Common HTML Entities
Character   Entity Name   Numeric Entity   Description
&           &amp;         &#38;            Ampersand
<           &lt;          &#60;            Less than
>           &gt;          &#62;            Greater than
"           &quot;        &#34;            Double quote
'           &#39;         &#39;            Single quote
/           &#47;         &#47;            Forward slash
(nbsp)      &nbsp;        &#160;           Non-breaking space
©           &copy;        &#169;           Copyright
®           &reg;         &#174;           Registered trademark
™           &trade;       &#8482;          Trademark

Five Characters That Break Every HTML Page They Touch

The HTML parser has no way to distinguish between markup you wrote and data that contains markup-like characters. Feed it <script>alert('xss')</script> as a user's display name and the browser executes it as JavaScript. Forget to encode a single < in a comment and you shatter the page layout. Five characters sit at the root of the most common class of web security vulnerability: less-than, greater-than, ampersand, double quote, and single quote.

HTML entities replace these dangerous characters with safe sequences the browser renders as literal text. < becomes &lt; — the browser displays a less-than sign but never treats it as the start of a tag. This tool converts in both directions: encode to entities for safe embedding, decode to read entity-encoded content as text.

What HTML Entities Are — Named, Decimal, and Hex

HTML entities come in three syntactic forms but all represent the same character. Named entities are the most readable: &lt; for less-than, &amp; for ampersand, &copy; for ©. Decimal numeric entities use the character's decimal Unicode code point: &#60; is the same as &lt;. Hex numeric entities use hexadecimal: &#x3C; is the same character again. This tool decodes all three forms back to literal characters.

Context Matters: Where HTML Encoding Is and Isn't Enough

HTML encoding protects against injection in HTML body text contexts: content between tags, and inside quoted, non-executing attributes like class, id, or title. It does not provide sufficient protection in other contexts:

  • Inside inline event handlers: Content inside onclick, onmouseover etc. is parsed as JavaScript. Use JavaScript string escaping in addition to HTML encoding.
  • In href attributes: A href value like javascript:alert(1) executes JavaScript even if HTML-encoded, because the browser decodes the attribute value before it parses the URL. Validate that URLs use http: or https: schemes explicitly.
  • Inside <script> blocks: Content inside script tags is parsed as JavaScript, not HTML. HTML encoding has no effect there.
  • In CSS: CSS injection is a separate attack vector requiring CSS-specific escaping.

For content embedded in HTML body text and standard quoted attributes (which is the most common case), HTML encoding the five critical characters closes the injection vector for that context. After encoding, inspect the result with the HTML Beautifier to verify the structure is intact.
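The encoding, decoding, and href-scheme points above, as an added example in plain JavaScript (not the tool's own source). The small named-entity table and the sample display name are constructed for the example.

```javascript
// Added example: encode the five critical characters for the HTML body /
// quoted-attribute context, decode named, decimal and hex entities, and
// allow-list href schemes. Not the tool's own code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Each character is replaced exactly once, so '&' is never double-encoded.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed subset of the named-entity table; the full list is much larger.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0',
  copy: '\u00A9', reg: '\u00AE', trade: '\u2122',
  ldquo: '\u201C', rdquo: '\u201D', mdash: '\u2014',
};

// Decode &name; , &#60; and &#x3C; in one pass. Unknown names and
// out-of-range code points are left as written, as a browser would leave them.
function decodeEntities(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1].toLowerCase() === 'x';
      const cp = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp > 0x10ffff ? match : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body) ? NAMED_ENTITIES[body] : match;
  });
}

// href context: the browser decodes the attribute value before URL parsing,
// so encoding cannot neutralise a javascript: scheme. Check the scheme instead.
// Relative URLs resolve against the (constructed) base and are allowed.
function isSafeHref(url) {
  try {
    const scheme = new URL(url, 'https://example.invalid/').protocol;
    return scheme === 'http:' || scheme === 'https:';
  } catch {
    return false;
  }
}

// Constructed sample: a user-supplied display name rendered into body text.
const displayName = "<script>alert('xss')</script>";
console.log(encodeHtml(displayName));
```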

Decoding API Responses and Database Content

HTML-encoded content appears in unexpected places. CMS database fields, XML data returned by SOAP APIs, RSS/Atom feed content, and certain JSON APIs all return HTML-encoded strings. Reading &ldquo;Hello&rdquo; in a log entry or API response is unpleasant. Switch this tool to Decode mode to instantly read the actual content. After decoding, if the result is JSON, pipe it into the JSON Formatter.

Working With Special Typography Characters

HTML entities cover far more than the five security-critical characters. The full entity list includes typographic characters like curly quotes (&ldquo; &rdquo;), em dashes (&mdash;), non-breaking spaces (&nbsp;), and hundreds of mathematical and symbol characters. This tool encodes any text containing special characters into safe entity form and decodes entity-heavy content back to readable text.

Verified by ToollyX Team · Last updated June 2026

Disclaimer: All encoding and decoding runs in your browser. No input text is transmitted anywhere.