HTML Entity Encoder/Decoder

Convert special characters to and from HTML entities.

Examples

Input: <script>alert("xss")</script>
Result: &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;

Input: Tom & Jerry
Result: Tom &amp; Jerry

Input: Price: 5 < 10 > 3
Result: Price: 5 &lt; 10 &gt; 3

Input: &copy; 2024 Acme Inc.
Result: © 2024 Acme Inc.

About this tool

HTML entities are a way to represent special characters in HTML source code. The most common ones are &lt; for <, &gt; for >, and &amp; for &. Without encoding, these characters would be interpreted as HTML tags or syntax rather than displayed as text. This is both a correctness issue and a security concern, since user input written into a page without escaping is the root cause of XSS attacks.

This tool converts text to HTML entities and back. The encoder handles the five mandatory characters plus any non-ASCII characters you might want to represent as numeric entities. The decoder parses both named entities (like &copy;) and numeric entities (like &#169; or &#xA9;) back into their original characters. This is useful when you are debugging HTML output, sanitizing content for display, or reading escaped text from an API response.
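
The encoder and decoder described above, as an added JavaScript sketch (not EchoBeaver's own code). The function names, the nonAscii option and the short NAMED table are assumptions made for the example; a real decoder needs the full HTML named-entity list.

```javascript
// Added example. ESCAPES holds the five mandatory characters; NAMED is a
// small constructed subset of the named-entity table. Maps are used so a
// reference such as "&constructor;" cannot hit Object.prototype.
const ESCAPES = new Map([
  ["&", "&amp;"], ["<", "&lt;"], [">", "&gt;"], ['"', "&quot;"], ["'", "&#39;"],
]);
const NAMED = new Map([
  ["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"], ["copy", "\u00A9"],
]);

// Encode the five mandatory characters; with nonAscii set, also turn every
// non-ASCII code point into a decimal numeric entity.
function encodeEntities(text, { nonAscii = false } = {}) {
  let out = "";
  for (const ch of text) {            // for...of walks code points, so a
    const cp = ch.codePointAt(0);     // surrogate pair is encoded as one entity
    if (ESCAPES.has(ch)) out += ESCAPES.get(ch);
    else if (nonAscii && cp > 0x7f) out += `&#${cp};`;
    else out += ch;
  }
  return out;
}

// Decode named, decimal and hexadecimal references in a single pass, so
// "&amp;lt;" becomes the text "&lt;" and is never decoded a second time to "<".
function decodeEntities(text) {
  const ref = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;
  return text.replace(ref, (match, body) => {
    if (body[0] !== "#") return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === "x" || body[1] === "X";
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // Zero, surrogates and values past U+10FFFF are not characters; emit
    // U+FFFD. (The 0x80-0x9F Windows-1252 remapping is not handled here.)
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return "\uFFFD";
    return String.fromCodePoint(cp);
  });
}
```

Escaping like this covers HTML text and quoted attribute values; data placed inside script blocks, URLs or CSS needs the encoding for that context instead.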

Frequently asked questions

Which characters must be escaped in HTML?

At minimum, you need to escape < (&lt;), > (&gt;), & (&amp;), " (&quot;), and ' (&#39;). These five characters have special meaning in HTML and can break your markup or create XSS vulnerabilities if left unescaped.

What is the difference between named and numeric HTML entities?

Named entities like &amp; are human-readable aliases. Numeric entities like &#38; or &#x26; reference the Unicode code point directly. They produce the same result, but named entities are easier to read in source code.

Do I need to convert HTML entities when working with a framework like React or Vue?

Modern frameworks auto-escape text content in templates, so you generally do not need to manually encode entities. You only need to worry about it when inserting raw HTML via v-html or dangerouslySetInnerHTML.

EchoBeaver — Free browser tools