HTML entity encode / decode
Turn plain text into HTML-safe entities, or expand entities back to characters—useful for snippets, templates, and CMS fields. Runs entirely in your browser.
Using this page
Choose encode when you need to paste literal angle brackets, ampersands, or quotes inside HTML without the browser treating them as markup. Choose decode when you copied entity-heavy HTML or XML text and want readable characters for editing. This is not a full HTML sanitizer—pair with your framework’s escaping rules for untrusted input.
For URL or Base64 text (not HTML entities), use the Encoding workspace. For Unicode escapes inside JSON strings, use JSON string helpers. For rendered HTML fragments and meta lines, Markdown preview and Open Graph preview cover neighboring workflows.
How it works
Encode turns &, <, >, and quotes into entity form so text is safe inside HTML.
Decode expands common named and numeric references (e.g. &amp;amp; for &, &amp;copy; or &amp;#169; for ©) using the browser—runs locally in your tab.
Encode and decode replace the editor above; use Copy when you are done.
Nearby workflows on Toolcore
- Unicode escapes — for \u sequences in source files beside percent-encoding.
- Markdown preview — to preview rendered HTML after entities expand.
Common use cases
- Escape user-facing snippets before placing them into HTML templates.
- Decode entity-heavy content copied from CMS editors or emails.
- Verify named and numeric entities when cleaning imported markup text.
- Prepare examples for docs or tickets where you must show raw tags without executing them in a rich editor.
Common mistakes to avoid
Escaping content multiple times
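Double encoding creates unreadable output: an ampersand encoded twice becomes &amp;amp; in the source and shows up as a literal &amp; on the rendered page. Encode once at the right rendering boundary.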
Decoding untrusted text too early
Decode only where needed. Premature decoding can reintroduce unsafe characters into rendering pipelines.
Assuming all entities are named
Some sources use numeric entities. Ensure your decode step handles both named and numeric forms.
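The three mistakes above, shown as an added JavaScript example that is not this tool's own code: a single-pass encoder, a decoder that accepts named, decimal and hex references, and a check for how many times a string has been encoded. The function names and the small named-entity table are assumptions; the page's decoder uses the browser's parser, which knows the full entity list.

```javascript
// Added example: names and the small NAMED table are assumptions.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single pass: the '&' of an entity just produced is never escaped again.
function encodeEntities(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// A few named entities only; a browser's parser knows the full list.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", copy: '\u00A9' };
const REFERENCE = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;

// Decodes named, decimal and hex references in one pass. Replacement output
// is not rescanned, so "&amp;lt;" becomes the text "&lt;", not "<".
function decodeEntities(text) {
  return String(text).replace(REFERENCE, (match, body) => {
    if (body[0] !== '#') {
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // NUL, surrogates and out-of-range values are left as written.
    const invalid = code === 0 || code > 0x10FFFF || (code >= 0xD800 && code <= 0xDFFF);
    return invalid ? match : String.fromCodePoint(code);
  });
}

// Counts decode passes until the text stops changing: 0 = no references,
// 1 = encoded once, 2 or more = a hint that it was encoded repeatedly
// (text that legitimately shows "&lt;" also reports 2).
function encodingDepth(text, maxPasses = 5) {
  let current = String(text);
  for (let depth = 0; depth < maxPasses; depth += 1) {
    const next = decodeEntities(current);
    if (next === current) return depth;
    current = next;
  }
  return maxPasses;
}

console.log(encodeEntities('<b title="x">Tom & Jerry</b>'));
console.log(encodeEntities(encodeEntities('&')));     // double encoded
console.log(decodeEntities('&copy; &#169; &#xA9;'));  // named, decimal, hex
console.log(encodingDepth('&amp;lt;b&amp;gt;'));
```

A depth of 2 or more is a reason to look at where the text was encoded, not a signal to keep decoding until it looks clean: each extra decode pass on untrusted text is the premature decoding described above.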
FAQ
When should I encode HTML entities?
Encode when inserting plain text into HTML contexts so symbols like angle brackets and quotes are treated as content, not markup.
Why does decoded text look different from source code?
Decoded text turns entities back into literal characters. That is expected when moving from safe markup representation to readable text.
Is entity conversion performed server-side?
No. Encode and decode operations on this page run in your browser.
Does encoding here prevent XSS in my app?
It helps you produce escaped text, but security depends on where and how you render. Always use your framework’s contextual escaping, Content-Security-Policy, and trusted types—do not rely on a single manual encode step for untrusted input.