HTML Encoder/Decoder
Encode characters like <, >, & into HTML entities, or decode them back. Optional non-ASCII to numeric entities. Browser-based, nothing uploaded.
Why Encode?
Encoding user input stops malicious scripts from executing in a browser.
Special characters in content must be encoded to produce valid, well-formed HTML documents.
Encoding ensures characters like angle brackets display as text rather than being parsed as tags.
Tip
Always encode user-generated content before inserting it into HTML. Server-side encoding is the primary defense against XSS, but client-side encoding adds an extra layer of safety.
What is the HTML Encoder/Decoder?
HTML entity encoding turns characters with special meaning in HTML (<, >, &, ", ') into their entity equivalents (&lt;, &gt;, &amp;, and so on) so the browser displays them as text instead of parsing them as markup. It's the cornerstone defense against cross-site scripting (XSS) when rendering user-supplied content.
How to use the HTML Encoder/Decoder
1. Paste your text or HTML
   Drop the source on the left to encode, or paste a string of HTML entities on the right to decode.
2. Optionally include non-ASCII
   Toggle "Encode all non-ASCII characters" if you need every accented letter, emoji, or CJK character converted to a numeric entity. Useful for legacy systems.
3. Click Encode or Decode
   The matching button runs the conversion. Output appears in the opposite pane.
4. Copy and use it
   Tap the copy icon next to the field you want. Paste the encoded form anywhere user input goes into HTML, or paste decoded text into your editor.
Frequently Asked Questions
What characters are encoded?
The five HTML special characters by default: & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot;, and ' becomes &#39;. Toggle the non-ASCII option to also encode every character outside the basic ASCII range as a numeric entity.
Why do I need to encode HTML?
To stop user-supplied content from being parsed as HTML or JavaScript. If a comment field contains <script>alert(1)</script> and you render it raw, you've created an XSS hole. Encoding turns those angle brackets into &lt; and &gt;, so the browser shows the text without executing it.
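The encoding described in the two answers above, as an added example that is not the tool's own source: `encodeHtml` and `decodeHtml` are hypothetical names, the apostrophe is emitted as `&#39;`, and the decoder is a limited stand-in that covers numeric references and four named entities rather than the browser's full table.

```javascript
// Added example, not the tool's own code. Names are hypothetical.
const ENCODE = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;'],
]);
const DECODE = { amp: '&', lt: '<', gt: '>', quot: '"' };

// Encode in a single pass over the input. Chained replace() calls that
// handle '&' after '<' would double-encode ('<' -> '&lt;' -> '&amp;lt;').
function encodeHtml(text, encodeNonAscii = false) {
  let out = '';
  // for...of walks code points, so an emoji stored as a surrogate pair
  // becomes one reference (&#128512;) rather than two invalid halves.
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    if (ENCODE.has(ch)) out += ENCODE.get(ch);
    else if (encodeNonAscii && cp > 0x7f) out += `&#${cp};`;
    else out += ch;
  }
  return out;
}

// Decode decimal/hex references and the four named entities in one pass,
// so '&amp;lt;' yields the text '&lt;' and is never decoded a second time.
function decodeHtml(text) {
  const ref = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|(amp|lt|gt|quot));/g;
  return String(text).replace(ref, (match, hex, dec, name) => {
    if (name) return DECODE[name];
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    // Leave NUL, surrogate and out-of-range references untouched.
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : match;
  });
}

// Constructed sample input: the comment-field payload from the answer above.
const comment = '<script>alert(1)</script>';
console.log(encodeHtml(comment));
console.log(encodeHtml('caf\u00e9 \u{1F600}', true));
console.log(decodeHtml('&amp;lt; &#38; &#x26;'));
```

These entities are safe for HTML text and quoted attribute values; input placed inside a script block, a URL or CSS needs the encoding for that context instead.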
Can it decode named HTML entities?
Yes. The decoder handles every named entity HTML defines (&amp;, &lt;, &gt;, &quot;, &nbsp;, and the long tail), plus numeric entities in both decimal (&#38;) and hex (&#x26;) form. The work is delegated to the browser's own parser, so coverage matches what the browser itself recognizes.