HTML Entities

Convert HTML special characters to entities and vice versa

What is HTML Entities Encoder & Decoder?

HTML entities are special codes that represent characters that cannot be safely used in HTML markup. For example, < becomes &lt; to prevent it from being interpreted as an HTML tag, & becomes &amp; to avoid confusing the HTML parser, and " becomes &quot; to safely include quotes inside attribute values. This tool converts special characters to their entity equivalents (encoding) and converts entities back to original characters (decoding). It supports both named entities (&copy;, &euro;, &mdash;) and numeric entities (&#169;, &#8364;, &#8212;). HTML entity encoding is essential for preventing XSS (Cross-Site Scripting) attacks and for displaying special symbols like copyright signs, currency symbols, and mathematical operators in web pages.

How to Use

  1. Paste text containing special characters into the input field.
  2. Click 'Encode' to convert characters like <, >, &, ", and special symbols to their HTML entity equivalents.
  3. Click 'Decode' to convert HTML entities back to their original characters.
  4. Copy the result for use in your HTML, template, or application code.
  5. Use 'Load Sample' to see example encoding with common HTML content.

Why Use This Tool?

Prevent XSS attacks by encoding user input before displaying in HTML — the primary security use case
Display special symbols correctly in HTML — copyright, currency, mathematical operators, and accented characters
Encode content for safe HTML embedding in templates, email, and documentation
Decode existing HTML entities for processing or text extraction from web content
Support for both named entities (&copy;) and numeric entities (&#169;) — decode both formats

Tips & Best Practices

  • Always encode <, >, &, ", and ' in user-provided content before rendering in HTML — these are the XSS-critical characters.
  • Named entities like &copy; are more readable than numeric &#169; — prefer named entities in hand-written HTML.
  • For modern websites using UTF-8 encoding, most special characters can be included directly without entities — reserve entities for the five XSS-critical characters.
  • Decode entities when processing HTML content programmatically — most HTML parsers do this automatically, but manual decoding may be needed for plain text extraction.

Frequently Asked Questions

Why do I need to encode HTML entities?

Characters like <, >, and & have special meaning in HTML. If you display them directly in user-generated content, they might be interpreted as HTML tags or break the document structure. Encoding them as entities ensures they display as literal characters and prevents XSS attacks.

When should I NOT use HTML entity encoding?

Do not use HTML entity encoding when: you are outputting text to a non-HTML context (JavaScript, CSS, URLs — use context-specific encoding instead); you are already using a templating engine that auto-escapes output (like React's JSX or Vue templates); or you are working with UTF-8 content where special characters can be included directly.

What's the difference between named and numeric entities?

Named entities like &copy; use descriptive names, while numeric entities like &#169; use the character's Unicode code point. Named entities are more readable but only exist for common characters. Numeric entities work for all Unicode characters — any character can be represented as &#NNNN; where NNNN is its code point.

Should I encode all special characters?

For security, encode <, >, &, " and ' in all user-provided content. For symbols like ©, €, and accented characters, you can use entities or UTF-8 encoding directly. Modern websites using UTF-8 typically only need the five security-critical entities.

How do I prevent XSS with entity encoding?

Encode <, >, and & in all user input before displaying in HTML. This prevents attackers from injecting <script> tags or event handlers like onerror. For JavaScript contexts, use Unicode escaping instead of HTML entities. For URL contexts, use URL encoding. Always use the encoding appropriate for the output context.

Is my data processed securely?

Yes. All encoding and decoding happens entirely in your browser using JavaScript. Your text and HTML content are never sent to any server, stored, or transmitted. You can safely encode content containing sensitive information.

Real-world Examples

Encoding user input to prevent XSS

User-submitted content containing HTML-like characters must be encoded before rendering to prevent script injection.

Input
<script>alert("XSS attack!")</script>
Output
&lt;script&gt;alert(&quot;XSS attack!&quot;)&lt;/script&gt;

Displaying special symbols in HTML

Currency symbols, copyright marks, and mathematical operators can be encoded as named entities for broad browser compatibility.

Input
Price: €29.99 © 2025 Acme Corp. 2 × 3 = 6
Output
Price: &euro;29.99 &copy; 2025 Acme Corp. 2 &times; 3 = 6

Related Tools