HTML Entity Encoder / Decoder

Convert special characters to HTML entities and back — named, decimal, or hexadecimal. Live rendered preview. Nothing uploaded, nothing logged.

All processing happens in your browser. Your data never leaves your device.

Guide

How to encode or decode HTML entities

  1. Choose your mode

    Toggle between Encode (characters to entities) and Decode (entities back to characters). Encode is the default.

  2. Paste or type your text

    Enter content in the left pane. Conversion is automatic — no button needed.

  3. Select an entity format

    In Encode mode, choose Named, Decimal, Hexadecimal, or All Characters to control the output form.

  4. Check the preview

    The preview renders the decoded output in a sandboxed iframe — scripts never execute.

  5. Copy the output

    Click Copy or press Ctrl+Shift+C. A confirmation toast shows for 1.5 seconds.

  6. Go fullscreen

    Click Fullscreen or press F for a three-column workspace with more room.

Reference

HTML entity format comparison

| Character | Named | Decimal | Hex | Use when |
|---|---|---|---|---|
| < (less-than) | &lt; | &#60; | &#x3C; | Always in HTML content |
| > (greater-than) | &gt; | &#62; | &#x3E; | Always in HTML content |
| & (ampersand) | &amp; | &#38; | &#x26; | Always — prevents parser ambiguity |
| " (double quote) | &quot; | &#34; | &#x22; | Inside double-quoted attributes |
| ' (apostrophe) | &apos; | &#39; | &#x27; | Inside single-quoted attributes |
| © (copyright) | &copy; | &#169; | &#xA9; | Named for readability |
| — (em dash) | &mdash; | &#8212; | &#x2014; | Named for readability |

Pitfalls

Common HTML encoding mistakes

  • Double-encoding escaped content

    Running &amp; through the encoder again produces &amp;amp;. Decode first, then re-encode.

  • Encoding inside script or style

    Entity encoding applies to text nodes and attributes — not content inside <script> or <style> tags.

  • Using &apos; in HTML4

    &apos; is valid in XML and HTML5 but undefined in HTML4. Use &#39; for older parsers.

  • Omitting the trailing semicolon

    Named entities need a semicolon (&amp; not &amp). Without it, browser behaviour varies.
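
The format table and the double-encoding pitfall above, as an added example that is not the tool's own code: it encodes the five markup-significant characters in each format, decodes one level, and flags double-encoded input. All function names are hypothetical, and the decoder is deliberately strict (semicolon and exact name required), which is an assumption that differs from a longest-prefix decoder.

```javascript
// Added example; function names are hypothetical, not the tool's API.
// Covers only the five markup-significant characters from the table.
const NAMED = { '<': 'lt', '>': 'gt', '&': 'amp', '"': 'quot', "'": 'apos' };
const BY_NAME = Object.fromEntries(
  Object.entries(NAMED).map(([ch, name]) => [name, ch]));

// format: 'named' | 'decimal' | 'hex'
function encodeEntities(text, format = 'named') {
  return text.replace(/[<>&"']/g, (ch) => {
    const cp = ch.codePointAt(0);
    if (format === 'decimal') return `&#${cp};`;
    if (format === 'hex') return `&#x${cp.toString(16).toUpperCase()};`;
    return `&${NAMED[ch]};`;
  });
}

// Decode exactly one level. Strict by design: a terminating semicolon and
// an exact name are required, so unknown names pass through unchanged
// (no longest-prefix matching).
function decodeEntities(text) {
  const re = /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi;
  return text.replace(re, (match, hex, dec, name) => {
    if (name !== undefined) return BY_NAME[name] ?? match;
    const cp = parseInt(hex ?? dec, hex !== undefined ? 16 : 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Heuristic: text is double-encoded if one decode pass still leaves
// something decodable behind (e.g. "&amp;lt;" -> "&lt;" -> "<").
function isDoubleEncoded(text) {
  const once = decodeEntities(text);
  return once !== text && decodeEntities(once) !== once;
}

// The page's advice: decode first, then re-encode.
function reencode(text, format = 'named') {
  return encodeEntities(decodeEntities(text), format);
}
```

Running `isDoubleEncoded` over stored content before rendering is a cheap way to spot fields that were escaped at both write time and output time.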

HTML entity encoding — questions

What is an HTML entity?
An HTML entity is a text sequence representing a character that would otherwise be interpreted as markup. They begin with & and end with ;. There are three forms: named (&amp;), decimal numeric (&#38;), and hexadecimal numeric (&#x26;).
Which characters must always be encoded?
At minimum, <, >, and & in text content. Inside attribute values, " and ' must also be encoded. Encoding these five characters prevents most XSS vulnerabilities.
Named, decimal, or hexadecimal — which should I use?
Named entities are the most readable. Decimal numeric entities are universally supported. Hexadecimal is common in XML and XHTML. For general HTML5, named entities are preferred where they exist; numeric is safer for characters without a named equivalent.
Does encoding prevent XSS attacks?
Encoding user-supplied input before inserting it into HTML is the primary defence against reflected and stored XSS. It is not sufficient alone — Content Security Policy and context-aware escaping are also needed for comprehensive protection.
Is my input sent to a server?
No. All encoding and decoding runs in your browser via JavaScript. Nothing leaves your device, so it is safe to convert content containing tokens, session IDs, or internal hostnames.
What is the input size limit?
The tool enforces a 1 MB input limit. Content up to that size processes within 500 ms on modern hardware. Inputs exceeding 1 MB trigger an inline error and the output is not updated.
What happens with malformed entities like &xyz;?
Unrecognized entities mostly pass through unchanged. However, the underlying library uses longest-prefix matching — for example, &notarealentity; decodes to ¬arealentity; because &not; is a valid named entity matched at that prefix. The tool documents this behaviour rather than wrapping around it.