HTML Entities Encoder/Decoder
Free online HTML entities encoder and decoder tool. Convert special characters to HTML entities (&lt;, &gt;, &amp;, &quot;) or decode entities back to text. Supports named, numeric, and hexadecimal entities. Perfect for web developers, preventing XSS attacks, and displaying HTML code safely.
HTML Entities Encoder/Decoder - Convert HTML Special Characters
A comprehensive online HTML entities encoder and decoder tool for converting special characters to HTML entities and vice versa. Supports named entities (&amp;, &lt;, &gt;), numeric entities (&#38;, &#60;), and hexadecimal entities (&#x26;, &#x3C;). Essential for web developers to prevent XSS attacks, display HTML code safely, and handle special characters in web applications.
What are HTML entities?
HTML entities are special codes used to display reserved or special characters in HTML. They start with & and end with ; to distinguish them from regular text.
Why HTML entities exist:
- Some characters have special meaning in HTML (<, >, &, ")
- These characters would be interpreted as HTML code, not displayed as text
- Entities allow you to display these characters safely
- Enable display of characters not available on keyboards
- Support international characters and symbols
Three types of HTML entities:
1. Named Entities (most common):
&lt; → <
&gt; → >
&amp; → &
&quot; → "
&apos; or &#39; → '
&nbsp; → non-breaking space
&copy; → ©
&reg; → ®
2. Numeric Entities (decimal):
&#60; → <
&#62; → >
&#38; → &
&#169; → ©
3. Hexadecimal Entities:
&#x3C; → <
&#x3E; → >
&#x26; → &
&#xA9; → ©
All three formats work the same way - they tell the browser to display the character, not interpret it as code.
How do I encode text to HTML entities?
Encoding text to HTML entities is simple:
1. Select the 'Encode' mode (default)
2. Enter or paste your text in the input field
3. Choose your encoding type:
- Named: Uses readable names like &lt; and &amp; (recommended)
- Numeric: Uses decimal codes like &#60; and &#38;
- Hexadecimal: Uses hex codes like &#x3C; and &#x26;
4. Optionally check 'Encode all special characters' to encode more than just <>&"'
5. Click the 'Encode' button
6. Your HTML-entity-encoded text appears in the output
Example 1 - Basic encoding (named entities):
Input: "<div>Hello & goodbye</div>"
Output: "&lt;div&gt;Hello &amp; goodbye&lt;/div&gt;"
Example 2 - Numeric entities:
Input: "<p>Price: $100 & up</p>"
Output: "&#60;p&#62;Price: $100 &#38; up&#60;/p&#62;"
Example 3 - With 'encode all' option:
Input: "© 2024 Company™"
Output (named): "&copy; 2024 Company&trade;"
Output (numeric): "&#169; 2024 Company&#8482;"
The encoded text can be safely displayed in HTML without being interpreted as code.
How do I decode HTML entities?
Decoding HTML entities back to normal text is straightforward:
1. Select the 'Decode' mode
2. Paste your HTML with entities in the input field
3. Click the 'Decode' button
4. The decoded, human-readable text appears in the output
Example 1 - Named entities:
Input: "&lt;div&gt;Hello &amp; goodbye&lt;/div&gt;"
Output: "<div>Hello & goodbye</div>"
Example 2 - Numeric entities:
Input: "&#60;p&#62;Price: $100 &#38; up&#60;/p&#62;"
Output: "<p>Price: $100 & up</p>"
Example 3 - Hex entities:
Input: "&#x3C;span&#x3E;Test&#x3C;/span&#x3E;"
Output: "<span>Test</span>"
Example 4 - Mixed entities:
Input: "&copy; 2024 &#8211; All rights reserved &#x2122;"
Output: "© 2024 – All rights reserved ™"
The tool automatically:
- Recognizes all three entity types (named, numeric, hex)
- Decodes them correctly to original characters
- Handles nested or mixed entity formats
- Counts how many entities were found
- Preserves non-entity text unchanged
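A decoder covering the three entity types, as an added example rather than this tool's own code. It decodes in a single pass, so already-escaped text such as &amp;lt; is not unescaped twice, and it uses a small constructed name table (an assumption; a complete decoder needs the full HTML list).

```javascript
// Added example: single-pass decoder for named, decimal and hex references.
// NAMED is a deliberately small subset chosen for this illustration.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'",
                nbsp: '\u00A0', copy: '\u00A9', reg: '\u00AE', trade: '\u2122' };

function decodeEntities(input) {
  let count = 0;
  // The replacement text is never re-scanned by replace(), so "&amp;lt;"
  // becomes the text "&lt;" and is not decoded a second time into "<".
  const pattern = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;
  const text = String(input).replace(pattern, (match, body) => {
    let ch;
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      // NUL, surrogates and values past U+10FFFF map to U+FFFD instead of throwing.
      const valid = cp > 0 && cp <= 0x10FFFF && !(cp >= 0xD800 && cp <= 0xDFFF);
      ch = valid ? String.fromCodePoint(cp) : '\uFFFD';
    } else {
      // Own-property check: names like "constructor" must not hit the prototype.
      if (!Object.prototype.hasOwnProperty.call(NAMED, body)) return match;
      ch = NAMED[body];
    }
    count += 1;
    return ch;
  });
  return { text, count };
}
```

Unknown names are left in the output unchanged and are not counted.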
When should I use HTML entities?
HTML entities are essential in several situations:
1. Displaying HTML Code:
- Tutorial websites showing HTML examples
- Code documentation
- Syntax highlighters
- Blog posts about web development
Example: Show "<div>" as &lt;div&gt; so it displays as text
2. Preventing XSS Attacks:
- User-generated content (comments, posts)
- Form submissions displayed on pages
- Sanitizing user input
- Database content displayed in HTML
Example: Convert <script> to &lt;script&gt; to prevent execution
3. Special Character Display:
- Copyright symbols: ©
- Trademark: ™
- Registered: ®
- Currency: € £ ¥
- Math symbols: × ÷ ±
4. Quotes in HTML Attributes:
- <div title="He said &quot;Hello&quot;">...</div>
- Prevents breaking the HTML attribute
- Essential for data attributes with quotes
5. Non-breaking Spaces:
- &nbsp; prevents line breaks
- Useful for formatting
- Keep words together
6. Accented Characters (legacy):
- &eacute; → é
- &ntilde; → ñ
- Note: Modern UTF-8 encoding is preferred now
7. When NOT to use entities:
- Modern UTF-8 HTML (use actual characters: é, ñ, ©)
- JSON data (use UTF-8)
- Database storage (store actual characters)
- Email plain text
Best practices:
- Always encode user input before displaying in HTML
- Use named entities for readability (&copy; vs &#169;)
- Use UTF-8 charset and avoid entities for international chars
- Encode <>&"' at minimum for XSS prevention
What's the difference between named, numeric, and hex entities?
HTML entities come in three formats, all producing the same result:
1. Named Entities:
Format: &name;
Example: &lt; &gt; &amp; &copy;
Advantages:
- Human-readable and memorable
- Self-documenting (&copy; clearly means copyright)
- Easier to type and recognize
- Standard names across all browsers
Disadvantages:
- Limited set (only ~250 named entities)
- Not all characters have names
- Longer than numeric for some chars
Use for: Common characters with well-known names
2. Numeric Entities (Decimal):
Format: &#number;
Example: &#60; &#62; &#38; &#169;
Advantages:
- Works for ANY Unicode character (0-1,114,111)
- No memorization needed (just use character code)
- Universal support
- Compact for low-number characters
Disadvantages:
- Not human-readable (what is &#8482;?)
- Harder to debug or edit manually
- Larger for high Unicode values
Use for: Characters without named entities
3. Hexadecimal Entities:
Format: &#xHEX;
Example: &#x3C; &#x3E; &#x26; &#xA9;
Advantages:
- Works for ANY Unicode character
- Matches Unicode standard (U+00A9)
- Shorter for high Unicode values
- Easier to cross-reference with Unicode tables
Disadvantages:
- Not human-readable
- Requires hex knowledge
- Less common than decimal
Use for: When working with Unicode references
Comparison table:
| Character | Named | Decimal | Hex |
|-----------|----------|---------|----------|
| < | &lt; | &#60; | &#x3C; |
| > | &gt; | &#62; | &#x3E; |
| & | &amp; | &#38; | &#x26; |
| " | &quot; | &#34; | &#x22; |
| © | &copy; | &#169; | &#xA9; |
| € | &euro; | &#8364; | &#x20AC; |
Recommendation:
- Use named entities for common characters (&lt;, &amp;, &copy;)
- Use numeric/hex for rare characters or when character code is known
- This tool defaults to named entities for best readability
How do HTML entities prevent XSS attacks?
HTML entities are crucial for preventing Cross-Site Scripting (XSS) attacks:
What is XSS?
- Attackers inject malicious JavaScript into your website
- If user input is displayed without encoding, scripts can execute
- Can steal cookies, session tokens, or sensitive data
- Can deface your website or redirect users
How entities prevent XSS:
1. Neutralizing malicious code:
Malicious input: <script>alert('XSS')</script>
Encoded safely: &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
Result: Displays as text, doesn't execute
2. Breaking HTML injection:
Attack: <img src=x onerror="alert('XSS')">
Encoded: &lt;img src=x onerror=&quot;alert(&#39;XSS&#39;)&quot;&gt;
Result: Shows as text, image tag not created
3. Attribute injection prevention:
Attack: " onclick="alert('XSS')"
In attribute: <div title="user input here">
Without encoding: <div title="" onclick="alert('XSS')"">
With encoding: <div title="&quot; onclick=&quot;alert(&#39;XSS&#39;)&quot;">
Result: Safe - treated as part of title text
Essential characters to encode:
- < → &lt; (prevents tag creation)
- > → &gt; (prevents tag closing)
- & → &amp; (prevents entity injection)
- " → &quot; (prevents attribute breaking)
- ' → &#39; (prevents attribute breaking)
Best practices:
1. Always encode user input before displaying
2. Encode on output, not on storage
3. Use a trusted encoding library
4. Don't try to filter or sanitize - encode everything
5. Combine with Content Security Policy (CSP)
6. Never trust user input
Example vulnerable code:
Bad: <div><?= $userInput ?></div>
Good: <div><?= htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?></div>
HTML entity encoding is your first line of defense against XSS attacks!
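The three cases above and the "encode on output, not on storage" rule, as an added example that is not this tool's own code. The function names are illustrative, and using &#39; for the apostrophe in named mode is an assumption made here because &apos; is not defined in HTML 4.

```javascript
// Added example: encode the five characters listed above as essential.
const ESSENTIAL = {
  '&': { named: '&amp;',  code: 38 },
  '<': { named: '&lt;',   code: 60 },
  '>': { named: '&gt;',   code: 62 },
  '"': { named: '&quot;', code: 34 },
  "'": { named: '&#39;',  code: 39 }, // numeric form even in named mode (assumption)
};

function encodeEntities(text, type = 'named') {
  // A function replacer is used so "$" in user text is never treated as a pattern.
  return String(text).replace(/[&<>"']/g, (ch) => {
    const { named, code } = ESSENTIAL[ch];
    if (type === 'numeric') return `&#${code};`;
    if (type === 'hex') return `&#x${code.toString(16).toUpperCase()};`;
    return named;
  });
}

// Text-node context: the markup in the input becomes inert text.
function renderComment(userInput) {
  return `<div>${encodeEntities(userInput)}</div>`;
}

// Attribute context: the value is encoded AND the attribute is quoted.
function renderTitle(userInput) {
  return `<div title="${encodeEntities(userInput)}"></div>`;
}

// Encoding at storage time and again at output time double-encodes:
// the visitor then sees a literal "&lt;" on the page instead of "<".
function storedThenRendered(userInput) {
  const stored = encodeEntities(userInput); // wrong place to encode
  return encodeEntities(stored);            // output encoding applied on top
}

// Constructed sample inputs, copied from the cases shown above.
const scriptPayload = "<script>alert('XSS')</script>";
const attrPayload = `" onclick="alert('XSS')"`;
```

Storing the raw text and calling the encoder once, at the point where the value is written into HTML, avoids the double-encoded output.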
Is my data safe when using this tool?
Yes, your data is completely safe and private:
Privacy features:
- 100% client-side processing: All encoding/decoding happens in your browser
- No server uploads: Your data never leaves your computer
- No storage: We don't store, log, or save any data you input
- No tracking: We don't track what you encode or decode
- Works offline: Once loaded, works without internet connection
- Open source: Code is transparent and verifiable
You can verify:
- Open browser DevTools → Network tab (no requests sent)
- Disconnect internet after loading (still works)
- Review page source code
Security reminder:
- This tool helps you encode/decode for display purposes
- Always encode user input server-side as well
- Don't rely solely on client-side encoding for security
- Use proper server-side sanitization and validation
- Combine with other security measures (CSP, HTTPS, etc.)
The tool itself is safe, but remember:
- Encoding is for display, not security alone
- Always validate and sanitize on the server
- Use comprehensive security practices
Common HTML entities reference?
Here's a quick reference of commonly used HTML entities:
Essential Characters:
&lt; → < (less than)
&gt; → > (greater than)
&amp; → & (ampersand)
&quot; → " (quotation mark)
&apos; or &#39; → ' (apostrophe)
Spaces:
&nbsp; → non-breaking space
&ensp; → en space
&emsp; → em space
&thinsp; → thin space
Copyright & Legal:
&copy; → © (copyright)
&reg; → ® (registered)
&trade; → ™ (trademark)
Currency:
&euro; → € (euro)
&pound; → £ (pound)
&yen; → ¥ (yen)
&cent; → ¢ (cent)
Mathematical:
&times; → × (multiplication)
&divide; → ÷ (division)
&plusmn; → ± (plus-minus)
&ne; → ≠ (not equal)
&le; → ≤ (less than or equal)
&ge; → ≥ (greater than or equal)
&infin; → ∞ (infinity)
&sum; → ∑ (sum)
&radic; → √ (square root)
Arrows:
&larr; → ← (left arrow)
&rarr; → → (right arrow)
&uarr; → ↑ (up arrow)
&darr; → ↓ (down arrow)
Punctuation:
&ndash; → – (en dash)
&mdash; → — (em dash)
&lsquo; → ‘ (left single quote)
&rsquo; → ’ (right single quote)
&ldquo; → “ (left double quote)
&rdquo; → ” (right double quote)
&hellip; → … (ellipsis)
Accented Letters:
&eacute; → é
&ntilde; → ñ
&uuml; → ü
&aacute; → á
&ocirc; → ô
Greek Letters:
&alpha; → α
&beta; → β
&gamma; → γ
&delta; → δ
&pi; → π
&omega; → ω
Note: With modern UTF-8 encoding, you can often use the actual character (©, €, ñ) instead of entities, but entities are still essential for <, >, &, ", and ' to prevent HTML parsing issues.
Key Features
- Encode text to HTML entities (named, numeric, or hexadecimal)
- Decode HTML entities back to original characters
- Support for named entities (&amp;, &lt;, &copy;, etc.)
- Support for numeric entities (&#38;, &#60;, &#169;)
- Support for hexadecimal entities (&#x26;, &#x3C;, &#xA9;)
- Option to encode only essential characters or all special characters
- Automatic entity counting and statistics
- Prevents XSS attacks by encoding dangerous characters
- One-click swap between encode and decode modes
- Real-time size comparison statistics
- Copy encoded/decoded text to clipboard
- Download results as text files
- Upload text files for encoding/decoding
- Dark mode support
- 100% client-side processing - your data never leaves your browser
- No file size limits
- Works offline after initial load
- Mobile-friendly responsive design
- Support for Unicode and international characters
- No registration or login required