HTML Entity Encode & Decode
Encode or decode HTML entities. Convert special characters to HTML entities and vice versa. Supports named and numeric entities.
How to Use HTML Entity Encode & Decode
- Select Encode or Decode mode.
- Paste your HTML text in the input area.
- The result appears instantly.
- Click "Copy" to copy the result.
What are HTML Entities?
HTML entities are special character sequences that represent characters which have reserved meaning in HTML markup. Characters like <, >, &, and " are interpreted by browsers as HTML tags or attribute delimiters. To display these characters as literal text on a web page, they must be replaced with their entity equivalents. For example, < becomes &lt;, and & becomes &amp;. HTML entities also allow you to insert characters that are not easily typed on a keyboard, such as copyright symbols, accented letters, and mathematical operators.
How HTML Entity Encoding Works
HTML defines two types of entity references. Named entities use a human-readable label like &amp; for the ampersand or &copy; for the copyright symbol. Numeric entities use the character's Unicode code point in decimal (&#38;) or hexadecimal (&#x26;) form. Every entity begins with an ampersand and ends with a semicolon. When a browser encounters an entity, it replaces it with the corresponding character during rendering. Decoding reverses this process, converting entity references back into their original characters.
Common Use Cases
- Preventing XSS (Cross-Site Scripting) attacks by sanitizing user input
- Displaying HTML code snippets within web pages
- Inserting special characters like ©, ™, €, and £ symbols
- Embedding content inside HTML attributes without breaking the markup
- Preparing content for CMS platforms that require entity-encoded input
- Converting HTML content for use in email templates
HTML Entities and XSS Prevention
Cross-Site Scripting (XSS) is one of the most common web security vulnerabilities. It occurs when an application includes untrusted user input in its HTML output without proper encoding. An attacker could submit text containing <script> tags, and if the application renders it directly, the browser will execute the injected JavaScript. Encoding HTML entities is a critical layer of defense against XSS. By converting < to &lt; and > to &gt;, you ensure the browser displays the text rather than interpreting it as executable code.
However, HTML entity encoding alone is not sufficient for complete XSS protection. You also need to encode content differently depending on the context: HTML attributes, JavaScript strings, CSS values, and URLs each require their own encoding rules. Modern frameworks like React, Angular, and Vue handle most of this automatically by escaping output by default, but understanding the underlying mechanism is still essential for any web developer working with raw HTML or server-side rendering.
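As an added example (not the tool's own code), the encoder and decoder below show the mechanism described above in JavaScript: the encoder replaces the five characters with reserved meaning in HTML text and attribute contexts, and the decoder handles named, decimal and hexadecimal references. The named-entity table is a constructed subset, not the full HTML list, and the decoder requires the trailing semicolon.

```javascript
// Constructed subset of the HTML named-entity table (the real list has over 2000 names).
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", copy: "\u00A9", nbsp: "\u00A0" };

// Encode text for an HTML text node or a quoted attribute value.
// Quote characters are encoded too, so untrusted input cannot close an attribute.
function encodeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Decode &name;, &#decimal; and &#xhex; references back to characters.
// Unknown names and out-of-range code points are left as written.
function decodeHtml(text) {
  return String(text).replace(
    /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z]+));/g,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
      }
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
    }
  );
}

// Place untrusted input in a text-node context: the browser renders the
// angle brackets as text instead of parsing a <script> element.
function renderComment(untrusted) {
  return "<p>" + encodeHtml(untrusted) + "</p>";
}

module.exports = { encodeHtml, decodeHtml, renderComment };
```

Note that encoding already-encoded text produces `&amp;lt;`, which the browser shows as the literal text `&lt;`, so encode exactly once, at the point where the value is written into the HTML output.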
For escaping XML-specific characters, use our XML Escape Tool. To encode binary data for text-based transmission, try the Base64 Encoder. You can also encode special characters in URLs with the URL Encoder/Decoder.