What is an HTML Entity Encoder/Decoder?

An HTML entity encoder/decoder converts special characters like <, >, &, and quotes to their HTML entity equivalents (and back). This prevents XSS vulnerabilities when embedding user content in HTML and fixes display issues with special characters.

The encoder turns characters like <, >, &, ", ' and any Unicode codepoint into named entities (&amp;, &lt;), decimal numeric refs (&#38;), or hex numeric refs (&#x26;). A scope toggle lets you encode only the five reserved characters, all special punctuation, or every non-ASCII character. Decoding reverses any of the three formats. Handy when sanitising user input for HTML output, or recovering text from HTML email exports.

How to use

  1. Paste text containing special characters or HTML entities.
  2. Choose Encode to convert characters to entities, or Decode to convert entities back to characters.
  3. Pick a format (Named, Decimal, or Hex) and a scope to control how aggressively text gets encoded.

When to use

  • Pasting code samples into a CMS that interprets < and > as tags instead of text.
  • Cleaning up HTML email or scraped content that arrived with &mdash; and &nbsp; intact.
  • Escaping user-supplied text before injecting it into a server-rendered template to block XSS.

Result

You need to display the code snippet <div class="hero"> inside an HTML paragraph. Encode it to &lt;div class=&quot;hero&quot;&gt; so the browser renders the text instead of interpreting it as markup.
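The following is an added example, not the tool's own code: a small encoder/decoder that implements the three output formats (named, decimal, hex) and the three scopes (reserved only, all special, all non-ASCII) described above, and reproduces the `<div class="hero">` result. The named-entity table is a deliberately small constructed subset, so "all special" here is assumed to mean the reserved characters plus any character that has a name in that table; characters with no name fall back to a hex numeric reference, since every codepoint has a numeric form.

```javascript
// Added example, not code from the tool this page describes.
// Constructed named-entity table: a small subset standing in for the full
// HTML5 list. Anything not in here is written as a numeric reference.
const NAMED = {
  '&': 'amp', '<': 'lt', '>': 'gt', '"': 'quot', "'": 'apos',
  '\u00A9': 'copy', '\u00A0': 'nbsp', '\u2014': 'mdash', '\u2013': 'ndash',
  '\u2018': 'lsquo', '\u2019': 'rsquo', '\u201C': 'ldquo', '\u201D': 'rdquo',
};
// Reverse map for decoding, built once from the table above.
const NAMED_REVERSE = Object.fromEntries(
  Object.entries(NAMED).map(([ch, name]) => [name, ch]));

// The five reserved characters: what body text and quoted attributes need.
const RESERVED = new Set(['&', '<', '>', '"', "'"]);

// Scope decides whether a character is encoded at all (assumed definitions).
function inScope(ch, scope) {
  const cp = ch.codePointAt(0);
  switch (scope) {
    case 'reserved': return RESERVED.has(ch);
    case 'special':  return RESERVED.has(ch) || (cp >= 0x80 && ch in NAMED);
    case 'nonascii': return RESERVED.has(ch) || cp >= 0x80;
    default: throw new Error(`unknown scope: ${scope}`);
  }
}

// Format decides how an in-scope character is written out.
function toEntity(ch, format) {
  const cp = ch.codePointAt(0);
  const hex = `&#x${cp.toString(16).toUpperCase()};`;
  switch (format) {
    case 'named':   return ch in NAMED ? `&${NAMED[ch]};` : hex; // fallback to hex
    case 'decimal': return `&#${cp};`;
    case 'hex':     return hex;
    default: throw new Error(`unknown format: ${format}`);
  }
}

function encodeEntities(text, { format = 'named', scope = 'reserved' } = {}) {
  let out = '';
  for (const ch of text) { // for..of walks codepoints, not UTF-16 units
    out += inScope(ch, scope) ? toEntity(ch, format) : ch;
  }
  return out;
}

// Numeric references outside the Unicode range, or naming a lone surrogate,
// do not denote a character; the caller keeps the original text instead.
function fromCodePointOrNull(cp) {
  if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return null;
  return String.fromCodePoint(cp);
}

// One pass over named (&name;), decimal (&#NN;) and hex (&#xNN;) references.
// Unknown names are left untouched rather than guessed.
const ENTITY_RE = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g;

function decodeEntities(text) {
  return text.replace(ENTITY_RE, (match, hex, dec, name) => {
    if (hex !== undefined) return fromCodePointOrNull(parseInt(hex, 16)) ?? match;
    if (dec !== undefined) return fromCodePointOrNull(parseInt(dec, 10)) ?? match;
    return name in NAMED_REVERSE ? NAMED_REVERSE[name] : match;
  });
}

// Context helpers: body text needs the reserved set encoded; an attribute
// value additionally needs to be quoted, with the quote character encoded.
function htmlParagraph(userText) {
  return `<p>${encodeEntities(userText)}</p>`;
}
function htmlAttribute(name, userValue) {
  return `${name}="${encodeEntities(userValue)}"`;
}

// The page's own example: the snippet rendered as text inside a paragraph.
console.log(htmlParagraph('<div class="hero">'));
// <p>&lt;div class=&quot;hero&quot;&gt;</p>
```

Decoding deliberately refuses to invent characters: an unknown name or an out-of-range numeric reference is passed through unchanged, which is the safer failure mode when recovering text from exports of unknown origin.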

FAQ

What is the difference between named and numeric HTML entities?
Named entities use readable shortcuts (&copy; for ©). Numeric entities use the Unicode codepoint (&#169; or &#xA9;). Numeric works for every Unicode character; named only covers about 250 characters defined in the HTML5 spec.
Do I need to encode every special character, or only some?
In HTML body text you only have to encode &, < and >; inside an attribute value you must also encode whichever quote character delimits it. Inside JavaScript or URL contexts the rules change. The Scope selector lets you pick: Reserved only for the five XSS-critical characters, All special for typographic punctuation plus the reserved set, or All non-ASCII for the most aggressive coverage.
Will encoding break copy-paste or screen readers?
No. Browsers decode entities before painting text, so users see and copy the original character. Screen readers also receive the decoded form. Entities are a transport format for the markup, not for the reader.
Is HTML entity encoding enough to stop cross-site scripting?
For content placed in HTML body text, yes. For attributes you also need to quote the value and encode the quote character. JavaScript context, CSS context, and URL context each need their own escape rules — encoding is layer one, not the whole story.
Why do some entities use &#x and others &#?
&#x prefixes a hexadecimal codepoint, &# prefixes decimal. Both refer to the same character (e.g. &#xA9; and &#169; both print ©). Hex is shorter for high codepoints and matches the U+ notation used in Unicode tables.