HTML Encoder / Decoder
Encode special characters to HTML entities and decode HTML entities back to readable text.
How It Works
Paste your text or HTML into the input area. Click Encode to convert special characters like <, >, &, and " to their HTML entity equivalents. Click Decode to convert HTML entities back to plain characters.
HTML encoding converts special characters into HTML entities — safe representations that browsers render correctly without interpreting them as markup. This is essential for displaying code examples, preventing XSS vulnerabilities, and storing user-generated content safely.
**Why HTML Encoding Matters**
When building web applications, any content that will be displayed in a browser must be HTML-encoded if it contains characters that have special meaning in HTML. The most critical characters are `<`, `>`, `&`, `"`, and `'`. Without encoding, these characters can break your HTML structure or — more dangerously — create cross-site scripting (XSS) vulnerabilities.
**Common HTML Entities**
| Character | HTML Entity | Decimal | Hexadecimal |
|-----------|-------------|---------|-------------|
| `<` | `&lt;` | `&#60;` | `&#x3C;` |
| `>` | `&gt;` | `&#62;` | `&#x3E;` |
| `&` | `&amp;` | `&#38;` | `&#x26;` |
| `"` | `&quot;` | `&#34;` | `&#x22;` |
| `'` | `&apos;` | `&#39;` | `&#x27;` |
| ` ` | `&nbsp;` | `&#160;` | non-breaking space |
**XSS Prevention**
Cross-site scripting (XSS) is one of the most common web vulnerabilities. It occurs when user input containing `<script>` tags or event handlers is rendered directly in HTML without encoding. Always encode user input before displaying it in the browser.
**Use Cases**
- Displaying code snippets on web pages without them being interpreted as HTML
- Storing and retrieving user-generated content safely
- Preparing content for HTML emails
- Debugging HTML rendering issues
- Learning HTML entity syntax
**Numeric vs Named Entities**
HTML entities can be written as named references (`&lt;`), decimal numeric references (`&#60;`), or hexadecimal references (`&#x3C;`). Named entities are more readable; numeric entities work for any Unicode character.
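The encoding and decoding described above, sketched in JavaScript as an added example (not this tool's own code; `encodeHtml`, `decodeHtml` and the sample comment are illustrative names and constructed input). It shows the two details that most often go wrong: double-encoding of `&`, and decoding in more than one pass.

```javascript
// Added example; function names are illustrative, not this tool's code.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

// Encode the five characters that are significant in HTML text and in
// quoted attribute values. A single regex pass means an '&' written by
// the encoder itself is never encoded a second time.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Decode named, decimal and hexadecimal references in ONE pass, so
// "&amp;lt;" decodes to the literal text "&lt;" and not to "<".
function decodeHtml(text) {
  const ref = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g;
  return String(text).replace(ref, (match, body) => {
    if (body[0] !== '#') {
      // Own-property check: "&constructor;" must not hit Object.prototype.
      const known = Object.prototype.hasOwnProperty.call(NAMED, body);
      return known ? NAMED[body] : match; // unknown names stay untouched
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // NUL, surrogates and out-of-range values become U+FFFD instead of throwing.
    if (code === 0 || code > 0x10ffff || (code >= 0xd800 && code <= 0xdfff)) {
      return '\uFFFD';
    }
    return String.fromCodePoint(code);
  });
}

// Constructed sample input: a comment field that contains markup.
const userComment = `<script>alert("hi")</script> & 'more'`;
const safe = encodeHtml(userComment);
console.log(safe);                              // inert text, safe to place in HTML
console.log(decodeHtml(safe) === userComment);  // round-trips to the original
```

This encoding is sufficient for HTML text nodes and quoted attribute values only. Data placed inside a `<script>` block, a URL, CSS, or an unquoted attribute needs the encoding for that context instead.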
**Privacy**
All processing happens in your browser. No content is sent to our servers.