HTML Entity Encoder & Decoder Online — Escape HTML Safely
Convert any text to safe HTML by replacing characters like `<`, `>`, `&`, and `"` with their HTML entities — or decode entities back to the original characters. Use it to escape user content before rendering, prepare email templates, debug HTML payloads, or learn how named and numeric entities work. The converter runs entirely in your browser.
Features
Named & numeric entities
Switch between named entities (`&`, `©`) and numeric ones (`&`, `©`).
Encode untrusted input
Safely escape user-supplied content before injecting it into HTML templates.
Decode broken markup
Paste HTML that has been escaped multiple times and recover the original text.
No server round-trip
Everything runs locally — no upload, no tracking.
How to escape HTML entities online
Encode or decode HTML entities in three steps.
- Choose directionPick Encode (raw → entities) or Decode (entities → raw).
- Pick the formatDecide whether the encoded output uses named entities, numeric entities, or hexadecimal numeric entities.
- Paste your inputDrop the text or HTML into the input box. The result appears instantly.
- Copy the outputUse the copy button to paste the encoded HTML into your template or CMS.
Examples
Escape user-supplied text
Input
<script>alert("xss")</script>Output
<script>alert("xss")</script>
Decode numeric entities
Input
Café & Bistro
Output
Café & Bistro
Frequently Asked Questions
- When should I HTML-escape text?
- Always escape any value coming from outside your codebase — user input, query strings, third-party APIs — before injecting it into HTML. Failing to escape is the root cause of most XSS vulnerabilities.
- What is the difference between named and numeric entities?
- Named entities (`&`, `<`) are easier to read. Numeric entities (`&`, `<`) work for every Unicode character, including those without a defined name.
- Does this tool escape every character?
- By default it escapes the HTML-sensitive characters `<`, `>`, `&`, `"`, and `\'`. A "full" mode escapes every non-ASCII character for maximum portability.
- Can I use this for XML?
- Yes. The five HTML predefined entities (`amp`, `lt`, `gt`, `quot`, `apos`) are also the XML predefined entities, so escaped output is valid in XML documents.
- Is my input sent to a server?
- No. Encoding and decoding happen locally in your browser.