HTML Entities Encoder & Decoder

Escape special characters into safe HTML entities — or decode named and numeric entities back to plain text — instantly.

🔒 Runs entirely in your browser

How it works

Browsers treat characters like <, > and & as markup. To show them as literal text — or to keep your HTML valid — those characters must be written as entities.

1

Pick a mode

Choose Encode to turn text into HTML-safe entities, or Decode to turn entities back into readable text.

2

Type or paste

Your result updates live as you type — no button to press. An ampersand becomes &amp;, a less-than sign becomes &lt;.

3

Copy it

Hit Copy to grab the result and drop it straight into your HTML, template or CMS.

Named or numeric entities?

Encoding always escapes the five markup-sensitive characters as named entities — &amp;, &lt;, &gt;, &quot; and &#39; (the apostrophe). With the option enabled, every non-ASCII character (accented letters, symbols, emoji) is also written as a numeric entity like &#233;, which is the most portable form across old email clients and legacy encodings.

How does decoding work?

Decoding is handed to the browser's own HTML parser, so it understands the full set of named entities (&copy;, &mdash;, &hearts; and hundreds more) as well as decimal (&#169;) and hexadecimal (&#xA9;) references — exactly the way a real web page would render them.

🔒

Private by design. Everything happens right here in your browser. Nothing you type is ever uploaded — we never see it.

Frequently Asked Questions

What are HTML entities and why do I need them?
Browsers treat characters like <, > and & as markup. To show them as literal text — or to keep your HTML valid — those characters must be written as entities such as &lt;.
What's the difference between named and numeric entities?
Named entities use words, like &amp; for an ampersand. Numeric entities use a code number, like &#233; for é. Numeric entities are the most portable form across older email clients and legacy encodings.
Which characters get encoded?
The five markup-sensitive characters — &, <, >, quotes and apostrophes — are always escaped. With the extra option on, accented letters, symbols and emoji are also written as numeric entities.
Can it decode entities back to plain text?
Yes. Decoding understands the full set of named entities plus decimal and hexadecimal references, turning them back into the exact characters a real web page would show.
Does this protect against cross-site scripting?
Encoding user text before putting it in a page is one important step, but full protection depends on where and how you insert it. Treat this as a handy helper, not a complete security solution.
Is my text uploaded anywhere?
No. Everything happens entirely in your browser on your own device. Nothing you type is ever uploaded, and we never see it.