HTML Entity Encoder / Decoder
A free HTML encoder and HTML decoder for converting HTML entities online. Switch between named, numeric decimal, and hex HTML character entities, encode html online to escape XSS-critical characters for safe rendering, and decode entities back to plain text. Private, instant, and no signup.
Encoder built for developers
Three entity styles, full Unicode support.
3 encoding styles
Named (&amp;), decimal (&#38;), or hex (&#x26;).
Encode and decode
One-click switch between encoding and decoding.
XSS-critical chars
Always encodes <, >, &, ", and ' for safe HTML.
Full Unicode option
Toggle to encode every non-ASCII character.
100% private
Text never leaves your browser.
Live preview
Output updates as you type.
Who uses the HTML Encoder?
Anyone working with HTML safely.
For developers
Escape user input to prevent XSS attacks before rendering in HTML.
For technical writers
Show HTML code samples in articles without the browser interpreting them as markup.
For security testers
Decode obfuscated payloads to understand attack patterns.
For email marketers
Encode special characters in HTML email templates safely.
For CMS users
Paste code into rich-text editors without HTML interpretation.
For QA testers
Test how applications handle encoded vs decoded input.
About HTML entity encoding
Why it exists and how to use it correctly.
What HTML entities are
HTML entities are text codes that represent characters with special meaning in HTML. The less-than sign (<) starts a tag. Without encoding, "if x < 5" in your text would be parsed as the start of an unfinished tag. Entities like &lt; render as < without confusing the parser. They are essential for displaying code, comments, and any text that may contain markup characters. This HTML encoder and decoder converts text to entities and back, so a single tool covers both directions.
What is an HTML encoder
An HTML encoder is a tool that takes ordinary text and replaces every character that the browser would otherwise treat as markup with a safe entity. It is the practical answer to a recurring problem: text meant to be displayed keeps getting interpreted as code. Whether you are showing a code snippet in an article, storing user comments, or pasting content into a template, an HTML encoder guarantees the text appears exactly as written. This tool pairs encoding with an HTML decoder, so the same page handles both turning text into entities and turning entities back into text.
How to encode HTML online
To encode HTML online, keep the tool in Encode mode and paste your text. The entity output updates live as you type, ready to copy into a template or content management system. By default the encoder escapes the characters that matter for safe rendering, and you can pick named, decimal, or hex output. This is the quickest way to convert HTML entities without writing any code.
How to use the HTML decoder online
To decode entities, switch the tool to Decode mode and paste your encoded markup. The HTML decoder online turns &lt; back into <, &amp; back into &, and &#39; back into an apostrophe. It handles named entities, numeric decimal entities, and hexadecimal entities in the same pass. This is useful for cleaning up scraped pages, reading exported content, or checking what an encoded string actually contains.
The five XSS-critical characters
Five characters absolutely must be encoded when displaying untrusted content: <, >, &, ", and '. These five enable cross-site scripting (XSS) attacks if displayed raw. The phrase <script>alert(1)</script> in unencoded user input runs as code. Encoding turns it into harmless visible text. Always encode user-generated content before injecting into HTML.
Named vs numeric entities
Named entities use friendly names: &amp; for &, &copy; for ©. Numeric entities use code points: &#38; (decimal) or &#x26; (hex) for &. Both produce the same character. Named entities are more readable, but only a fixed set exists. Numeric entities cover every Unicode character, useful for emoji or unusual symbols.
HTML character entities explained
HTML character entities are the broader family that named and numeric entities both belong to. Every entity starts with an ampersand and ends with a semicolon, and the part in between is either a recognized name or a numeric code. A numeric entity code can be written in decimal, like &#169;, or in hexadecimal, like &#xA9;, and both point to the same Unicode code point. The semicolon at the end is not optional in well-formed markup, since leaving it off can cause the browser to misread the entity or swallow the character that follows. Once you see entities as code-point references rather than magic strings, picking the right one for any symbol becomes straightforward.
Common HTML entities list
A short HTML entities list covers most everyday needs. Ampersand & is &amp; (decimal &#38;, hex &#x26;). Less-than < is &lt; (&#60;), greater-than > is &gt; (&#62;). Double quote is &quot; (&#34;) and apostrophe is &#39;. A non-breaking space is &nbsp; (&#160;), the copyright symbol is &copy; (&#169;), the registered mark is &reg; (&#174;), and the trademark sign is &trade; (&#8482;). Switch the output style in the tool to see the named, decimal, or hex form of any character you paste.
The HTML entity for the trademark symbol
The trademark sign is one of the most searched single entities, so it is worth calling out on its own. The trademark symbol ™ is written as the named entity &trade;, the decimal entity &#8482;, or the hex entity &#x2122;, and all three render identically. The related copyright symbol © is &copy; (&#169;) and the registered trademark ® is &reg; (&#174;). If you only need one of these once, paste the character into the encoder and read off whichever form your project expects. If a document already shows &trade; as literal text, run it through the decoder to restore the real symbol.
HTML Unicode, charset, and character sets
Modern HTML documents are served as UTF-8, declared with a meta charset tag in the document head such as <meta charset="utf-8">. The charset tells the browser how to turn the file's bytes back into characters, and getting it wrong is the usual cause of garbled accented letters. With UTF-8 you can write most characters directly without entities, but numeric entities still help when a character is hard to type or might be mangled by an editor. Any HTML Unicode character can be written as a numeric entity using its code point, for example &#128512; for the 😀 emoji. This makes numeric entities a dependable fallback regardless of the document character set.
Encoding HTML in JavaScript and PHP
To encode HTML in JavaScript, the common pattern is replacing &, <, >, and quotes with their entities, or setting an element's textContent and reading back its innerHTML so the browser escapes the value. In PHP, the htmlentities() and htmlspecialchars() functions handle escaping, with html_entity_decode() reversing it. This online tool is a fast way to verify what your code produces or to escape a snippet without running an interpreter.
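The replace-based pattern described above, written out as an added example (not the tool's own code; encodeHtml, decodeHtml and their options are hypothetical names). It escapes the five critical characters in named, decimal or hex style, optionally every non-ASCII character, and decodes all three forms in one pass.

```javascript
// Added example; function and option names are hypothetical, not the tool's own code.
// The apostrophe has no named entity in HTML 4, so it is always emitted numerically.
const NAMED = { '&': 'amp', '<': 'lt', '>': 'gt', '"': 'quot' };

function entityFor(ch, style) {
  const cp = ch.codePointAt(0);
  if (style === 'named' && NAMED[ch]) return `&${NAMED[ch]};`;
  if (style === 'hex') return `&#x${cp.toString(16).toUpperCase()};`;
  return `&#${cp};`; // decimal, and the fallback when no name is known
}

function encodeHtml(text, { style = 'named', allNonAscii = false } = {}) {
  // A single pass over the input, so an '&' produced by an earlier
  // replacement is never escaped a second time.
  const pattern = allNonAscii ? /[&<>"']|[^\x00-\x7F]/gu : /[&<>"']/g;
  return String(text).replace(pattern, (ch) => entityFor(ch, style));
}

// Small constructed name table for decoding; the full HTML list is far longer.
const NAMES = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
  ['nbsp', '\u00A0'], ['copy', '\u00A9'], ['reg', '\u00AE'], ['trade', '\u2122'],
]);

function decodeHtml(text) {
  // Also a single pass: "&amp;lt;" decodes to the text "&lt;", not to "<".
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (m, body) => {
    if (body[0] !== '#') return NAMES.has(body) ? NAMES.get(body) : m;
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // Leave NUL, surrogates and out-of-range references as written.
    if (cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return m;
    return String.fromCodePoint(cp);
  });
}
```

The textContent/innerHTML route escapes &, < and > but leaves quotes as they are, so it is not enough for values placed inside attributes. Entity encoding covers HTML text and quoted attribute values; values placed inside script blocks, URLs or CSS need the encoding for that context.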
HTML entities in PHP and Python
Most server-side languages ship entity helpers, and it helps to know which one to reach for. In PHP, htmlspecialchars() escapes only the XSS-critical characters and is the right default for output, while htmlentities() additionally converts every character that has a named entity. In Python, the html module provides html.escape() for encoding and html.unescape() for decoding, with html.escape() handling the same critical characters by default. When framework template output and this tool differ, the cause is usually the quote handling flag or whether non-ASCII characters were escaped, and pasting the same input here makes the difference obvious.
HTML encoding vs URL encoding
HTML encoding makes text safe for display in HTML. URL encoding makes text safe for transmission in URLs. They use different syntaxes (&amp; vs %26). Pick HTML encoding for display contexts (rendering in a browser). Pick URL encoding for network contexts (passing data in a query string). Encoding the wrong way breaks both.
Why use an online HTML entities converter
An online HTML entities converter removes the guesswork from escaping by hand. Instead of memorizing entity codes or risking a typo that silently breaks a page, you paste the text and copy a correct result. It is equally useful in reverse: paste exported or scraped markup full of &amp; and &lt; sequences and the HTML decoder restores readable text. Because every conversion in this tool runs locally in your browser, you can encode html online and decode it back without uploading content, which keeps internal code samples and user data private.
How to encode and decode HTML
Three steps.
Pick mode
Encode or decode.
Choose style
Named, decimal, or hex entities.
Paste text
Plain text or encoded HTML.
Copy result
Output appears live.
Frequently asked questions
If you don't find your question here, ask us directly.
HTML entity encoding converts special characters that have meaning in HTML markup into safe text representations. The less-than sign < becomes &lt;, ampersand & becomes &amp;, quotes become &quot; and &#39;. Encoding prevents your text from being interpreted as HTML tags, which is essential for displaying user-generated content safely.
Whenever you display user input or untrusted content on a web page. Without encoding, a comment containing a malicious script tag would execute as code in the visitor's browser. Encoding turns it into harmless visible text. Also use encoding in email subject lines, code samples shown in HTML, and any context where literal symbols need to display as themselves.
Named entities use friendly names like &amp; for &, &lt; for <, &copy; for ©. Numeric entities use code points like &#38; or &#x26; for &. Both produce the same output. Named entities are more readable. Numeric entities cover every Unicode character. Our tool offers both modes.
Yes, switch to "Decode" mode. The tool will convert &lt; back to <, &amp; back to &, and so on. Decoding handles named entities (&copy;, &nbsp;), numeric decimal (&#38;), and hexadecimal (&#x26;) entities. Useful for cleaning up scraped HTML content.
By default, the tool encodes the five XSS-critical characters: <, >, &, ", and '. Toggle "Encode all non-ASCII" to also encode every character outside the ASCII range (accented Latin, CJK, emoji, etc.). The default mode is safer for most use cases. Full encoding produces larger output.
Encoded HTML entities only render as their intended characters when displayed inside HTML. In plain text, "&amp;" looks like the literal string "&amp;", not "&". Use encoding only for HTML contexts, not for plain text emails or CSV files.
Yes. The HTML encoder runs entirely in your browser. Your text is never uploaded or logged. Encoding and decoding use native JavaScript string methods. Use this tool confidently with sensitive content.
HTML entity encoding makes characters safe for HTML markup (browser display). URL encoding makes characters safe for URLs (network transmission). Both encode special characters, but use different syntaxes. HTML uses &amp; and &#38;. URLs use %26. Pick the right encoder for your context.
An HTML encoder is a tool that converts ordinary text into safe HTML entities so the browser displays it as written instead of interpreting it as markup. It is the practical fix for text that keeps being parsed as code, such as code snippets in articles or user comments. This tool pairs an HTML encoder with an HTML decoder, so a single page handles both directions.
HTML character entities are coded references to characters, written starting with an ampersand and ending with a semicolon. The part in between is either a recognized name like &copy; or a numeric code like &#169; or &#xA9;, and both numeric forms point to the same Unicode code point. The closing semicolon is required in well-formed markup, since leaving it off can cause the browser to misread the entity.
The trademark symbol can be written as the named entity &trade;, the decimal entity &#8482;, or the hex entity &#x2122;, and all three render identically. The copyright symbol is &copy; (&#169;) and the registered trademark is &reg; (&#174;). Paste the character into the encoder to see whichever form your project needs.
In JavaScript, a common approach is setting an element's textContent and reading back its innerHTML, or replacing &, <, >, and quotes with their entities. In PHP, use htmlspecialchars() to escape the XSS-critical characters or htmlentities() to convert every named-entity character. Python offers html.escape() and html.unescape(). This tool is a quick way to verify what your code produces.
The charset meta tag, usually <meta charset="utf-8">, tells the browser how to turn the file's bytes back into characters. Getting it wrong is the most common cause of garbled accented letters and symbols. With UTF-8 declared you can write most characters directly, while numeric entities remain a reliable fallback for characters that are hard to type.
Yes. This HTML entities converter is completely free, requires no signup, and has no usage limits. Every encode and decode runs locally in your browser, so code samples and user content are never uploaded. You can use it as often as you need for both encoding and decoding.