input -->
<div>Hello, ${name}</div>
<!-- if name = "<script>alert(1)</script>" the script runs -->
<!-- ✅ Safe: encode first -->
<div>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</div>
Attributes
<!-- Quotes in attributes -->
<a href="/search?q=cats &amp; dogs" title="Click &quot;here&quot;">Go</a>
Symbols
<!-- Symbols via numeric entities -->
<p>&copy; 2025 · &reg; Brand &mdash; All rights reserved.</p>
<p>&#169; 2025 · &#8212; same thing, numeric form</p>
Pro tips
01
Encode & first
Always replace & before the others — otherwise &lt; becomes &amp;lt;. Real encoders handle this automatically; if you ever roll your own, do & first.
02
Attributes need extra care
Double-quoted attribute values must escape ", single-quoted must escape '. Many XSS attacks rely on closing the attribute prematurely — encode both forms when in doubt.
03
Don't double-encode
If your framework already encodes output (React, Vue, Astro all do), passing entity-encoded text in shows literal &amp; in the DOM. Encode at the boundary, not at every layer.
04
Numeric entities are universal
Named entities depend on the doctype. Numeric decimal or hex (&#169; / &#xA9;) work in HTML, XHTML, XML, and SVG without exception — preferred for portable content.
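The "Encode & first" and attribute tips above, shown as an added example (not this tool's source code; every function name here is hypothetical). It puts a single-pass encoder next to two sequential ones so the double-encoding caused by handling & last is visible, and adds a numeric-decimal mode.

```javascript
// Added example, not this tool's source; all function names are hypothetical.
const CORE = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Single pass: each input character is visited once, so an ampersand
// produced by a replacement is never encoded a second time.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => CORE[ch]);
}

// Sequential replaces with "&" handled LAST: demonstrates the ordering bug.
function encodeAmpLast(text) {
  return String(text)
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/&/g, "&amp;"); // also hits the "&" inside "&lt;" and "&gt;"
}

// Sequential replaces with "&" handled FIRST: same output as the single pass.
// Both quote forms are escaped so the result is safe in either attribute style.
function encodeAmpFirst(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Numeric-decimal mode: the five core characters plus anything outside ASCII.
function encodeNumeric(text) {
  return Array.from(String(text), (ch) => {
    const cp = ch.codePointAt(0);
    return cp > 126 || ch in CORE ? `&#${cp};` : ch;
  }).join("");
}

// Constructed sample input, reusing the payload shown on this page.
const sample = `Tom & Jerry's "<script>alert(1)</script>"`;
console.log(encodeHtml(sample));
console.log(encodeAmpLast("<b>"), "vs", encodeAmpFirst("<b>"));
console.log(encodeNumeric("© 2025 — ok"));
```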