HTML Entity Encode / Decode

Encode the five special HTML characters to entities, optionally escape all non-ASCII, or decode named, decimal, and hex entities back to text.


Escape the five reserved HTML characters (&, <, >, ", ') to safe entities, or decode named, decimal, and hex entities back to plain text. Turn on "encode all non-ASCII" to convert every character above U+007F to a numeric entity. Decoding uses the browser's own HTML parser, so every entity it understands resolves correctly, and all processing stays in your browser.

What is HTML Entity Encode / Decode?

HTML Entity Encode / Decode is a free online tool that converts text to HTML entities and back. Encode mode escapes the five reserved HTML characters, ampersand (&amp;), less-than (&lt;), greater-than (&gt;), double quote (&quot;) and apostrophe (&#39;), so the text can be placed in HTML body content or a double-quoted attribute value without breaking the page or opening an XSS hole. Decode mode resolves entities in any form: named references like &copy; and &nbsp;, decimal references like &#169;, and hexadecimal references like &#xA9;. Web developers, technical writers, and CMS editors use it to paste code samples into HTML, escape user-supplied strings for HTML output, or read an entity-heavy snippet copied from a feed or export back as plain text. Switch between Encode and Decode with the segmented toggle, and open Settings to enable "encode all non-ASCII" when you also want accented letters, CJK characters, and emoji turned into numeric entities.

How to use HTML Entity Encode / Decode

  1. Choose Encode or Decode with the segmented toggle at the top.
  2. Paste or type your text into the Input box; the result appears live in the read-only Output box below.
  3. For encoding, open Settings and tick "encode all non-ASCII" if you also want every character above U+007F turned into a numeric &#NNN; entity.
  4. Click the copy button on the Output field to copy the encoded or decoded result.
  5. Click Swap to move the output into the input and flip the mode for a round-trip check, or Clear to reset the input.

Examples

Encode the five reserved characters

Input

<a href="x">Tom & Jerry's</a>

Output

&lt;a href=&quot;x&quot;&gt;Tom &amp; Jerry&#39;s&lt;/a&gt;

Decode mixed named, decimal, and hex entities

Input

100&nbsp;&#37; &#x263A; &copy;

Output

100 % ☺ ©

Encode all non-ASCII to numeric entities

Input

Café & 日本

Output

Caf&#233; &amp; &#26085;&#26412;

Frequently asked questions

Which characters does encode mode escape?
By default it escapes only the five characters that have special meaning in HTML: & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot;, and ' becomes &#39;. The ampersand is converted first so entities it produces are not double-escaped. Enable "encode all non-ASCII" in Settings to also turn every character above U+007F into a numeric &#NNN; entity.

What kinds of entities can decode mode resolve?
All three forms: named references such as &amp;, &nbsp;, &copy; and &mdash;; decimal numeric references such as &#169;; and hexadecimal numeric references such as &#xA9;. Decoding hands the text to the browser's built-in HTML parser, so any entity the browser recognizes resolves the same way it would on a real page.

Does encoding protect against XSS?
Escaping &, <, >, ", and ' is the core defense for placing untrusted text into HTML body content and double-quoted attribute values, which is exactly what this tool does. It is not a full sanitizer for every context (for example unquoted attributes, URLs, or inline scripts), so treat it as encoding for standard HTML output, not a complete security framework.

Does it handle emoji and characters outside the basic plane?
Yes. Encoding walks the text by Unicode code point, so surrogate pairs like emoji are encoded as a single correct &#NNN; entity rather than two broken halves, and decoding turns numeric entities back into the original characters.

Is my text uploaded to a server?
No. Both encoding and decoding run entirely in your browser — encoding with a character map and decoding with a detached textarea that is never attached to the page, so no scripts run. Nothing is uploaded, stored, or sent anywhere, making it safe for private code, internal copy, and unpublished content.
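
The encoding rules from the FAQ answers above (ampersand handled before the other characters, non-ASCII text walked by code point), as an added JavaScript example that is not the tool's own source. All function names are hypothetical, and replacing a lone surrogate with U+FFFD is a choice made for this example.

```javascript
// Added example, not the tool's own source; all names are hypothetical.
const RESERVED = new Map([
  ["&", "&amp;"], ["<", "&lt;"], [">", "&gt;"], ['"', "&quot;"], ["'", "&#39;"],
]);

// Single pass over code points: every input character is mapped exactly once,
// so an "&" that the encoder itself emits is never escaped a second time.
function encodeEntities(text, { allNonAscii = false } = {}) {
  let out = "";
  for (const ch of text) { // for...of yields whole code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    if (RESERVED.has(ch)) {
      out += RESERVED.get(ch);
    } else if (allNonAscii && cp > 0x7f) {
      // A lone surrogate is not a valid character reference; HTML parsers
      // turn it into U+FFFD, so emit that explicitly (choice of this example).
      const lone = cp >= 0xd800 && cp <= 0xdfff;
      out += `&#${lone ? 0xfffd : cp};`;
    } else {
      out += ch;
    }
  }
  return out;
}

// Chained replace() calls depend on order. Ampersand first is correct.
function encodeChained(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Ampersand last re-escapes the "&" of entities produced by earlier steps.
function encodeAmpersandLast(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;").replace(/&/g, "&amp;");
}

// Walking UTF-16 code units instead of code points splits an emoji in two.
function encodeByCodeUnit(text) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const u = text.charCodeAt(i);
    out += u > 0x7f ? `&#${u};` : text[i];
  }
  return out;
}
```

`encodeAmpersandLast` and `encodeByCodeUnit` are included only as the incorrect variants: the first double-escapes, the second emits two surrogate-half entities for one emoji.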
