HTML Entity Encoder & Decoder
Escape special characters to HTML entities, or unescape them back — perfect for safely embedding user content in HTML.
How to Use
Encode converts characters like < > & " ' into safe HTML entities. Decode reverses this. Toggle Named entities to use human-readable names (&amp;) versus numeric codes (&#38;).
What are HTML Entities?
HTML entities are special codes used to represent characters that have reserved meaning in HTML. For example, the less-than sign < would be interpreted as the start of a tag; to display it literally, you write &lt;. Entities start with & and end with ;.
Why Encode HTML Entities?
- Prevent XSS (Cross-Site Scripting) attacks by escaping user input before inserting into HTML
- Display special characters in web pages without breaking HTML structure
- Safely embed code samples in HTML documentation
- Ensure correct rendering across all browsers and encodings
Essential HTML Entities Reference
- &lt; = <
- &gt; = >
- &amp; = &
- &quot; = "
- &#39; = '
- &nbsp; = (non-breaking space)
- &copy; = ©
- &reg; = ®
Frequently Asked Questions
Does HTML entity encoding prevent XSS attacks?
It prevents most XSS attacks when applied to user input placed in HTML context. However, it must be combined with context-aware escaping — different rules apply for JavaScript contexts, URL attributes, and CSS. Always use a proper sanitization library for security-critical applications.
What's the difference between named and numeric entities?
Named entities (&amp;, &lt;) are defined by the HTML specification and are more readable. Numeric entities (&#38;, &#60;) can represent any Unicode character by its code point — useful for characters without named equivalents. Both are interpreted identically by browsers.
Should I encode all characters or only unsafe ones?
For security, encode the five critical characters: < > & " '. For maximum safety or when unsure about character support, you can encode all non-ASCII characters as numeric entities.
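The encoding rules from the FAQ above, as an added example (not this tool's own code): it covers the five critical characters, the named/numeric toggle, and optional non-ASCII encoding, plus the context caveat that a URL attribute needs a scheme check as well as escaping. The function names and the scheme allowlist are assumptions made for illustration.

```javascript
// Added example; encodeHtml, decodeHtml and safeHref are hypothetical names.
const ENC = new Map([['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;']]);
const DEC = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);

function encodeHtml(text, { named = true, encodeNonAscii = false } = {}) {
  let out = '';
  for (const ch of String(text)) {            // iterates by code point, so emoji stay whole
    const cp = ch.codePointAt(0);
    if (ENC.has(ch)) out += named ? ENC.get(ch) : `&#${cp};`;
    else if (encodeNonAscii && cp > 0x7f) out += `&#${cp};`;
    else out += ch;
  }
  return out;
}

// Single pass: "&amp;lt;" decodes to "&lt;", never to "<" (no double decoding).
// Unknown names and out-of-range code points are left untouched.
function decodeHtml(text) {
  return String(text).replace(/&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z]+));/g, (m, dec, hex, name) => {
    if (name !== undefined) return DEC.has(name) ? DEC.get(name) : m;
    const cp = dec !== undefined ? parseInt(dec, 10) : parseInt(hex, 16);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// URL attribute context: entity encoding leaves the scheme intact, so check it
// against an allowlist (assumed here: http, https, mailto) before escaping.
function safeHref(url, allowed = ['http:', 'https:', 'mailto:']) {
  let scheme;
  try { scheme = new URL(url, 'https://example.invalid/').protocol; } catch { return null; }
  return allowed.includes(scheme) ? encodeHtml(url) : null;
}

// Constructed sample input.
const sample = `<b title="x">Tom & 'Jerry'</b>`;
console.log(encodeHtml(sample));
console.log(encodeHtml('© 😀', { encodeNonAscii: true }));
console.log(safeHref('javascript:alert(1)'), safeHref('https://example.com/?a=1&b=2'));
```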