HTML Entity Encoder / Decoder
Free online HTML entity encoder and decoder. Convert <, >, &, quotes and special characters to safe HTML entities (and back) instantly. Built-in reference table for 20+ common entities. Runs entirely in your browser.
| Character | Entity Name | Entity Number | Description |
|---|---|---|---|
How to Use the HTML Entity Encoder
- Paste raw text or HTML into the Plain Text panel to encode it — the tool converts <, >, &, quotes, and slashes to HTML entities in real time.
- Paste already-encoded HTML into the Encoded HTML Entities panel to decode it back into plain text.
- Click Encode → or ← Decode to run a conversion manually, or use the copy buttons to grab the result.
What Are HTML Entities?
HTML entities are escape codes that represent reserved or special characters in HTML. Characters like <, >, and & have structural meaning — they open tags, close tags, and start entity references — so they must be escaped when you want them to render as visible text.
Every entity has two forms:
- Named: &amp;, &lt;, &copy; — readable but limited to a fixed set of names.
- Numeric: &#38; (decimal) or &#x26; (hex) — works for any Unicode code point.
The Five Characters You Must Always Encode
| Char | Named | Numeric | Why |
|---|---|---|---|
| & | &amp; | &#38; | Starts every entity reference |
| < | &lt; | &#60; | Opens HTML tags |
| > | &gt; | &#62; | Closes HTML tags |
| " | &quot; | &#34; | Closes attributes quoted with " |
| ' | &apos; | &#39; | Closes attributes quoted with ' |
When to Encode HTML
- User-generated content. Always encode before inserting into HTML to prevent XSS (cross-site scripting). This is the most common and most dangerous HTML injection vector.
- Code blocks and documentation. When showing HTML inside a <pre> or <code> tag, the markup itself needs to be encoded so the browser renders it as literal text instead of real tags.
- Email newsletters. HTML emails often need encoded entities for characters like ©, ®, ™, and curly quotes.
- JSON embedded in HTML. If you ship a JSON blob inside a <script> tag, escape </ to avoid breaking out of the script context.
HTML Encoding and XSS Prevention
HTML encoding is the first line of defense against cross-site scripting (XSS). If you render user input directly into HTML without encoding, an attacker can inject a <script> tag that runs on every visitor's browser — stealing cookies, session tokens, or rewriting the page. Encoding converts <script> into &lt;script&gt;, which renders harmlessly as text.
Real-world apps almost always delegate encoding to their framework:
- React / Vue / Svelte — automatic when you use {variable} or {{variable}} syntax.
- Handlebars / Mustache — {{variable}} is escaped; {{{variable}}} is raw (dangerous).
- Server-side templates — most (Jinja2, Liquid, ERB) auto-escape by default but can be disabled per tag.
Use this tool when you need to encode a literal string by hand or debug a template that isn't auto-escaping.
Named vs Numeric Entities
Named entities (&copy;) are easier to read in source code. Numeric entities (&#169;) work for every Unicode code point — including emoji and non-Latin characters that have no named form. Both render identically in the browser; use whichever is more convenient.
Related Developer Tools
Need to encode URLs or Base64 instead? Try the URL encoder and Base64 encoder. For shrinking stylesheets, use the CSS minifier.
Frequently Asked Questions
Which characters must be encoded in HTML?
At minimum, encode & (ampersand), < (less-than), > (greater-than), and the quote character used for your attribute values (" or '). Encoding both quote types and the forward slash adds extra safety for any context.
What is the difference between named and numeric entities?
Named entities like &amp; are easier to read in source. Numeric entities like &#38; (decimal) or &#x26; (hex) reference any Unicode code point, including characters that have no named entity (emoji, CJK characters, math symbols).
Does HTML encoding prevent XSS?
Yes, for the HTML context. Encoding <, >, &, and quotes prevents an attacker from injecting <script> tags or breaking out of attribute values. Note that other contexts (JavaScript strings, URLs, CSS) require different escaping — HTML encoding alone is not a complete XSS defense.
How do I encode non-breaking spaces and special symbols?
Use the reference table on this page. Common ones: &nbsp; (non-breaking space), &copy; (©), &reg; (®), &trade; (™), &mdash; (—), &ndash; (–), &euro; (€), &pound; (£), &yen; (¥).
Does this HTML encoder work offline?
Yes. All encoding and decoding happens in your browser — nothing is sent to a server. You can disconnect from the internet and keep using the tool.
What's the difference between HTML encoding and URL encoding?
They are different contexts. HTML encoding protects characters inside HTML markup (< becomes &lt;). URL encoding protects characters inside URLs (a space becomes %20). You sometimes need to apply both — for example, an HTML attribute containing a URL with a space.
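
The context-specific escaping described in the answers above (HTML text and attributes, JSON inside a <script> tag, a URL inside an attribute), as an added example that is not this tool's own code. The function names, the /search path and the lang parameter are assumptions made for illustration, and the sample input is constructed.

```javascript
// Added example; function names and the /search URL are illustrative.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// HTML text and quoted-attribute context: the five characters from the table.
// One pass over the input, so an '&' emitted by a replacement is never re-encoded.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Numeric references outside the Unicode range are left untouched.
function safeFromCodePoint(cp, original) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : original;
}

// Decoder for decimal, hex and the five named entities above. Also a single
// pass: "&amp;lt;" decodes to the text "&lt;", not to "<".
function decodeHtml(text) {
  const pattern = /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z]+));/g;
  return String(text).replace(pattern, (match, dec, hex, name) => {
    if (dec) return safeFromCodePoint(parseInt(dec, 10), match);
    if (hex) return safeFromCodePoint(parseInt(hex, 16), match);
    // Own-property check so names like "constructor" are not resolved.
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
  });
}

// JSON inside <script>: entities are not decoded there, so escapeHtml is the
// wrong tool. Writing '<' as \u003c keeps "</script" out of the page source.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// URL inside an attribute needs both layers: percent-encode the parameter
// for the URL, then entity-encode the finished URL for the attribute.
function searchLink(query) {
  const url = '/search?q=' + encodeURIComponent(query) + '&lang=en';
  return '<a href="' + escapeHtml(url) + '">results</a>';
}

// Constructed sample input.
const sample = 'Tom & "Jerry" </script>';
console.log(escapeHtml(sample));
console.log(decodeHtml(escapeHtml(sample)) === sample);
console.log(jsonForScript({ name: sample }));
console.log(searchLink('a b&c'));
```
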