Embedding user-generated content — encode form submissions, comments, or API responses before inserting them into HTML to prevent XSS injection attacks. Decoding copy-pasted HTML — when you've pulled markup from a browser inspector or web scraper and it arrives as double-encoded entities ( & , ' , “ ), decode it back to readable text. Fixing accidentally double-escaped templates — un-mangle template systems that have escaped values twice, or data that's been through multiple processing layers. Preparing code examples for documentation — convert angle brackets and quotes to entities for JSDoc comments, XML/CDATA sections, or markdown code blocks where literal would break rendering. Debugging encoded API responses — decode JSON or XML responses that arrive with escaped entities to see the actual content. Creating test fixtures — quickly generate encoded strings for unit tests without hand-escaping each character.

Encoding — replaces the five reserved characters with their named entity equivalents: & becomes & , becomes > , " becomes " , and ' becomes ' . Decoding — accepts any valid HTML entity format (named like “ , decimal numeric like " , or hexadecimal like " ) and converts it back to its character via the browser's HTML parser. Bidirectional — toggle between encode and decode modes; the tool handles both directions without requiring different tools. Entity awareness — the decoder recognises hundreds of named entities beyond the five core characters, making it useful for any encoded HTML content you encounter.

Encoding ≠ sanitisation — escaping entities makes text safe to display as content, but does not remove or strip HTML tags. If you need to allow only text and remove all markup, use an HTML sanitiser instead. Attributes are not safe by encoding alone — whilst encoding the five reserved characters makes content safe in element bodies, placing untrusted data in attributes (especially event handlers like onclick ) requires additional escaping. Keep user input out of HTML attributes entirely when possible. Double-encoding trap — encoding an already-encoded string like < produces < , which decodes to < instead of < . Decode once first if your input already contains entities. Decoder is permissive — the decoder accepts any valid HTML entity that a real browser would, including malformed sequences. If you're validating input, don't rely solely on successful decoding. Named entities are case-sensitive — &Amp; is not the same as & . Most browsers are forgiving, but the HTML spec requires lowercase for the core five entities.

HTML Encoder / Decoder

Escape HTML special characters or decode entities back. Useful for safely embedding user input or debugging encoded markup.

Mode Input

Output

Enter input above to see the result.

What is this for?

HTML reserves five characters with structural meaning — &, <, >, ", ' — which must be escaped as entities when they appear as content rather than markup. This tool encodes raw text into safe HTML entities and decodes entity references back to plain characters, making it essential for safely embedding untrusted input, debugging mangled markup, and preparing code snippets for documentation.

When to use it

Embedding user-generated content — encode form submissions, comments, or API responses before inserting them into HTML to prevent XSS injection attacks.
Decoding copy-pasted HTML — when you've pulled markup from a browser inspector or web scraper and it arrives as double-encoded entities (&, ', “), decode it back to readable text.
Fixing accidentally double-escaped templates — un-mangle template systems that have escaped values twice, or data that's been through multiple processing layers.
Preparing code examples for documentation — convert angle brackets and quotes to entities for JSDoc comments, XML/CDATA sections, or markdown code blocks where literal < and > would break rendering.
Debugging encoded API responses — decode JSON or XML responses that arrive with escaped entities to see the actual content.
Creating test fixtures — quickly generate encoded strings for unit tests without hand-escaping each character.

How it works

Encoding — replaces the five reserved characters with their named entity equivalents: & becomes &, < becomes <, > becomes >, " becomes ", and ' becomes '.
Decoding — accepts any valid HTML entity format (named like “, decimal numeric like ", or hexadecimal like ") and converts it back to its character via the browser's HTML parser.
Bidirectional — toggle between encode and decode modes; the tool handles both directions without requiring different tools.
Entity awareness — the decoder recognises hundreds of named entities beyond the five core characters, making it useful for any encoded HTML content you encounter.

Common gotchas

Encoding ≠ sanitisation — escaping entities makes text safe to display as content, but does not remove or strip HTML tags. If you need to allow only text and remove all markup, use an HTML sanitiser instead.
Attributes are not safe by encoding alone — whilst encoding the five reserved characters makes content safe in element bodies, placing untrusted data in attributes (especially event handlers like onclick) requires additional escaping. Keep user input out of HTML attributes entirely when possible.
Double-encoding trap — encoding an already-encoded string like < produces &lt;, which decodes to < instead of <. Decode once first if your input already contains entities.
Decoder is permissive — the decoder accepts any valid HTML entity that a real browser would, including malformed sequences. If you're validating input, don't rely solely on successful decoding.
Named entities are case-sensitive — &Amp; is not the same as &. Most browsers are forgiving, but the HTML spec requires lowercase for the core five entities.

Named entities and special characters

This tool handles the five mandatory HTML entities for all contexts, plus hundreds of named character references like  , ©, →, and “.
Numeric entities work in both decimal (A for A) and hexadecimal (A) forms.
For a complete reference, consult the WHATWG HTML entity list — this tool uses the browser's native entity parser, so it supports whatever your target browser supports.