CompleteToolkit

HTML Entities Encoder / Decoder

Escape text for safe HTML display, or decode &-riddled text back to readable characters.

Result

About this tool

Five characters have special meaning in HTML — <, >, &, and both quote marks — and displaying them literally requires escaping them as entities: &amp;lt;, &amp;gt;, &amp;amp;, &amp;quot; and &amp;#39;. Forget to escape and one of two things happens: the browser silently swallows your text as a malformed tag, or, if the text came from a user, you've opened the door to script injection. Escaping user-supplied text before display is one of the oldest security rules on the web.

The encoder handles those five critical characters, with an optional switch to also convert every non-ASCII character (é, ₹, emoji) to numeric entities — useful when your output must survive systems that mangle anything beyond plain ASCII. The decoder goes the other way and uses the browser's own HTML parser under the hood, which means it correctly decodes every entity that exists — named (&amp;eacute;), decimal (&amp;#233;) and hexadecimal (&amp;#xE9;) — not just a hardcoded list.

Everyday uses: displaying code snippets on a web page, cleaning up scraped or exported text full of &amp;amp; and &amp;#39;, preparing text for XML or RSS feeds, and inspecting what some mangled email or CMS output actually says. Conversion runs live in both directions, entirely in your browser.

How to use the HTML Entities Encoder / Decoder

  1. 1Choose Encode (plain text → entities) or Decode (entities → plain text).
  2. 2Paste your text — the result converts live.
  3. 3For encode, optionally switch on non-ASCII conversion for maximum compatibility.
  4. 4Copy the result.

Frequently asked questions

Which characters must be escaped in HTML?

The critical five: < and > (tag delimiters), & (entity starter), and " and ' (attribute delimiters). Escaping user-supplied text before display is also a fundamental defense against cross-site scripting (XSS).

What's the difference between &amp;lt;, &amp;#60; and &amp;#x3C;?

Three notations for the same character (<): a named entity, a decimal numeric entity, and a hexadecimal numeric entity. Browsers treat them identically. This decoder handles all three forms.

Why does exported text show &amp;amp; and &amp;#39; everywhere?

It was HTML-encoded once (or twice) somewhere in the pipeline — common with CMS exports, scraped pages and email systems. Paste it into Decode mode to recover the readable text; run decode twice if it was double-encoded.

When should I encode non-ASCII characters too?

When the destination might not handle UTF-8 reliably — very old systems, some email templates, or feeds with unknown consumers. Modern UTF-8 pages don't need it; é works literally. The option exists for the pipelines that do.