
Convert special characters to HTML entities (encode) and decode all entities
& → &amp;
< → &lt;
> → &gt;
" → &quot;
' → &#39;

Founder & CEO, Toolraxy
Faiq Ur Rahman is a web designer, digital product developer, and founder of Toolraxy, a growing platform of web-based calculators and utility tools. He specializes in building structured, user-friendly tools focused on health, finance, productivity, and everyday problem-solving.
HTML Encoder/Decoder is a browser-based utility that converts special HTML characters (<, >, &, ", ') into their corresponding HTML entities (&lt;, &gt;, &amp;, &quot;, &#39;) and reverses the process to restore the original characters.
This tool serves two critical purposes: encoding makes text safe to display in HTML without breaking the page structure, and decoding converts encoded entities back to human-readable form. All processing happens locally in your browser, ensuring your data never leaves your device.
HTML entities are fundamental to web development and security:
XSS Prevention – User input containing <script> tags can hijack your site. Encoding neutralizes this threat.
Code Display – Showing HTML code in blog posts or tutorials requires encoding to prevent browser interpretation.
Email Safety – HTML emails need proper encoding to display special characters correctly.
Data Integrity – Storing user input without encoding can break your database and application.
Content Migration – Moving content between systems often requires decoding/encoding entities.
Without proper encoding, special characters can break your HTML, create security vulnerabilities, and frustrate users with unexpected behavior.
Type or paste your text into the Input field. This can be:
Plain text with special characters (e.g., 5 < 10)
HTML code you want to display safely
Already encoded entities you want to decode
User input you’re preparing for safe output
To Encode (Convert to Entities):
Click the red Encode button. Special characters become entities:
< becomes &lt;
> becomes &gt;
& becomes &amp;
" becomes &quot;
' becomes &#39;
To Decode (Convert from Entities):
Click the Decode button. All HTML entities (named and numeric) are converted back to readable characters.
Swap – Exchanges input and output (useful for reverse conversions)
Copy Output – Copies the result to clipboard
Clear – Resets both fields for a new task
Encoding Process:
The tool replaces each special character with its corresponding HTML entity in a fixed order. The order is critical: & is replaced first, because every other entity itself contains an ampersand, and encoding & afterwards would double-encode them.
| Character | Entity | Purpose |
|---|---|---|
| & | &amp; | Ampersand (must be first) |
| < | &lt; | Less than |
| > | &gt; | Greater than |
| " | &quot; | Double quote |
| ' | &#39; | Apostrophe/Single quote |
Decoding Process:
The tool creates a temporary DOM element (textarea) and sets its innerHTML to the encoded string. The browser’s native HTML parser automatically converts all entities (named and numeric) to their character equivalents. This method handles every valid HTML entity without needing a manual mapping table. A textarea is used rather than a generic element because its content is parsed as plain text, so the encoded string cannot create elements or run scripts while it is being decoded.
Input (Plain Text with Special Characters):
"Hello" & 'Goodbye' are < 5 characters > 2 characters
Encoded Output:
&quot;Hello&quot; &amp; &#39;Goodbye&#39; are &lt; 5 characters &gt; 2 characters
Decoded Back (from encoded):
"Hello" & 'Goodbye' are < 5 characters > 2 characters
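The encoding and decoding procedures described above, as an added example that is not the Toolraxy tool's own code: an ampersand-first encoder, the same table applied in the wrong order to show the double-encoding pitfall, and a DOM-free decoder for named and numeric entities that stands in for the browser's textarea/innerHTML method so it runs under Node.js. The sample string is the page's worked example; the entity name table is a deliberately small stand-in for the browser's full list.

```javascript
// Added example (not the tool's code): ampersand-first encoder, the wrong-order
// variant that double-encodes, and a DOM-free decoder standing in for the
// browser's textarea/innerHTML trick so everything runs under Node.js.

// '&' must be first: every other entity contains an '&', and encoding it later
// would turn an already-produced '&lt;' into '&amp;lt;'.
const ENCODE_ORDER = [
  ['&', '&amp;'],
  ['<', '&lt;'],
  ['>', '&gt;'],
  ['"', '&quot;'],
  ["'", '&#39;'],   // numeric form; &apos; is unknown to older HTML parsers
];

function applyTable(text, table) {
  return table.reduce((s, [ch, ent]) => s.split(ch).join(ent), text);
}

function htmlEncode(text) {
  return applyTable(text, ENCODE_ORDER);
}

// Deliberately wrong: '&' handled last, reproducing the "forgetting ampersand order" mistake.
function htmlEncodeAmpLast(text) {
  return applyTable(text, ENCODE_ORDER.slice(1).concat([ENCODE_ORDER[0]]));
}

// Named entities known to this decoder: the encoder's five outputs plus the rows of
// the page's reference table. A browser knows over 2,000 names; this is a stand-in.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                copy: '\u00A9', reg: '\u00AE', euro: '\u20AC', nbsp: '\u00A0' };

// Decodes named (&lt;), decimal (&#60;) and hexadecimal (&#x3C;) entities.
// Unknown names and malformed sequences are left as-is, like a lenient browser.
function htmlDecode(text) {
  return text.replace(/&(#[xX][0-9A-Fa-f]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g, (match, body) => {
    if (body[0] === '#') {
      const cp = /^#[xX]/.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp <= 0x10FFFF ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Sample input constructed from the page's worked example.
const SAMPLE = '"Hello" & \'Goodbye\' are < 5 characters > 2 characters';
console.log(htmlEncode(SAMPLE));                        // entities, & encoded first
console.log(htmlDecode(htmlEncode(SAMPLE)) === SAMPLE); // true: round trip
console.log(htmlEncodeAmpLast('<'));                    // &amp;lt; (double-encoded)
```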
Real XSS Prevention Example:
User input: <script>alert('hack')</script>
Encoded: &lt;script&gt;alert(&#39;hack&#39;)&lt;/script&gt;
Result: The script tag displays as text, not executed.
XSS Protection – Prevent cross-site scripting attacks by encoding user input before display
Safe Code Display – Show HTML, JavaScript, or XML code in tutorials without execution
Email Compatibility – Ensure special characters render correctly in HTML emails
Data Portability – Easily move content between systems with different encoding requirements
Browser-Native Decoding – Uses the browser’s built-in entity parser for 100% accuracy
Privacy First – All processing happens locally; your data never leaves your browser
Free Forever – No accounts, no limits, no subscriptions
Instant Results – Real-time encoding/decoding as you click
Web Developers – Prevent XSS by encoding user-generated content
Security Professionals – Test input validation and output encoding
Content Creators – Publish HTML code snippets in blog posts
Email Marketers – Prepare HTML email content with special characters
CMS Users – Enter content in WordPress, Joomla, or Drupal safely
Forum Members – Post code examples without breaking page layout
Students – Learn about HTML entities and character encoding
Data Analysts – Clean and prepare text data containing HTML
1. Double-Encoding
Never encode already encoded content. Use Swap to check if text is already encoded.
2. Forgetting Ampersand Order
Ampersand must be encoded first to prevent &lt; from becoming &amp;lt;.
3. Using Wrong Quotes
Single quotes (') use the numeric entity &#39; for maximum compatibility, since older HTML parsers do not recognise the named form &apos;.
4. Assuming All Entities Decode
This tool decodes all valid HTML entities—but malformed entities may not convert.
5. Relying Only on Encoding
Encoding is one layer of security. Always combine with other XSS prevention measures.
6. Not Testing Decoded Output
After decoding, verify the result matches your original text, especially with special characters.
7. Manual Replacement Errors
Let the tool handle encoding—manual replacement often misses cases.
Unicode Characters: This tool encodes only HTML-sensitive characters (< > & " '). Full Unicode encoding requires different tools.
Malformed Entities: Invalid entities (e.g., &lt without semicolon) may not decode correctly.
No Batch Processing: Designed for single text blocks; for large-scale batch encoding, use programming libraries.
Browser-Dependent Decoding: Decoding uses the browser’s HTML parser; results are consistent across modern browsers.
No Custom Entity Mapping: Only handles standard HTML entities, not custom XML entities.
HTML entities are special sequences that represent characters otherwise interpreted as HTML code. They always begin with & and end with ;. For example, &lt; represents <, and &copy; represents ©.
Entities solve two problems: they allow display of reserved characters (<, >, &) without breaking HTML structure, and they enable characters not available on keyboards (like ©, ®, €). Every web developer encounters entities when working with user input, content management, or internationalization.
Cross-Site Scripting (XSS) is one of the most common web vulnerabilities. Attackers inject malicious scripts through user input fields, comments, or URLs. When unsanitized input is displayed, those scripts execute in victims’ browsers.
Output encoding (like this tool’s HTML encoding) is the primary defense. By converting <script> to &lt;script&gt;, the browser displays the text as-is instead of executing it. Always encode user-generated content before displaying it—even if you think the source is trusted.
HTML supports two types of entities:
Named entities: &lt; for <, &copy; for ©, &euro; for €
Numeric entities: &#60; for <, &#169; for ©, &#8364; for €
Named entities are easier to remember but have limited coverage. Numeric entities (using Unicode code points) can represent any character. This tool’s decoding handles both types automatically.
| Entity | Character | Description |
|---|---|---|
| &lt; | < | Less than |
| &gt; | > | Greater than |
| &amp; | & | Ampersand |
| &quot; | " | Double quote |
| &#39; | ' | Apostrophe |
| &copy; | © | Copyright |
| &reg; | ® | Registered trademark |
| &euro; | € | Euro currency |
| &nbsp; | (space) | Non-breaking space |
HTML encoding isn’t one-size-fits-all. Different contexts require different encoding rules:
HTML body: Encode <, >, &, ", '
HTML attributes: Encode & and the attribute delimiter (" or ')
JavaScript strings: Use JavaScript escaping (\n, \', etc.)
URLs: Use URL encoding (%20 for spaces)
This tool handles HTML body and attribute contexts. For JavaScript or URL encoding, use specialized tools.
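One encoder per output context from the list above, as an added example that is not part of the original page: HTML body, quoted attribute, JavaScript string literal and URL parameter each get their own rule, because entity encoding alone does not make a value safe inside a script string or a URL. The function names are assumptions for illustration.

```javascript
// Added example (not the tool's code): context-specific output encoders.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML body text: the five characters from the tool's table.
function encodeForHtmlBody(value) {
  return value.replace(/[&<>"']/g, ch => HTML_MAP[ch]);
}

// Double-quoted attribute value: '&' and the delimiter are the minimum the page
// names; encoding < and > as well is the usual conservative choice.
function encodeForAttribute(value) {
  return '"' + value.replace(/[&<>"]/g, ch => HTML_MAP[ch]) + '"';
}

// JavaScript string literal inside a <script> block: JSON.stringify escapes quotes,
// backslashes and control characters; '<' is escaped too so that data containing
// '</script>' cannot end the script element early.
function encodeForJsString(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// URL query parameter: percent-encoding, as in the page's "%20 for spaces" example.
function encodeForUrlParam(value) {
  return encodeURIComponent(value);
}

function encodeForContext(value, ctx) {
  switch (ctx) {
    case 'html': return encodeForHtmlBody(value);
    case 'attr': return encodeForAttribute(value);
    case 'js':   return encodeForJsString(value);
    case 'url':  return encodeForUrlParam(value);
    default: throw new Error('unknown output context: ' + ctx);
  }
}

// Constructed sample value, rendered for each context.
for (const ctx of ['html', 'attr', 'js', 'url']) {
  console.log(ctx, encodeForContext('5 < 10 & "done"', ctx));
}
```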
These terms are often confused:
Encoding: Converting characters to alternative representations (like < to &lt;) that preserve meaning but prevent interpretation
Escaping: Adding prefixes (like backslashes) to remove special meaning
Sanitization: Removing or modifying dangerous content entirely
Encoding is preferred for XSS prevention because it preserves the original data while making it safe. Sanitization can remove needed content. This tool provides proper HTML encoding.
Paste your text into the Input field and click the red “Encode” button. Special characters (<, >, &, ", ') will be converted to HTML entities like &lt;, &gt;, &amp;, &quot;, and &#39;.
Paste encoded text containing entities like &lt; or &amp; into the Input field and click “Decode.” All named and numeric entities will be converted back to readable characters.
Encoding converts special characters to HTML entities so they display safely in HTML. Decoding reverses the process, converting entities back to original characters.
Encoding prevents browsers from interpreting special characters as HTML code. This stops XSS attacks, allows display of code snippets, and ensures proper rendering of special characters.
Yes, encoding user input before displaying it in HTML is a primary defense against cross-site scripting (XSS) attacks. The encoded output is safe to insert into HTML body text and quoted attribute values; JavaScript strings and URLs need their own encoding, as described in the section on encoding contexts.
The tool encodes five characters: & (ampersand), < (less than), > (greater than), " (double quote), and ' (apostrophe/single quote). These are the only characters with special meaning in HTML.
Yes, the tool uses the browser’s native HTML parser to decode every valid named entity (like &copy;) and numeric entity (like &#169;). This includes all standard HTML entities.
Yes, encoding special characters in HTML emails ensures they display correctly across email clients. The encoded output is safe to insert into email HTML.