Free · in your browser · no signup

HTML Entity Encoder & Decoder

Encode special characters to HTML entities (or decode them back) so your markup renders safely — instantly, in your browser.

This is a free, in-browser tool for converting text to HTML entities and back. Encoding replaces characters that have special meaning in HTML, such as <, >, &, and quotation marks, with their entity equivalents like &lt;, &gt;, &amp;, and &quot;. Decoding reverses the process, turning entities back into the literal characters they represent. You can paste a snippet, switch direction, and copy the result.

The practical reason to do this is to keep markup valid and safe. When user-supplied or dynamic text is dropped into a page without encoding, an unescaped < can start a tag the browser wasn't meant to render, and an unescaped & can break an entity reference. Encoding turns that text into something the browser displays verbatim instead of interpreting. Everything runs locally in your browser, so the text you paste is never uploaded to a server.

How it works

The tool runs entirely in your browser. Paste text into the input, pick Encode or Decode, and the output updates so you can copy it.

Encoding scans your text and replaces characters that are syntactically significant in HTML with named or numeric entities. The core five are:

  • & → &amp; (must be encoded first, since every other entity begins with &)
  • < → &lt;
  • > → &gt;
  • " → &quot;
  • ' → &#39; (or &apos;)

Decoding parses entity references and resolves them back to characters. It understands named entities (&copy;), decimal numeric references (&#169;), and hexadecimal references (&#xA9;), all of which yield the same © character.

Because the conversion is rule-based and local, there's no rate limit, no account, and nothing leaves your machine. That matters when the snippet you're cleaning up contains internal code, tokens, or unreleased copy.

A worked example

Say you want to show readers a literal <a> tag inside an article, including its attributes. If you paste the raw markup into your HTML, the browser will render a clickable link instead of printing the code.

Start with this source text:

<a href="/docs">Read the docs & more</a>

Run Encode and you get:

&lt;a href=&quot;/docs&quot;&gt;Read the docs &amp; more&lt;/a&gt;

Drop that encoded string into your page and the browser displays the tag as text, character for character, including the & in "docs & more". Running Decode on the encoded version returns the original source exactly. This round-trip is the quickest way to confirm a string is safe to embed: encode it, paste it, and verify the page shows the code rather than acting on it.

Common use cases

A few situations where entity conversion is the right move:

  • Displaying code in documentation or tutorials. Any time you want to show HTML, XML, or template syntax as text, encode it so the browser prints the tags instead of executing them.
  • Escaping dynamic or user-supplied content. Comments, search terms, usernames, and form values should be encoded before they're inserted into a page so they can't introduce stray markup.
  • Cleaning up scraped or copied text. Content pulled from another page often arrives already encoded (&amp;amp;, &#39;). Decode it once to recover the real characters.
  • Fixing email and CMS exports. Many editors and newsletter tools store body text with entities baked in; decoding reveals what the reader actually sees.
  • Authoring static HTML by hand. Encode special characters in headings, attribute values, and inline text so the file validates.

In each case the goal is the same: control whether a character is treated as data or as markup.

Tips and gotchas

Encode the ampersand first. If you replace < and > before &, you can corrupt the entities you just created. Correct tooling always handles & before anything else, which is what this tool does.

Double-encoding is a real bug. Encoding an already-encoded string turns &amp; into &amp;amp;, which shows up on the page as the literal text &amp;. If you see entity-looking text rendered to users, you've likely encoded twice. Decode once and check.

Quotes only matter in certain places. Inside an attribute value, an unescaped " ends the attribute early. In plain text content, quotes are harmless. Encoding them everywhere is safe and simple, so the tool does.

Numeric and named entities are interchangeable. &copy;, &#169;, and &#xA9; all decode to ©. If a target system doesn't support named entities, numeric references are the safer choice.
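The ordering rule, the three reference forms and the double-encoding check described above, as an added JavaScript example that is not this tool's own code. The function names and the small named-entity table are assumptions made for illustration.

```javascript
// Added example: function names and the entity table are hypothetical.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Small subset of the named entities defined by HTML, enough for the demo.
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'],
  ['apos', "'"], ['copy', '\u00A9'], ['nbsp', '\u00A0'], ['euro', '\u20AC']]);

// Single pass: every source character is visited once, so an "&" that the
// encoder itself emits is never encoded again.
function encodeEntities(text) {
  return text.replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

// Chained replaces in the wrong order, kept only to show the corruption.
function encodeWrongOrder(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/&/g, '&amp;');
}

// One decode pass over named, decimal and hexadecimal references.
function decodeEntities(text) {
  const ref = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;
  return text.replace(ref, (match, body) => {
    if (body[0] !== '#') return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // Design choice for this example: leave invalid code points untouched.
    const invalid = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return invalid ? match : String.fromCodePoint(cp);
  });
}

// Decode until the text stops changing and report how many passes it took.
// More than one layer means the input was encoded more than once.
function encodingLayers(text, maxPasses = 5) {
  let current = text;
  let layers = 0;
  while (layers < maxPasses) {
    const next = decodeEntities(current);
    if (next === current) break;
    current = next;
    layers += 1;
  }
  return { layers, text: current };
}
```

A layer count above one is a hint, not proof: text that is meant to display an entity literally (as this page does) also decodes in more than one pass.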

Named vs. numeric entities

HTML offers three ways to reference a character that you'd rather not type literally.

Named entities use a human-readable label between & and ;, like &amp;, &lt;, &nbsp;, or &euro;. They're readable but limited to the set defined by the HTML specification.

Decimal numeric references use the character's Unicode code point in base 10: &#8364; is the euro sign. Hexadecimal references use the same code point in base 16, prefixed with x: &#x20AC; is also the euro sign. Numeric references can express any Unicode character, including ones that have no named entity.

For the five characters that affect parsing (&, <, >, ", '), encoding is about correctness and safety. For everything else, such as accented letters, currency symbols, or emoji, entities are mostly a convenience: modern pages saved as UTF-8 can usually include those characters directly. When in doubt, the numeric form works everywhere.

Tips

  • Always encode `&` before `<` and `>` to avoid mangling the entities you're producing.
  • If users see literal `&amp;` text on a page, you've double-encoded. Decode once and re-check.
  • Encode quotes when the text will sit inside an HTML attribute value, where an unescaped quote ends the attribute.
  • Use numeric references (`&#169;`) instead of named ones when the destination doesn't support the full named-entity set.
  • Round-trip to verify: encode a snippet, paste it into your page, and confirm the code shows as text rather than rendering.
  • Pasting sensitive snippets is fine here since the conversion runs locally and nothing is sent to a server.

How to use HTML Entity Encoder & Decoder

  1. Paste your text or HTML.
  2. Click Encode to convert characters like < > & " to entities.
  3. Or click Decode to turn entities back into characters.
  4. Copy the result — all local.

Frequently asked questions

What's the difference between &lt; and just <?

`&lt;` is the entity that displays as a literal `<` on the page, while a raw `<` is read by the browser as the start of a tag. Encode it when you want the character shown as text instead of interpreted as markup.

Which characters actually need to be HTML-encoded?

The five that affect parsing: `&`, `<`, `>`, and the quote characters `"` and `'`. Other characters like accented letters or symbols can usually be left as-is in a UTF-8 document, though entities still work.

Does encoding HTML entities prevent XSS?

Encoding text before inserting it into HTML is a key defense, because it stops attacker-supplied characters from being parsed as tags or attributes. It is not a complete solution on its own; data placed into JavaScript, URLs, or CSS contexts needs encoding appropriate to that context.
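Why entity encoding alone is not enough for a URL context, shown as an added JavaScript example rather than code from this tool. `safeHref`, `searchLink`, `renderLink`, the `example.invalid` base and the sample values are assumptions.

```javascript
// Added example; all names and sample values here are hypothetical.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESC[c]);

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// URL context: decide whether the value may be a link target at all.
// Entity encoding cannot make this decision, because a scheme such as
// "javascript:" contains none of the five special characters.
function safeHref(raw, base = 'https://example.invalid/') {
  let url;
  try {
    url = new URL(raw, base); // also resolves relative paths such as "/docs"
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Query-string context: percent-encode the value first, then entity-encode
// the attribute, because the finished URL still sits inside HTML.
function searchLink(term) {
  const href = '/search?q=' + encodeURIComponent(term);
  return `<a href="${escapeHtml(href)}">${escapeHtml(term)}</a>`;
}

// Combine both steps: validate the URL, then encode for the HTML attribute.
function renderLink(rawUrl, label) {
  const href = safeHref(rawUrl);
  if (href === null) return escapeHtml(label); // drop the link, keep the text
  return `<a href="${escapeHtml(href)}">${escapeHtml(label)}</a>`;
}
```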

Why does my decoded text still show &amp; or &#39;?

The source was encoded more than once. Each decode pass removes one layer, so run the decode again until the literal characters appear.

Are &copy;, &#169;, and &#xA9; the same thing?

Yes. They're the named, decimal, and hexadecimal references for the same character, the copyright sign ©. All three decode identically; numeric forms work in places that don't recognize named entities.

Should I encode quotes inside attribute values?

Yes. An unescaped double quote inside a double-quoted attribute ends the value early and can break the tag. Encoding it as `&quot;` (or `&#34;`) keeps the attribute intact.

Is &apos; safe to use for a single quote?

`&apos;` is valid in HTML5 and XML/XHTML, but older HTML4 contexts don't recognize it. The numeric reference `&#39;` works everywhere, so it's the safer choice when targeting unknown environments.

Is my text uploaded anywhere when I use this tool?

No. Encoding and decoding happen in your browser, so the text you paste stays on your device and isn't sent to any server.
