HTML Entity Encoder & Decoder
When you display text inside a webpage, some characters have a special meaning in HTML. The less-than sign, the greater-than sign, and the ampersand all tell the browser to treat what follows as HTML code. If your text contains these characters, you need to encode them so the browser shows them as text rather than treating them as code. This tool converts any text to HTML-safe entities in one click, or decodes entities back to plain text. It is essential for web developers displaying user content safely.
Frequently Asked Questions
What are HTML entities?
HTML entities are special codes used to display characters that have meaning in HTML. For example, the less-than sign < opens a tag, so to show it as text you write &lt; instead. Entities start with an ampersand and end with a semicolon.
Why do I need to encode HTML characters?
Displaying user-submitted text without encoding it can allow malicious users to inject HTML or JavaScript into your page. This is called Cross-Site Scripting (XSS). Encoding converts dangerous characters into safe display-only entities.
What is the HTML entity for a space?
A regular space is just a space in HTML. A non-breaking space, which prevents a line break between words, is &nbsp;. It is commonly used in page layouts to control spacing and prevent text from wrapping at unwanted points.
What is the difference between named and numeric HTML entities?
Named entities use a word like &amp; or &copy; and are easier to read. Numeric entities use a number like &#38; for the same character. Both work identically in the browser. Not all characters have named versions, but all have numeric ones.
Does this tool handle all Unicode characters?
This tool encodes the standard HTML special characters that must be escaped for safe display. It does not convert every Unicode character to a numeric entity. For most web use cases, encoding the five core characters (ampersand, quotes, angle brackets) is all that is needed.
What are the five most important HTML entities to know?
The five critical entities are: &amp; for the ampersand (&), &lt; for less-than (<), &gt; for greater-than (>), &quot; for double quotes ("), and &apos; for single quotes ('). These five characters have special meaning in HTML markup and must be escaped whenever they appear as literal content rather than HTML syntax.
What is XSS and how do HTML entities prevent it?
Cross-Site Scripting (XSS) is an attack where malicious JavaScript is injected into a webpage through user input. If a user types <script>alert('hacked')</script> and your app outputs it raw, the browser executes it. Encoding the input to &lt;script&gt;alert(&apos;hacked&apos;)&lt;/script&gt; makes the browser display it as text, not execute it. Always encode user input before inserting it into HTML.
What is &nbsp; and when should I use it?
&nbsp; is the non-breaking space entity. Unlike a regular space, it prevents the browser from line-wrapping at that point and from collapsing multiple spaces into one. It is useful for keeping two words together (like a name or a number with its unit), adding visual spacing in HTML without CSS, or preventing an empty table cell from collapsing in older browsers.
How It Works
This tool replaces each special character with its named HTML entity using a character-by-character substitution pass in JavaScript. The five core substitutions are: & to &amp;, < to &lt;, > to &gt;, " to &quot;, and ' to &apos;. Decoding reverses these replacements. All processing runs in your browser; nothing is sent to a server.
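The substitution pass described above, as an added example (not this tool's own source). The names encodeHtml and decodeHtml are hypothetical, the apostrophe is assumed to map to &apos;, and the decoder goes beyond the five named entities to also accept numeric references such as &#39;.

```javascript
// Added example: a five-character HTML entity encoder and its decoder.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
const DECODE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function encodeHtml(text) {
  // Single pass: every input character is visited once, so the '&' that
  // begins an entity we just emitted is never encoded a second time.
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

function decodeHtml(text) {
  // Single pass again: "&amp;lt;" must decode to the text "&lt;", not "<".
  // Chained .replace() calls that handle &amp; first would double-decode.
  const ref = /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|(amp|lt|gt|quot|apos));/g;
  return String(text).replace(ref, (match, dec, hex, name) => {
    if (name) return DECODE_MAP[name];
    const cp = dec ? parseInt(dec, 10) : parseInt(hex, 16);
    // Leave NUL, surrogates and out-of-range code points untouched.
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
    return String.fromCodePoint(cp);
  });
}

// Constructed sample input, taken from the FAQ's script-tag illustration.
const sample = "<script>alert('hacked')</script>";
console.log(encodeHtml(sample));
console.log(decodeHtml(encodeHtml(sample)) === sample);
```

The output of encodeHtml is safe only where HTML text or a quoted attribute value is expected.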
XSS Prevention
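HTML entity encoding is the primary defense against Cross-Site Scripting (XSS). When user input is encoded before being inserted into an HTML page, the browser treats it as display text rather than executable markup. Entity encoding protects HTML text and quoted attribute values; data placed inside a script block, an event-handler attribute, a URL, or CSS needs the escaping appropriate to that context. Every web framework has a built-in escaping function: always use it, and never insert raw user input into HTML.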
Named vs Numeric Entities
Named entities like &amp; are human-readable. Numeric entities like &#38; use the Unicode code point directly. Both work identically in browsers. Numeric entities work for any Unicode character: if you need to encode an emoji or a rare symbol, the numeric form &#[codepoint]; is always available even if there is no named entity.
When to Use This
Use when pasting code samples into a blog post or CMS that interprets HTML, when building an email newsletter that will be displayed in HTML-based email clients, when inserting special characters into an XML or SVG file, or when you need to safely display user-generated content in a template without risking XSS.