HTML Entity Encoder / Decoder

The HTML Entity Encoder / Decoder converts characters to HTML entities and back. HTML uses certain characters as syntax — < and > delimit tags, & starts entities, " and ' delimit attribute values. If you want to display these characters as literal text inside an HTML page (for example, showing a code snippet, displaying a math expression, or rendering user-generated content), they must be escaped to their entity equivalents: < becomes &lt;, > becomes &gt;, & becomes &amp;, " becomes &quot;.

Escaping is also your first line of defense against cross-site scripting (XSS). When you insert untrusted text into a web page, failing to escape it lets an attacker inject <script> tags that execute in your visitors' browsers. Proper HTML escaping neutralizes those injections by turning < into &lt;, so the browser renders the text instead of executing it.

This tool escapes the five most important characters (<, >, &, ", ') which is sufficient for safe insertion into both HTML body content and attribute values. The decoder reverses the process, converting named entities like &lt; &gt; &amp; &quot; &#39; back to their characters. It also handles numeric entities like &#60; and &#x3C;.

The interface is bidirectional and live. Paste raw text to escape it, or paste entity-encoded text to decode. Everything runs locally in your browser — your snippets and code never leave your device.