HTML Encoder / Decoder

Encode special characters to HTML entities and decode HTML entities back to readable text.

How It Works

Paste your text or HTML into the input area. Click Encode to convert special characters like `<`, `>`, `&`, and `"` to their HTML entity equivalents. Click Decode to convert HTML entities back to plain characters.

HTML encoding converts special characters into HTML entities — safe representations that browsers render correctly without interpreting them as markup. This is essential for displaying code examples, preventing XSS vulnerabilities, and storing user-generated content safely.

**Why HTML Encoding Matters**

When building web applications, any content that will be displayed in a browser must be HTML-encoded if it contains characters that have special meaning in HTML. The most critical characters are `<`, `>`, `&`, `"`, and `'`. Without encoding, these characters can break your HTML structure or — more dangerously — create cross-site scripting (XSS) vulnerabilities.

**Common HTML Entities**

| Character | HTML Entity | Decimal | Hexadecimal |
|-----------|-------------|---------|-------------|
| `<` | `&lt;` | `&#60;` | `&#x3C;` |
| `>` | `&gt;` | `&#62;` | `&#x3E;` |
| `&` | `&amp;` | `&#38;` | `&#x26;` |
| `"` | `&quot;` | `&#34;` | `&#x22;` |
| `'` | `&apos;` | `&#39;` | `&#x27;` |
| (non-breaking space) | `&nbsp;` | `&#160;` | `&#xA0;` |

**XSS Prevention**

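Cross-site scripting (XSS) is one of the most common web vulnerabilities. It occurs when user input containing `<script>` tags or event handlers is rendered directly in HTML without encoding. Always encode user input before displaying it in the browser. Entity encoding covers HTML text and quoted attribute values; input placed inside a script block, an inline event handler, or a URL attribute needs encoding appropriate to that context.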

**Use Cases**

- Displaying code snippets on web pages without them being interpreted as HTML
- Storing and retrieving user-generated content safely
- Preparing content for HTML emails
- Debugging HTML rendering issues
- Learning HTML entity syntax

**Numeric vs Named Entities**

HTML entities can be written as named references (`&lt;`), decimal numeric references (`&#60;`), or hexadecimal references (`&#x3C;`). Named entities are more readable; numeric entities work for any Unicode character.
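The encoding described under XSS Prevention and the three reference forms described above, as an added example that is not this tool's own code: a single-pass encoder for the five critical characters and a decoder for named, decimal and hexadecimal references. The function names, the named-entity subset (the table's rows only), and the choice to leave unknown or invalid references untouched are assumptions of this example.

```javascript
// Added example (not the tool's code). Names and entity subset are assumptions.
const ENCODE = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;'],
]);
// Named references from the table above only; a Map avoids matching
// inherited object keys such as "constructor".
const NAMED = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"], ['nbsp', '\u00A0'],
]);
const REFERENCE = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;

// One pass over the input: every special character is replaced exactly once,
// so text that already contains "&lt;" becomes "&amp;lt;" and displays as "&lt;".
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE.get(ch));
}

// Also one pass: "&amp;lt;" decodes to the text "&lt;", never on to "<".
// Unknown names and invalid code points are left untouched (an assumption
// of this example; browsers substitute U+FFFD for some invalid references).
function decodeHtml(text) {
  return String(text).replace(REFERENCE, (match, body) => {
    if (body[0] !== '#') return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : match;
  });
}

// Constructed sample input.
const sample = `<script>alert("hi")</script> & 'quoted'`;
console.log(encodeHtml(sample));
console.log(decodeHtml('&#60;b&#x3E; &amp;lt; &nbsp;'));
```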

**Privacy**

All processing happens in your browser. No content is sent to our servers.

Frequently Asked Questions

HTML entities are special codes that represent characters that have meaning in HTML markup. For example, `&lt;` represents the less-than sign `<`, preventing the browser from treating it as a tag.
To prevent XSS (Cross-Site Scripting) attacks and to correctly display characters that would otherwise be interpreted as HTML markup. Always encode user input before displaying it.
`&` is the ampersand character. `&amp;` is its HTML-encoded form. Use `&amp;` inside HTML attributes and content so browsers display it correctly.
Yes. Any Unicode character can be represented as a numeric HTML entity (`&#decimal;` or `&#xhex;`). Only a limited set of named entities exist, but all characters have numeric forms.
No. HTML encoding prevents XSS in the browser. SQL injection requires parameterized queries or prepared statements — a completely different security measure.