What are HTML entities?

HTML entities are sequences that represent characters that have special meaning in HTML or that cannot appear directly in HTML source code. For example, < represents the less-than sign (<), which must be encoded to prevent the browser from treating it as the start of an HTML tag. Entities start with & and end with ; — they can be named (&) or numeric (&).

When should I encode HTML entities?

Encode HTML entities whenever you embed user-generated content, code snippets, or text containing & " ' into an HTML document. Without encoding, those characters can break the page structure or create XSS vulnerabilities. Common scenarios: displaying code in a or block, embedding text in a CMS that renders HTML directly, or preparing content for HTML email templates.

What is the difference between HTML-safe only and All non-ASCII modes?

HTML-safe only encodes five characters that break HTML structure: & " and '. This is sufficient for most use cases and produces readable output. All non-ASCII additionally converts every character with a code point above U+007E (tilde) to a numeric HTML entity (&#charCode;). Use All non-ASCII when you need ASCII-only output — for example, legacy email systems, certain CMS fields, or environments where non-ASCII characters cause encoding issues.

Is this tool safe for sensitive content?

Yes. All encoding and decoding runs entirely in your browser using JavaScript. Your content is never uploaded to any server. You can encode passwords, API responses, or private documents without any data leaving your device.

Does the decoder support named HTML entities like and ©?

Yes. The decoder uses the browser's own HTML parsing engine via the textarea trick (setting a textarea's value and reading it back). This handles all named HTML entities ( , ©, €, —, etc.) and numeric entities ( , ©) correctly, because the browser's parser resolves them exactly as it would when rendering HTML.

Home › Tools › Developer Tools › HTML Entity Encoder / Decoder

HTML Entity Encoder / Decoder

Encode HTML special characters — <, >, &, ", ' — to safe HTML entities, or decode entities back to plain text. Instant client-side conversion. Common use cases: CMS content, email templates, code snippets. 100% in-browser, nothing stored.

All encoding and decoding runs in your browser. Your content is never uploaded or stored.

Encode scope:

HTML-safe only (< > & " ') All non-ASCII (numeric entities for every char above U+007E)

Input 0 chars

Input too large — reduce to under 100 KB to convert.

Output 0 chars

About HTML Entity Encoder / Decoder

HTML Entity Encoder / Decoder converts between plain text and HTML entity notation instantly in your browser. Paste text in the INPUT panel and the encoded output appears in the OUTPUT panel with zero delay — no button click, no server round-trip, no data sent anywhere.

Encode mode

Two scopes are available. HTML-safe only encodes the five characters that break HTML structure: & < > " and '. The ampersand is encoded first to prevent double-encoding. This scope is the right choice for the vast majority of use cases — CMS content, code snippets, email template bodies, and API response values that will be rendered inside HTML.

All non-ASCII encodes the same five HTML-structural characters first, then additionally converts every character with a Unicode code point above U+007E (tilde) to a numeric HTML entity (&#charCode;). Use this scope when the target environment requires strict ASCII output — legacy email systems, certain CMS fields, or HTTP headers where non-ASCII bytes can cause encoding issues.

Decode mode

The decoder uses the browser's own HTML parser via the textarea trick: the encoded string is assigned to a textarea element's value property and read back as text. This handles all named entities ( , ©, €, —), numeric decimal entities ( ), and numeric hexadecimal entities (©) correctly and safely. No innerHTML assignment is used, so there is no risk of script execution when decoding content that contains <script> tags as entities.

Input limit

Input is capped at 100 KB. For larger documents, split the content into sections. All conversion happens synchronously in JavaScript — no background processing, no waiting.

Common use cases

Embedding user-generated content in HTML — A developer building a comment display system encodes user input before inserting it into an HTML template. Encoding < > & " ' to entities prevents the raw text from breaking the surrounding HTML structure or creating an XSS injection point in cases where the server-side escaping is bypassed or incomplete.
Preparing code snippets for documentation — A technical writer preparing HTML documentation that includes inline code examples with angle brackets encodes the code blocks so they render as visible characters rather than being interpreted as tags by the browser or CMS.
Debugging CMS entity double-encoding — A developer troubleshooting a CMS that is double-encoding entities (showing &amp;lt; instead of <) pastes the output into Decode mode twice in succession to trace where the extra encoding layer was introduced.
Email template HTML preparation — An email developer building an HTML email template encodes special characters in dynamic text fields before inserting them into the template body. Many email clients apply their own rendering rules that can misinterpret unencoded characters in attributes.

Frequently asked questions

When should I use HTML-safe only vs. All non-ASCII?

HTML-safe only encodes the five characters that break HTML structure (< > & " '). This is correct for the vast majority of use cases. Use All non-ASCII when the target system requires strict 7-bit ASCII output — for example, legacy email clients that do not support multi-byte characters, or XML parsers with strict encoding requirements.

Does this tool handle named entities like   and ©?

Yes, in Decode mode. The decoder uses the browser's native HTML parser, which resolves all named entities (including  , ©, €, —, and the full HTML5 named character reference list) correctly. Encode mode only produces named entities for the five HTML-structural characters and numeric entities for everything else.

Is it safe to decode content that contains <script> tags?

Yes. The decoder uses a textarea element trick (assigning the encoded string to textarea.value and reading back the plain text) rather than innerHTML assignment. The browser performs entity resolution without parsing or executing any HTML, so encoded script tags decode to plain text, not executable code.

Does this tool send my content to a server?

No. All encoding and decoding runs in JavaScript entirely within your browser. Nothing is uploaded or stored. You can encode sensitive content — API keys, passwords, private documents — without any data leaving your device.

What is the input size limit?

Input is capped at 100 KB (approximately 100,000 characters). For larger documents, split the content into sections and encode each section separately.

Keep going

More developer tools

LiveDeveloper

Base64 Encoder / Decoder

Encode binary or file content as Base64 for safe transport in data URIs, API payloads, or email templates — the encoding complement to HTML entity conversion.

Open tool

LiveDeveloper

URL Encoder / Decoder

Percent-encode URLs and query string values — use alongside HTML entity encoding when building safe links inside HTML attributes.

Open tool

LiveDeveloper

Binary Translator

Translate text to binary and back — covers the ASCII range that HTML-safe encoding also protects, useful for understanding character encoding at the byte level.

Open tool

LiveDeveloper

JSON Formatter & Validator

Format and validate JSON that may contain encoded HTML entities — confirm structure and entity values are correct before embedding in API responses or documentation.

Open tool