Loading...

HTML Entity Encoder & Decoder Online — Escape HTML Safely

Convert any text to safe HTML by replacing characters like `<`, `>`, `&`, and `"` with their HTML entities — or decode entities back to the original characters. Use it to escape user content before rendering, prepare email templates, debug HTML payloads, or learn how named and numeric entities work. The converter runs entirely in your browser.

Features

  • Named & numeric entities

    Switch between named entities (`&amp;`, `&copy;`) and numeric ones (`&#38;`, `&#169;`).

  • Encode untrusted input

    Safely escape user-supplied content before injecting it into HTML templates.

  • Decode broken markup

    Paste HTML that has been escaped multiple times and recover the original text.

  • No server round-trip

    Everything runs locally — no upload, no tracking.

How to escape HTML entities online

Encode or decode HTML entities in three steps.

  1. Choose directionPick Encode (raw → entities) or Decode (entities → raw).
  2. Pick the formatDecide whether the encoded output uses named entities, numeric entities, or hexadecimal numeric entities.
  3. Paste your inputDrop the text or HTML into the input box. The result appears instantly.
  4. Copy the outputUse the copy button to paste the encoded HTML into your template or CMS.

Examples

Escape user-supplied text

Input
<script>alert("xss")</script>
Output
&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;

Decode numeric entities

Input
Caf&#233; &amp; Bistro
Output
Café & Bistro

Frequently Asked Questions

When should I HTML-escape text?
Always escape any value coming from outside your codebase — user input, query strings, third-party APIs — before injecting it into HTML. Failing to escape is the root cause of most XSS vulnerabilities.
What is the difference between named and numeric entities?
Named entities (`&amp;`, `&lt;`) are easier to read. Numeric entities (`&#38;`, `&#x3C;`) work for every Unicode character, including those without a defined name.
Does this tool escape every character?
By default it escapes the HTML-sensitive characters `<`, `>`, `&`, `"`, and `\'`. A "full" mode escapes every non-ASCII character for maximum portability.
Can I use this for XML?
Yes. The five HTML predefined entities (`amp`, `lt`, `gt`, `quot`, `apos`) are also the XML predefined entities, so escaped output is valid in XML documents.
Is my input sent to a server?
No. Encoding and decoding happen locally in your browser.