HTML Entity Encoder & Decoder

What HTML entities are for

HTML entities are escape sequences that let you put characters into HTML without the browser interpreting them as markup. The classic example: if you want to display the literal text <div> on a page, you cannot write <div> in your source — the browser would parse that as a tag. You write <div> and the browser renders it as four literal characters.

Entities come in two flavors: named (like &, ©) and numeric (decimal like © or hex like ©). Every named entity has an equivalent numeric form. HTML5 defines about 2,000 named entities but only a handful are commonly used.

The five characters you must escape

In HTML, only five characters are dangerous if left unescaped in text content or attributes:

• & → & (ampersand — starts an entity, must be escaped first)
• < → < (less-than — starts a tag)
• > → > (greater-than — ends a tag; optional in text, required in attributes for safety)
• " → " (double quote — closes an attribute value)
• ' → ' (single quote / apostrophe — closes a single-quoted attribute value)

Note the apostrophe uses the numeric form ' rather than '. That's because ' is an XML entity, not an HTML4 one — it works in modern browsers that support HTML5 but breaks in older ones. The numeric form works everywhere.

If your page is UTF-8 encoded (it should be in 2025), these five are the only characters you need to escape. Unicode characters like €, ü, → can go directly in your source with no encoding at all.

The three encoding modes

Minimal (recommended)

Escapes only the 5 dangerous characters. Leaves all Unicode intact. This is what you want for UTF-8 web pages — your source stays readable, your file size stays small, and the browser renders everything correctly.

input:  She said "hello" & waved — 5°C outside
output: She said "hello" & waved — 5°C outside

All non-ASCII (named where available)

Escapes the 5 dangerous characters plus every non-ASCII character, using a named entity when one exists (like ©, €, —) and a numeric entity otherwise. Useful for legacy CMS templates that are not UTF-8 safe, or when you need the output to be pure ASCII.

input:  She said "hello" & waved — 5°C outside
output: She said "hello" & waved — 5°C outside

All non-ASCII (numeric only)

Escapes the 5 dangerous characters plus every non-ASCII character, always using numeric entities (like ©). Most compatible — numeric entities are part of the earliest HTML specifications and work in everything. Use when the consuming system might not recognize named entities like €.

input:  She said "hello" & waved — 5°C outside
output: She said "hello" & waved — 5°C outside

How to use this tool

1. Pick a direction: Encode (text → HTML) or Decode (HTML → text)
2. For encode, pick a scope: minimal / all-named / all-numeric
3. Paste your input on the left — the output updates live
4. Click Swap sides to flip direction and move the current output into the input (useful for round-trip testing)
5. Click Sample to load a representative example for the current direction
6. Click Copy to put the output on your clipboard

Decoding uses the browser's own parser

For decoding, this tool uses the browser's DOMParser to resolve entities. That means every valid HTML5 entity is supported — all ~2,000 of them, plus numeric entities in both decimal and hex. Custom regex-based decoders miss obscure entities and mishandle edge cases like &notit; (which HTML5 treats as a semicolon-less partial parse). Using the real parser gives you the behavior real browsers have, which is what you want.

Security: when to encode vs when to trust your framework

Cross-site scripting (XSS) happens when user-controlled content is inserted into HTML without escaping. A malicious user enters <script>alert(1)</script> as their display name, your template renders it directly, and suddenly everyone who visits that page runs the attacker's code.

Modern frameworks handle this for you when used correctly:

• React, Vue, Svelte, Angular: automatic HTML escaping on all text interpolation. You only become vulnerable if you explicitly opt out ( dangerouslySetInnerHTML, v-html, @html, [innerHTML])
• Server-side templating (Jinja, ERB, Handlebars, Liquid): usually auto-escapes, but check your config. Old raw-string templates ( {{{ }}}, |raw) bypass escaping
• Hand-written HTML concatenation: always dangerous. If you ever write html += userInput, escape first

This tool is for the cases where you need to escape manually: generating static HTML from a script, preparing content for a CMS that does not auto-escape, or encoding a code example for display inside a documentation page.

Common pitfalls

• Escaping in the wrong order: always escape & first. If you escape < first, you turn it into <, and then the &-escape step turns it into <, which renders as the literal text < instead of <. This tool handles the order correctly
• Double-encoding: running already-encoded HTML through the encoder again, turning & into &. Decode first, then re-encode if needed
• Using entities in URLs: HTML entities are for HTML text and attributes. For URLs, use percent-encoding via the URL Encoder. The two schemes are not interchangeable
• Forgetting that attributes need quote escaping: it is not enough to escape < and >. If your attribute value can contain a " or ', escape those too, or the attribute terminates early and everything after it becomes new attributes (an XSS vector). Minimal mode escapes all five
• Non-breaking space confusion: the   entity is nota regular space — it is a different Unicode codepoint (U+00A0). Search/replace will miss it, copy/paste preserves it, and word counters often get it wrong. Useful for preventing line breaks, but don't sprinkle it around for spacing

Privacy

Encoding runs entirely in your browser (JavaScript string manipulation), and decoding uses the browser's native DOMParser. Nothing is sent to a server — safe for internal HTML, private content, and pre-release copy.

Frequently asked questions

Why does apostrophe encode to ' instead of '?

'is an XML entity, not HTML4. It was only added to HTML in HTML5, so older parsers and some legacy systems don't recognize it. The numeric form ' works everywhere and has worked since HTML 2.0 (1995). Using it is the safe default.

Do I need to escape non-ASCII characters?

For a UTF-8 page (the modern default), no — just put <meta charset="utf-8"> in your head and write characters directly. Escape them only if (a) your output target is not UTF-8, (b) you need ASCII-only output for legacy tools, or (c) you want to use entity names for self-documenting code.

How is this different from URL encoding?

HTML entities are for text inside HTML documents (body content, attributes). URL encoding (percent encoding) is for characters inside URLs. Use the URL Encoder for URLs. The two schemes overlap but are NOT interchangeable — they produce completely different output for the same input.

Can I decode hex entities like ™?

Yes. The decoder uses the browser's DOMParser, which resolves both decimal ( ™) and hex ( ™) numeric forms, plus every named entity in HTML5.

Does this tool escape characters for safe JSON output?

No — JSON has its own escaping rules. Use JSON.stringify() for JSON. HTML entity encoding is for HTML only.

Is my data sent anywhere?

No. Encoding is pure JavaScript string manipulation, decoding uses the browser's native DOMParser. No network calls, no analytics on the content you encode.