ENCODER · ESCAPE / UNESCAPE · INSTANT

HTML Entity Encoder & Decoder

Escape text so it displays literally in HTML — < becomes &lt; — or decode entity-filled text back to readable characters. Handles named entities, numeric codes, and optionally all non-ASCII characters.

The five that matter: &&amp;, <&lt;, >&gt;, "&quot;, '&#39;. Escaping these is what stops user text from being interpreted as markup — the foundation of XSS prevention when displaying untrusted content.

Infographic: HTML escaping — raw script tags execute; entity-encoded ones display as text. Five characters carry the risk: & < > quote apostrophe
Displayed, not executed — five entities stand between user input and XSS.

When you need entity encoding

Three everyday cases: displaying code snippets on a web page (every < in the sample must become &lt; or the browser treats it as a tag); putting user-supplied text into HTML safely (unescaped input is the classic XSS vector); and fixing double-encoded messes like &amp;amp; that appear when text gets escaped twice through a CMS pipeline — decode repeatedly until it stabilizes. The decoder here understands 40+ named entities plus all numeric (&#233;) and hex (&#xE9;) forms.

Frequently asked questions

Why does & need to be encoded first?

Because & starts every entity — if you encoded < to &lt; and then encoded &, you'd corrupt your own output into &amp;lt;. Encode & first (this tool does), and decode it last, for the same reason.

What's the difference between &#233; and &#xE9;?

The same character (é) referenced by decimal versus hexadecimal code point. Both are valid HTML; the decoder here accepts both, and the encoder emits decimal for predictability.

Do I still need entities for é and other accents in modern HTML?

Usually not — with <meta charset="UTF-8"> (universal now), raw accented characters, Hindi, and emoji work directly. Entities remain useful for the five structural characters, for content passing through ASCII-only systems (some email pipelines), and for making invisible characters like &nbsp; explicit.

Is encoding entities enough to prevent XSS?

It's the correct defense for one context: inserting text into HTML content. Other contexts need their own escaping — URLs need percent-encoding, JavaScript strings need JS escaping, attributes need quoting plus entity encoding. Encoding for the wrong context is how escaped-but-still-vulnerable bugs happen.

Related free tools

ENCODER

Base64 Encoder

A different escape mechanism for binary-safe transport.

EDITOR

Markdown Editor

Write content that compiles to clean HTML.