
HTML Entity Encoder & Decoder

Encode raw HTML into safe entity-escaped text (&amp; &lt; &gt;) or decode HTML entities back to plain text. Runs entirely in your browser — nothing is sent to any server.

Common HTML Entity Reference

Character    Entity    Description
&            &amp;     Ampersand
<            &lt;      Less-than
>            &gt;      Greater-than
"            &quot;    Double quote
'            &#39;     Single quote
(U+00A0)     &nbsp;    Non-breaking space
©            &copy;    Copyright
®            &reg;     Registered trademark
™            &trade;   Trademark
€            &euro;    Euro sign

How to Use the HTML Entity Encoder & Decoder

The Encode panel converts raw HTML or text containing special characters into their HTML entity equivalents. The Decode panel reverses the process, converting entity-escaped text back to its original form. Both panels update in real time as you type.

The 5 Essential HTML Characters to Encode

HTML has five characters that must always be encoded when they appear as content (not markup):

Character    Entity    Why Encode?
&            &amp;     Start of every HTML entity — must be escaped first
<            &lt;      Interpreted as start of a tag by all browsers
>            &gt;      Interpreted as end of a tag; less critical but required
"            &quot;    Must be escaped inside double-quoted attribute values
'            &#39;     Must be escaped inside single-quoted attribute values

HTML Encoding for Security (XSS Prevention)

Cross-Site Scripting (XSS) is the most common web security vulnerability, and improper HTML encoding is its root cause. If user-generated content is inserted into a page without encoding, an attacker can inject <script> tags or event handlers that steal cookies, redirect users, or perform actions on their behalf.

Always encode output, using the encoding that matches the context, when inserting untrusted data into:

  • HTML element content (between tags)
  • HTML attribute values
  • JavaScript strings embedded in HTML
  • CSS values embedded in HTML
  • Server-rendered templates (Handlebars, Jinja, Blade, etc.)

Modern frameworks like React and Next.js escape HTML by default when rendering JSX. However, using dangerouslySetInnerHTML bypasses this protection and requires manual encoding.

HTML Entities in Structured Data (JSON-LD)

JSON-LD structured data embedded in <script type="application/ld+json"> tags does NOT need HTML encoding — JSON uses its own escaping (backslash sequences). The HTML parser still ends the script element at a literal </script> inside a JSON string, so escape < as \u003c in JSON that carries untrusted text. However, if you embed JSON-LD inside an HTML attribute or use microdata instead, HTML encoding applies. This tool is particularly useful for encoding example markup in SEO documentation or blog posts where code blocks show raw HTML.

Decoding HTML Entities

The decode panel handles:

  • Named entities: &amp; &lt; &gt; &quot; &nbsp; &copy; &reg;
  • Decimal numeric entities: &#169; → ©
  • Hexadecimal numeric entities: &#xA9; → ©

Decoding is useful when parsing HTML from APIs, scraping content, or reading email source code where entities appear as raw text.
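
The encode and decode behaviour described above (the five essential characters, and named, decimal and hexadecimal entities), as an added JavaScript example that is not the tool's own code. The function names, the NAMED table (limited to the entities in this page's reference table) and the sample string are assumptions made for illustration.

```javascript
// Added example, not the tool's source. Names below are illustrative.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Assumption: only the named entities from the page's reference table.
// A complete decoder would use the full HTML named-character list.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', nbsp: '\u00A0',
                copy: '\u00A9', reg: '\u00AE', trade: '\u2122', euro: '\u20AC' };

// Single pass: every input character is replaced at most once, so the '&'
// written by one replacement is never escaped again by a later one.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

// Numeric references outside Unicode, zero, or in the surrogate range
// become U+FFFD instead of throwing or producing a lone surrogate.
function fromCodePoint(cp) {
  const invalid = !Number.isInteger(cp) || cp <= 0 || cp > 0x10FFFF ||
                  (cp >= 0xD800 && cp <= 0xDFFF);
  return invalid ? '\uFFFD' : String.fromCodePoint(cp);
}

// Also a single pass: '&amp;lt;' decodes to the text '&lt;', never to '<'.
// Decoding twice is how escaped markup turns back into live markup.
function decodeEntities(text) {
  return String(text).replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi,
    (match, hex, dec, name) => {
      if (hex !== undefined) return fromCodePoint(parseInt(hex, 16));
      if (dec !== undefined) return fromCodePoint(parseInt(dec, 10));
      // Unknown names are left as written rather than guessed at.
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
    });
}

// Constructed sample input containing all five essential characters.
const SAMPLE = `<b title="x">Tom & 'Jerry'</b>`;
console.log(escapeHtml(SAMPLE));
console.log(decodeEntities(escapeHtml(SAMPLE)) === SAMPLE);
```

Decoded text is untrusted again: pass it back through escapeHtml before placing it into HTML.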

Frequently Asked Questions

What are HTML entities and why do they matter?

HTML entities are special codes used to represent characters that have special meaning in HTML (like < > &) or that cannot be typed directly. For example, < must be written as &lt; inside HTML content, otherwise the browser interprets it as the start of a tag. Using HTML entities correctly prevents broken markup, cross-site scripting (XSS) vulnerabilities, and rendering errors.

When should I encode HTML in my website content?

You should HTML-encode any user-generated content, data from APIs, or text that will be inserted into HTML. This includes: content displayed in innerHTML, attribute values, JSON-LD structured data containing HTML, email bodies rendered as HTML, and code snippets shown in articles. Modern frameworks like React and Next.js escape HTML by default, but raw innerHTML assignments or server-rendered templates require manual encoding.

What is the difference between HTML encoding and URL encoding?

HTML encoding converts characters like <, >, & into HTML entities (&lt;, &gt;, &amp;) for safe display in HTML documents. URL encoding converts characters into percent-encoded sequences (%3C, %3E, %26) for safe transmission in URLs. Both are needed in different contexts: use HTML encoding for content inside HTML, and URL encoding for query parameter values and URL paths.

Does this tool handle Unicode / emoji characters?

This tool encodes the five critical HTML characters (&, <, >, ", '). Unicode characters and emoji do not need to be entity-encoded in modern UTF-8 HTML documents — they can be included as literal characters as long as the page declares charset=UTF-8 in the meta tag. The decode panel also handles numeric entities (&#123; or &#x7B;) and common named entities like &nbsp; &copy; &reg;.
