HTML Entity Encoder & Decoder
Escape text so it displays literally in HTML — < becomes < — or decode entity-filled text back to readable characters. Handles named entities, numeric codes, and optionally all non-ASCII characters.
The five that matter: & → &, < → <, > → >, " → ", ' → '. Escaping these is what stops user text from being interpreted as markup — the foundation of XSS prevention when displaying untrusted content.
When you need entity encoding
Three everyday cases: displaying code snippets on a web page (every < in the sample must become < or the browser treats it as a tag); putting user-supplied text into HTML safely (unescaped input is the classic XSS vector); and fixing double-encoded messes like &amp; that appear when text gets escaped twice through a CMS pipeline — decode repeatedly until it stabilizes. The decoder here understands 40+ named entities plus all numeric (é) and hex (é) forms.
Frequently asked questions
Why does & need to be encoded first?
Because & starts every entity — if you encoded < to < and then encoded &, you'd corrupt your own output into &lt;. Encode & first (this tool does), and decode it last, for the same reason.
What's the difference between é and é?
The same character (é) referenced by decimal versus hexadecimal code point. Both are valid HTML; the decoder here accepts both, and the encoder emits decimal for predictability.
Do I still need entities for é and other accents in modern HTML?
Usually not — with <meta charset="UTF-8"> (universal now), raw accented characters, Hindi, and emoji work directly. Entities remain useful for the five structural characters, for content passing through ASCII-only systems (some email pipelines), and for making invisible characters like explicit.
Is encoding entities enough to prevent XSS?
It's the correct defense for one context: inserting text into HTML content. Other contexts need their own escaping — URLs need percent-encoding, JavaScript strings need JS escaping, attributes need quoting plus entity encoding. Encoding for the wrong context is how escaped-but-still-vulnerable bugs happen.