HTML Entity Encoder/Decoder

Encode text to HTML entities to prevent XSS, or decode entities back to plain text — supports named, decimal and hex entity formats.


Common HTML entities reference

Character | Named | Numeric | Use case
& | &amp; | &#38; | Ampersand in text
< | &lt; | &#60; | Less-than / opening tag
> | &gt; | &#62; | Greater-than / closing tag
" | &quot; | &#34; | Double quote in attribute values
' | &apos; | &#39; | Single quote in attribute values
U+00A0 | &nbsp; | &#160; | Non-breaking space
© | &copy; | &#169; | Copyright symbol
® | &reg; | &#174; | Registered trademark
™ | &trade; | &#8482; | Trademark symbol
— | &mdash; | &#8212; | Em dash (longer dash)

Frequently asked questions

Why do we need HTML entities?

HTML entities represent characters that have special meaning in HTML. The five critical ones are &amp; (&), &lt; (<), &gt; (>), &quot; ("), and &apos; ('). Without encoding, user-supplied text containing < or > would be interpreted as HTML tags, enabling XSS attacks. Entities also let you display special characters such as © and — that are not on standard keyboards.

What is the difference between named and numeric HTML entities?

Named entities use a mnemonic: &amp; for &, &copy; for ©. Numeric entities use the Unicode code point in decimal (&#38; for &) or hex (&#x26;). Named entities are more readable; numeric entities work for any Unicode character. Both are equivalent and all modern browsers support both.

What is the difference between HTML entity encoding and URL encoding?

HTML entity encoding is for text inside HTML documents — escaping characters that have special meaning in HTML. URL encoding (percent-encoding) is for text inside URLs — encoding characters not allowed in URLs (spaces become %20). They are completely different contexts: use HTML encoding inside HTML, URL encoding inside URLs.

Does HTML entity encoding prevent XSS?

HTML entity encoding prevents XSS when applied correctly in the right context. Encoding < to &lt; in HTML body content prevents script injection. Context matters: encoding is different for HTML attributes, JavaScript strings, CSS values, and URLs. A full XSS prevention strategy requires context-aware encoding.
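
The context point above, as an added example in JavaScript (not this tool's own code): an encoder for the five critical characters in named, decimal and hex form, a single-pass decoder, and a URL-attribute helper showing that entity encoding needs a scheme allow-list beside it. The names `encodeHtml`, `decodeHtml` and `safeHref`, the `#` fallback and the sample strings are assumptions made for illustration.

```javascript
// Added example; all names here are illustrative, not from the tool.
const NAMED = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
const DECODE = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);

// Encode the five critical characters as named, decimal or hex entities.
// Suitable for HTML body text and for quoted attribute values.
function encodeHtml(text, format = 'named') {
  return String(text).replace(/[&<>"']/g, (ch) => {
    const cp = ch.codePointAt(0);
    if (format === 'decimal') return `&#${cp};`;
    if (format === 'hex') return `&#x${cp.toString(16)};`;
    return NAMED[ch];
  });
}

// Decode numeric entities and the five named ones in a single pass, so
// "&amp;lt;" becomes "&lt;" and is not decoded a second time into "<".
function decodeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#\d+|[a-z][a-z0-9]*);/gi, (m, body) => {
    if (body[0] !== '#') return DECODE.has(body) ? DECODE.get(body) : m;
    const hex = body[1].toLowerCase() === 'x';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// URL-attribute context: entity encoding leaves the scheme untouched, so
// allow-list http/https first, then encode for the quoted attribute.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(url, 'https://example.invalid/'); // base resolves relative links
  } catch {
    return '#';
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return '#';
  return encodeHtml(url);
}

// Constructed sample input.
const comment = '<b>"Tom" & \'Jerry\'</b>';
console.log(encodeHtml(comment));            // HTML body / quoted attribute
console.log(encodeHtml(comment, 'hex'));     // same text, hex entities
console.log(decodeHtml(encodeHtml(comment)) === comment);
console.log(`<a href="${safeHref('/search?q=a&page=2')}">next</a>`);
```

JavaScript string and CSS value contexts need their own encoders; this block covers only HTML text, quoted attributes and URL attributes.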
