HTML Entity Encoder / Decoder
Escape text to HTML entities, or decode entities back to characters.
About HTML Entity Encoder / Decoder
HTML Entity Encoder / Decoder either escapes characters that have special meaning in HTML into their entity form, or resolves entities back into the underlying characters. Encoding lets you safely drop arbitrary text — a user comment, an error message containing < or & — into an HTML page without breaking the markup or opening an injection hole. Decoding turns escaped HTML back into the plain text a human would read.
Worked example: the string '<p>Tom & Jerry</p>' encodes to '<p>Tom & Jerry</p>', which a browser renders exactly as that literal text rather than parsing it as a paragraph. Going the other way, '© 2026 — Mello' decodes to '© 2026 — Mello'. The five HTML-unsafe characters — & < > " ' — are always handled; non-ASCII characters can optionally be encoded too.
Two switches control the output. Named vs numeric entities chooses between the readable form (©, &) and the universal form (©, &) — named entities are friendlier in source, numeric ones work everywhere regardless of the document's entity set or DOCTYPE. Minimal vs all controls how much is escaped: minimal only touches the five unsafe characters, while all also escapes every non-ASCII character (useful when you cannot rely on the document being UTF-8). One thing to remember: escaping for HTML body content is not the same as escaping for an HTML attribute, a URL, or a JavaScript string — context-appropriate encoding is what actually prevents XSS.
Encoding and decoding both run in your browser, using the native HTML parser for decoding so every standard named entity is resolved. Drafts and unpublished copy are never uploaded.