HTML Entities Encoder / Decoder
Escape text for safe HTML display, or decode &-riddled text back to readable characters.
Result
About this tool
Five characters have special meaning in HTML — <, >, &, and both quote marks — and displaying them literally requires escaping them as entities: &lt;, &gt;, &amp;, &quot; and &#39;. Forget to escape and one of two things happens: the browser silently swallows your text as a malformed tag, or, if the text came from a user, you've opened the door to script injection. Escaping user-supplied text before display is one of the oldest security rules on the web.
The encoder handles those five critical characters, with an optional switch to also convert every non-ASCII character (é, ₹, emoji) to numeric entities — useful when your output must survive systems that mangle anything beyond plain ASCII. The decoder goes the other way and uses the browser's own HTML parser under the hood, which means it correctly decodes every entity that exists — named (&eacute;), decimal (&#233;) and hexadecimal (&#xE9;) — not just a hardcoded list.
Everyday uses: displaying code snippets on a web page, cleaning up scraped or exported text full of &amp; and &#39;, preparing text for XML or RSS feeds, and inspecting what some mangled email or CMS output actually says. Conversion runs live in both directions, entirely in your browser.
How to use the HTML Entities Encoder / Decoder
- 1Choose Encode (plain text → entities) or Decode (entities → plain text).
- 2Paste your text — the result converts live.
- 3For encode, optionally switch on non-ASCII conversion for maximum compatibility.
- 4Copy the result.
Frequently asked questions
Which characters must be escaped in HTML?
The critical five: < and > (tag delimiters), & (entity starter), and " and ' (attribute delimiters). Escaping user-supplied text before display is also a fundamental defense against cross-site scripting (XSS).
What's the difference between &lt;, &#60; and &#x3C;?
Three notations for the same character (<): a named entity, a decimal numeric entity, and a hexadecimal numeric entity. Browsers treat them identically. This decoder handles all three forms.
Why does exported text show &amp; and &#39; everywhere?
It was HTML-encoded once (or twice) somewhere in the pipeline — common with CMS exports, scraped pages and email systems. Paste it into Decode mode to recover the readable text; run decode twice if it was double-encoded.
When should I encode non-ASCII characters too?
When the destination might not handle UTF-8 reliably — very old systems, some email templates, or feeds with unknown consumers. Modern UTF-8 pages don't need it; é works literally. The option exists for the pipelines that do.
Related tools
URL Encoder / Decoder
Percent-encode text for URLs or decode %20-riddled strings back into readable text — live.
Open toolBase64 Encode / Decode
Convert text to Base64 and back — UTF-8 safe, so emoji and non-English characters survive.
Open toolMarkdown Preview
Write Markdown on the left, see rendered output on the right — live, side by side.
Open toolFind & Replace
Find every occurrence of a word or phrase and replace them all at once — with a live match count.
Open tool