HTML Entity Encoder & Decoder (Convert HTML Characters Online)
Easily translate confusing HTML entities (like &lt; or &quot;) back into their actual readable characters, or secure your text by converting standard characters into HTML entities to prevent XSS (Cross-Site Scripting) attacks.
100% Private & Secure
This tool runs completely inside your browser using client-side WebAssembly and JS. Zero data is ever sent to our servers.
How to use this tool
- Type or paste your text into the input field above.
- Click 'Decode Entities' to translate entities like '&lt;div&gt;' back into '<div>'.
- Click 'Encode to Entities' to convert regular HTML tags into their safe entity representation.
- Click the copy button to copy the transformed output to your clipboard.
Example Usage
&lt;script&gt;alert(1)&lt;/script&gt;
<script>alert(1)</script>
John &amp; Doe &quot;The Brothers&quot;
John & Doe "The Brothers"
When to use this tool
- Sanitizing user input to prevent XSS vulnerabilities before saving to a database.
- Reading raw HTML source code that has been escaped in JSON payloads.
- Displaying raw HTML or XML code snippets safely on a webpage via encoding.
- Extracting readable text from a scraped web page.
Frequently Asked Questions
What is the difference between HTML escaping and URL encoding?
HTML escaping converts special characters into entities (like &lt; for <) specifically so the browser doesn't execute them as HTML tags. URL encoding (or percent-encoding) converts unsafe characters into hex codes (like %20 for space) specifically so they can be safely transmitted over HTTP inside a web address.
Which characters are absolutely necessary to encode for security?
To prevent XSS (Cross-Site Scripting), you must encode at least five critical characters before injecting user input into an HTML document: the ampersand (& → &amp;), less-than (< → &lt;), greater-than (> → &gt;), double quote (" → &quot;), and single quote (' → &#39;).
How does the browser natively decode HTML entities?
Our tool utilizes an ultra-safe native browser technique: it creates an invisible text node in memory, assigns the encoded text to its innerHTML, and then safely extracts the textContent. This ensures 100% accuracy with every single esoteric named or numeric HTML entity recognized by modern browsers.
What is the difference between named, decimal, and hex entities?
A single character can be encoded three ways. For the copyright symbol (©), the named entity is &copy;, the decimal numeric reference is &#169;, and the hexadecimal reference is &#xA9;. All three methods are valid and perfectly decoded by this tool.
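An added example, not this tool's own code: a DOM-free JavaScript encoder for the five characters listed above, and a decoder that resolves named, decimal and hex references in exactly one pass. The function names and the small named-entity table are assumptions made for illustration; browsers recognise far more named entities.

```javascript
// Added example. Names below are illustrative, not taken from the tool.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Small subset for the demo; the HTML standard defines over 2,000 named references.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", copy: '\u00A9', nbsp: '\u00A0' };

// One regex pass over the input: an '&' produced by a replacement is never
// seen again, so output cannot be double-encoded (no '&amp;lt;' from '<').
function encodeEntities(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

// Numeric references for NUL, surrogates, or values above U+10FFFF become
// U+FFFD (the replacement character), which is also what browsers emit.
function fromCodePoint(cp) {
  const invalid = !Number.isInteger(cp) || cp === 0 || cp > 0x10FFFF ||
                  (cp >= 0xD800 && cp <= 0xDFFF);
  return invalid ? '\uFFFD' : String.fromCodePoint(cp);
}

// Decodes exactly once. '&amp;lt;' becomes the text '&lt;', not '<'.
// Decoding repeatedly until nothing changes would turn escaped markup
// back into live markup, which is a common filter-bypass bug.
function decodeEntities(text) {
  const ref = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g;
  return String(text).replace(ref, (match, hex, dec, name) => {
    if (hex !== undefined) return fromCodePoint(parseInt(hex, 16));
    if (dec !== undefined) return fromCodePoint(parseInt(dec, 10));
    // Own-property check so names like 'constructor' are not resolved
    // through Object.prototype; unknown names are left untouched.
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
  });
}

// Constructed sample input: the encoded form is inert text when rendered.
const sample = '<img src=x onerror="alert(\'1\')"> & more';
console.log(encodeEntities(sample));
console.log(decodeEntities('&copy; &#169; &#xA9;')); // three spellings of one character
```

The encoder covers HTML text and quoted attribute values only; values placed in URLs, inline scripts or CSS need the encoding for that context instead.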
Will decoding HTML entities execute external scripts?
No. Our decoder processes the text within an inert sandbox, completely detached from the live DOM (Document Object Model). Even if you decode an entity representing a malicious <script> tag, it is treated strictly as plain text, ensuring your browser remains completely secure.