How to Encode and Decode HTML Entities
To encode and decode HTML entities, use an online HTML entity converter that escapes special characters to their HTML entity equivalents and decodes them back. Our HTML Encode/Decode tool handles all named and numeric HTML entities instantly.
What Are HTML Entities?
HTML entities are special codes used to display reserved characters in HTML. They begin with an ampersand (&) and end with a semicolon (;).
Common HTML entities:
- `&lt;` represents `<` (less than)
- `&gt;` represents `>` (greater than)
- `&amp;` represents `&` (ampersand)
- `&quot;` represents `"` (double quote)
- `&apos;` represents `'` (single quote/apostrophe)
Entities can be named (`&amp;`) or numeric (`&#38;`). Both represent the same character.
Why HTML Encoding Matters
HTML encoding serves several critical purposes:
- XSS prevention — prevent cross-site scripting attacks by escaping user input
- Syntax safety — display code examples without breaking HTML structure
- Special character display — show characters like ©, ®, € that are not on standard keyboards
- Data integrity — ensure user-submitted text displays correctly
- Email safety — prevent HTML injection in email content
- Template safety — safely insert dynamic values into HTML templates
Common Characters and Their Entities
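| Character | Named Entity | Numeric Entity |
|---|---|---|
| < | `&lt;` | `&#60;` |
| > | `&gt;` | `&#62;` |
| & | `&amp;` | `&#38;` |
| " | `&quot;` | `&#34;` |
| ' | `&apos;` | `&#39;` |
| © | `&copy;` | `&#169;` |
| ® | `&reg;` | `&#174;` |
| € | `&euro;` | `&#8364;` |
| ™ | `&trade;` | `&#8482;` |
| Space (non-breaking) | `&nbsp;` | `&#160;` |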
How to Encode and Decode HTML Entities Online (Step-by-Step)
Encoding
- Open the HTML Encode/Decode tool
- Type or paste text containing HTML special characters
- The encoded version appears instantly
- Copy the encoded HTML for use in your pages
Decoding
- Paste HTML entity codes into the input area
- The decoded text appears instantly with entities converted to characters
- Copy the decoded text
HTML Encoding and Security
HTML encoding is your first defense against cross-site scripting (XSS) attacks:
Unsafe (Vulnerable to XSS)
<div>{{ user_input }}</div>
If user_input is <script>alert('xss')</script>, the script executes.
Safe (HTML Encoded)
<div>{{ encode(user_input) }}</div>
The same input becomes `&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;` and displays safely as text.
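The unsafe and safe templates above, as an added JavaScript example that is not part of the original article or its tool: `encodeHtml`, `decodeHtml`, `renderUnsafe` and `renderSafe` are hypothetical names, and the decoder knows only the named entities from the table on this page. It goes slightly beyond the five-character case by also decoding decimal and hex numeric entities and by leaving unknown or invalid references untouched.

```javascript
// Added example: minimal HTML entity encoder/decoder (all names are illustrative).
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                copy: '\u00A9', reg: '\u00AE', euro: '\u20AC', trade: '\u2122', nbsp: '\u00A0' };

// Encode in a single pass so an '&' produced by one replacement is never
// re-encoded by a later one (the classic double-encoding bug).
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Decode named, decimal (&#60;) and hex (&#x3C;) entities, also in one pass,
// so "&amp;lt;" decodes to the text "&lt;" and not to "<".
function decodeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') {
      // Entity names are case-sensitive; unknown names are left as written.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Leave out-of-range or NUL references untouched instead of throwing.
    return code > 0 && code <= 0x10FFFF ? String.fromCodePoint(code) : match;
  });
}

// Hypothetical stand-ins for the {{ user_input }} and {{ encode(user_input) }} templates.
const renderUnsafe = (userInput) => `<div>${userInput}</div>`;
const renderSafe = (userInput) => `<div>${encodeHtml(userInput)}</div>`;

// Constructed sample input: the same payload the article uses.
const payload = "<script>alert('xss')</script>";
console.log(renderUnsafe(payload)); // markup reaches the parser as a real <script> element
console.log(renderSafe(payload));   // markup is inert text
console.log(decodeHtml(encodeHtml(payload)) === payload); // round trip is lossless
```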
FAQ
What is the difference between encoding and escaping?
They are the same concept in this context. HTML encoding (or escaping) converts special characters to their entity equivalents so they display as text rather than being interpreted as HTML.
Should I encode all user input?
Yes. Any text from users that will be displayed on a web page should be HTML-encoded to prevent XSS attacks and ensure correct display.
What is XSS?
Cross-site scripting (XSS) is a security vulnerability where attackers inject malicious scripts into web pages. HTML encoding prevents XSS by ensuring user input is treated as text, not code.
Do I need to encode URLs in HTML?
URL attribute values should be URL-encoded (percent-encoding), not HTML-encoded. Use href="https://example.com?q=hello%20world" rather than HTML-encoding the entire URL.
What about HTML entities in JavaScript?
JavaScript uses different escaping than HTML. In JavaScript strings, use \x3C or \u003C for < rather than `&lt;`.
Can I use HTML entities in Markdown?
HTML entities work in Markdown. Markdown processors pass through HTML entities, so you can use `&copy;` in Markdown to display ©.
Try our free HTML Encode/Decode tool to encode special characters and decode HTML entities instantly.