webby.tools

HTML Entity Encoder / Decoder

Paste text to encode special characters as HTML entities (e.g. < becomes &lt;), or paste HTML with entities to decode them back to readable text. Useful for displaying code in HTML, escaping user input, and debugging HTML output.


What Are HTML Entities?

HTML entities are special sequences used to represent characters that have a meaning in HTML markup or cannot otherwise be typed directly. They begin with an ampersand (&) and end with a semicolon (;). There are two forms:

  • Named entities: &amp; for &, &lt; for <, &nbsp; for a non-breaking space, etc.
  • Numeric entities: &#60; (decimal) or &#x3C; (hex) both represent <.

When you need to display a literal <script> tag on a webpage without the browser treating it as code, you encode it as &lt;script&gt;. This is also a fundamental security technique — encoding user-supplied content before rendering it in HTML prevents cross-site scripting (XSS) attacks.

When Should You Encode HTML Entities?

  • Displaying code snippets — Any time you show HTML or XML source code in a webpage, encode the markup characters.
  • User-generated content — Always encode text from untrusted sources before inserting it into an HTML document to prevent XSS.
  • Email templates — Some email clients require entities for special characters like &copy; (©) and &mdash; (—).
  • Attributes — Quotes and ampersands inside HTML attribute values must be encoded.

If you work with URLs rather than HTML markup, the URL encoder / decoder handles percent-encoding for query strings and path segments.

Common HTML Entities Reference

Character  Entity Name  Numeric   Description
&          &amp;        &#38;     Ampersand
<          &lt;         &#60;     Less than
>          &gt;         &#62;     Greater than
"          &quot;       &#34;     Double quote
'          &apos;       &#39;     Apostrophe
           &nbsp;       &#160;    Non-breaking space
©          &copy;       &#169;    Copyright
®          &reg;        &#174;    Registered trademark
—          &mdash;      &#8212;   Em dash
–          &ndash;      &#8211;   En dash

Frequently Asked Questions

What is the difference between minimal and full encoding?

Minimal encoding converts only the five characters that must be escaped in HTML: &, <, >, ", and '. This is safe for most use cases. Full encoding additionally converts all non-ASCII characters (accented letters, currency symbols, emoji, etc.) to numeric entities, which ensures compatibility with older systems or strict ASCII documents.

Does this tool handle &nbsp; and other named entities when decoding?

Yes. The decoder recognizes all standard named HTML entities including &nbsp;, &copy;, &mdash;, and hundreds more, as well as numeric decimal and hex entities.
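
The two encoding modes and the three entity forms described above can be sketched as follows. This is an added example, not this tool's source code; the function names and the small named-entity table are assumptions made for illustration.

```javascript
// Added example (not this tool's source). Function names are illustrative.
// The five characters minimal encoding escapes. &#39; is used for the
// apostrophe because &apos; is not defined in HTML 4.
const MINIMAL = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Constructed subset of the named-entity table; a real decoder needs the
// full HTML list. A Map avoids matching inherited keys such as "constructor".
const NAMED = new Map(Object.entries({
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0',
  copy: '\u00A9', reg: '\u00AE', mdash: '\u2014', ndash: '\u2013',
}));

function encodeEntities(text, { full = false } = {}) {
  let out = '';
  // for...of walks code points, so an emoji stored as a surrogate pair
  // becomes one numeric entity rather than two invalid halves.
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    if (cp < 0x80) out += MINIMAL[ch] || ch;
    else out += full ? `&#${cp};` : ch;
  }
  return out;
}

function decodeEntities(html) {
  // One pass only: "&amp;lt;" must decode to the text "&lt;", never to "<".
  const pattern = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;
  return String(html).replace(pattern, (match, body) => {
    if (body[0] !== '#') return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // Simplification: NUL, surrogates and out-of-range values are left as
    // written instead of being mapped the way a browser parser would.
    const ok = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return ok ? String.fromCodePoint(cp) : match;
  });
}

// Constructed sample input.
const sample = '<img alt="caf\u00E9 \u{1F600}">';
console.log(encodeEntities(sample));
console.log(encodeEntities(sample, { full: true }));
console.log(decodeEntities('&lt;b&gt; &#60; &#x3C; &amp;lt; &nbsp;&copy;'));
```

Decoding runs in a single pass on purpose: decoding repeatedly would turn already-escaped text such as &amp;lt; back into live markup.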

Is encoding user input enough to prevent XSS?

HTML entity encoding is the primary defense when inserting untrusted text into HTML content. However, a complete XSS prevention strategy also requires context-aware encoding for JavaScript, CSS, and URL contexts, plus a strong Content Security Policy. This tool is meant for manual conversion; your web framework should handle encoding automatically in most cases.
