HTML Encoder / Decoder

Encode special characters to HTML entities or decode entities back to characters.

Common HTML Entities

CharacterEntityName
<&lt;Less than
>&gt;Greater than
&&amp;Ampersand
"&quot;Double quote
'&#39;Single quote
 &nbsp;Non-breaking space
Copied!

About this tool

Convert special characters into HTML entities and back: < becomes &lt;, & becomes &amp;, quotes and angle brackets become their safe equivalents. Decoding reverses it, turning entity soup from a scraped page or CMS export back into readable text.

Everything runs locally in your browser — nothing you paste is sent anywhere.

When to use it

Worked example

You want to show the snippet <a href="page.html">link</a> in a blog post. Pasted raw into your HTML, the browser renders an actual link. Run it through the encoder and you get the escaped form — paste that into your page and readers see the code itself instead of a rendered link.

Frequently asked questions

Which characters actually need encoding?

Five do the heavy lifting: < and > (they open and close tags), & (it starts entities), and the two quote characters (they terminate attribute values). Encode those and text is safe to place in normal HTML content or attributes.

What's the difference between ' and '?

Both represent an apostrophe. ' is the numeric form and works everywhere; ' is a named entity that was technically absent from HTML 4, so older tooling sometimes chokes on it. When in doubt, numeric entities are the safer output.

Does encoding make user input fully XSS-safe?

It's the correct first step for HTML contexts, but context matters: text going into a JavaScript string, a URL, or a CSS value each needs its own escaping rules. Entity encoding alone doesn't cover those.

Why did my text come back double-encoded, like &lt;?

It was encoded twice — usually a sign that some layer in your pipeline already escaped it. Decode twice to recover the original, then find and remove the redundant encoding step.