HTML Encoder & Decoder

Encode or decode HTML entities. Convert special characters to their HTML entity equivalents.

About HTML Encode

Convert special characters to HTML entities for safe display in web pages, or decode HTML entities back to characters. Encoding helps prevent XSS attacks and ensures proper rendering.

When user-supplied text is rendered inside an HTML page, characters like <, >, &, and quotes have to be escaped — otherwise the browser interprets them as markup, which at best breaks your layout and at worst lets an attacker inject a <script> tag and run arbitrary code in your users' browsers. HTML entity encoding replaces these dangerous characters with safe representations (< becomes &lt;, > becomes &gt;, & becomes &amp;) that render as the original glyphs without being parsed as HTML.

This tool handles both directions. Encoding takes raw text and escapes every character that has special meaning in HTML, including the five core entities (&amp;, &lt;, &gt;, &quot;, &#39;) and optionally every non-ASCII character (producing numeric entities like &#8364; for the euro sign). Decoding reverses the process, converting named entities (&copy;, &mdash;, &nbsp;) and numeric entities (both decimal &#160; and hexadecimal &#xa0;) back to their original characters.

Common uses include safely displaying user-generated content, cleaning up text pasted from a rendered web page, debugging why a page shows literal "&amp;amp;" (double encoding), preparing email template content, and inspecting the raw HTML of server responses where the browser's DevTools already decoded the entities.

How to use HTML Encode
  1. Choose encode or decode

    Switch modes based on what you're doing. Encode turns <, >, &, and other characters into HTML entities. Decode converts entities back to their original form.

  2. Paste your text

    Drop in raw text (for encoding) or HTML with entities (for decoding). Any length works, from a single character to an entire document.

  3. Copy the result

    The converted output appears instantly. One click copies it to your clipboard, ready to paste into your template, database, or script.

Common use cases

Preventing XSS

Escape user-submitted content before rendering it inside HTML so a crafted payload like <script>alert(1)</script> appears as literal text instead of executing.

Displaying code in blog posts

Encode HTML or XML snippets so you can paste them into a CMS and have the tags show up as text instead of being rendered.

Decoding scraped content

Clean up text extracted from HTML pages where &amp; and &nbsp; entities need to be decoded back to their original characters.

Email template preparation

Encode user names and subject lines with special characters to prevent them from breaking HTML email layouts in Gmail, Outlook, and Apple Mail.

Frequently asked questions

Is my text sent to a server?

No. Encoding and decoding run entirely in your browser. Nothing is uploaded or logged, which matters when you're escaping user data that may contain secrets.

Which characters get escaped when encoding?

The five HTML-reserved characters — ampersand, less-than, greater-than, double quote, and apostrophe — are always escaped. You can optionally escape every non-ASCII character as a numeric entity for maximum safety in older systems.

Does it handle named and numeric entities?

Yes. The decoder recognizes named entities (&copy;, &nbsp;, &mdash;) plus decimal (&#8212;) and hexadecimal (&#x2014;) numeric forms. Unrecognized entities are left as-is rather than silently stripped.

Is this enough to prevent XSS on its own?

It's necessary but not sufficient. HTML encoding protects against text-content injection. For attribute values, you need attribute-context escaping; for JavaScript strings, JS-context escaping; for URLs, URL encoding. Use a framework's auto-escaping (React, Vue, Rails) in production — this tool is for debugging and one-off conversions.

What about double-encoding?

Encoding already-encoded text produces things like &amp;amp;lt; — a common bug when content passes through multiple templating layers. Decode once, verify, then encode once if needed.
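
The encode and decode behaviour described above (five core entities, optional numeric entities for non-ASCII, one-layer decoding that leaves unknown entities alone) and the double-encoding check, as an added JavaScript example. It is not this tool's own code; the function names, the small named-entity table and the `encodingDepth` helper are assumptions made for illustration.

```javascript
// Added example (not the tool's code). Names and the small NAMED table are assumptions.
const CORE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Constructed subset of named entities; a full decoder needs the complete HTML table.
// A Map avoids prototype lookups, so "&constructor;" is treated as unknown.
const NAMED = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
  ['nbsp', '\u00a0'], ['copy', '\u00a9'], ['mdash', '\u2014'],
]);

// Escape the five reserved characters; optionally emit numeric entities for non-ASCII.
function encodeHtml(text, { nonAscii = false } = {}) {
  const out = text.replace(/[&<>"']/g, (c) => CORE[c]);
  if (!nonAscii) return out;
  // The u flag matches whole code points, so an astral character yields one entity.
  return out.replace(/[^\x00-\x7f]/gu, (c) => `&#${c.codePointAt(0)};`);
}

// Decode exactly one layer. Unknown or invalid entities are returned unchanged.
function decodeHtml(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    if (body[0] !== '#') return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // Leave NUL, surrogates and out-of-range code points as literal text.
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : match;
  });
}

// Number of decode passes before the text stops changing. A value above 1
// suggests double encoding; it is a heuristic, since text that discusses
// entities also decodes more than once.
function encodingDepth(text, max = 5) {
  let depth = 0;
  for (let cur = text; depth < max; depth++) {
    const next = decodeHtml(cur);
    if (next === cur) break;
    cur = next;
  }
  return depth;
}

// Constructed samples: the payload string quoted on this page, then a twice-encoded tag.
console.log(encodeHtml('<script>alert(1)</script>'));
console.log(encodingDepth(encodeHtml(encodeHtml('<b>'))));
```

Because `decodeHtml` strips only one layer per call, running it once and inspecting the result follows the "decode once, verify, then encode once" advice directly.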
