HTML Entities Encoder/Decoder

Convert special HTML characters to entities and back. Prevent XSS attacks and display code safely.
100% Free — Essential for web development and security.



Common Use Cases

🛡️ XSS Prevention

Encode user input before displaying it, so that injected markup is shown as text rather than interpreted as script.

📝 Display Code

Show HTML, JavaScript or XML code snippets in tutorials and documentation without the browser rendering them.

📧 Email Templates

Encode special characters in HTML emails to ensure correct rendering across mail clients.

🗄️ Database Storage

Sanitize text before storing it in a database to prevent injection vulnerabilities.
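The first use case, worked through in code. This is an added example and not part of the page or any library it mentions: the same comment template is rendered once with raw input and once with entity-encoded input, in both text and attribute context, and a small structural count shows which one let the input add markup of its own. The function names (renderCommentUnsafe, renderCommentSafe, countMarkup, markupUnchanged) and the sample input are constructed for the demonstration.

```javascript
// Added example, not from the page: rendering untrusted input with and
// without HTML entity encoding, in text and attribute context.

// Encode the five characters that can change markup. '&' goes first so
// the entities produced by the later replacements are not re-encoded.
function escapeHTML(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: raw values are interpolated straight into the markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment" data-author="${author}"><p>${body}</p></div>`;
}

// Hardened: every untrusted value is encoded before it meets the markup.
// Attributes are always double-quoted, so an encoded &quot; cannot close them.
function renderCommentSafe(author, body) {
  return `<div class="comment" data-author="${escapeHTML(author)}"><p>${escapeHTML(body)}</p></div>`;
}

// Counts opening tags and attribute starts in a fragment. For this fixed
// template the numbers are known, so any increase means the input added
// structure of its own. (A demonstration aid, not a real HTML parser.)
function countMarkup(htmlStr) {
  return {
    tags: (htmlStr.match(/<[a-zA-Z]+/g) || []).length,
    attrs: (htmlStr.match(/\s[\w-]+="/g) || []).length,
  };
}

// Baseline: the template rendered with empty values (2 tags, 2 attributes).
const BASELINE = countMarkup(renderCommentSafe('', ''));

// True when a rendered fragment has exactly the template's own structure.
function markupUnchanged(htmlStr) {
  const c = countMarkup(htmlStr);
  return c.tags === BASELINE.tags && c.attrs === BASELINE.attrs;
}

// Constructed sample input: one value tries to leave the attribute, the
// other carries the page's <script> example plus a bare ampersand.
const SAMPLE = {
  author: 'mallory" data-x="',
  body: '<script>alert("XSS")</script> & more',
};

console.log('unsafe:', renderCommentUnsafe(SAMPLE.author, SAMPLE.body));
console.log('  intact?', markupUnchanged(renderCommentUnsafe(SAMPLE.author, SAMPLE.body)));
console.log('safe:  ', renderCommentSafe(SAMPLE.author, SAMPLE.body));
console.log('  intact?', markupUnchanged(renderCommentSafe(SAMPLE.author, SAMPLE.body)));
```

The unsafe render ends up with three tags and three attributes (a `<script>` element and a `data-x` attribute the template never defined); the safe render keeps the template's two and two, because `&quot;` stays inside the quoted attribute and `&lt;script&gt;` is displayed as text.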

HTML Entities Reference

Character              Entity
<                      &lt;
>                      &gt;
&                      &amp;
"                      &quot;
'                      &#39;
©                      &copy;
®                      &reg;
™                      &trade;
€                      &euro;
£                      &pound;
(non-breaking space)   &nbsp;
—                      &mdash;

Why Use HTML Entities?

  • XSS Prevention: Encoding user input prevents script injection attacks
  • Display Code: Show HTML code without it being interpreted by the browser
  • Special Characters: Display symbols like ©, ®, ™ correctly across all browsers
  • Avoid Parsing Issues: Prevent special characters from breaking the HTML structure
  • Email Compatibility: Ensure correct rendering in HTML email clients

Encoding in Code

JavaScript (browser-safe)

// Using the DOM: serialising a text node escapes &, < and > (and the
// non-breaking space). Quotes are NOT escaped, so use this for text
// content only, not for attribute values.
function encodeHTML(text) {
  const div = document.createElement('div');
  div.textContent = text;
  return div.innerHTML;
}

// Manual replacement: covers the five characters that can change markup
// in both text and attribute context. & is replaced first so the entities
// produced by the later replacements are not encoded a second time.
function escapeHTML(str) {
  return str
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

PHP (htmlspecialchars)

// Encode the special characters (&, <, >, " and ')
$safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

// Decode back, with the same flags used for encoding
$original = htmlspecialchars_decode($safe, ENT_QUOTES);

// For all named entities (not just the special characters)
$encoded = htmlentities($input, ENT_QUOTES, 'UTF-8');
$decoded = html_entity_decode($encoded, ENT_QUOTES, 'UTF-8');

Python (html module)

import html

# Encode HTML entities; quote=True (the default) also encodes " and '
safe = html.escape('<script>alert("XSS")</script>')
# Result: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;

# Decode back to the original characters
original = html.unescape('&lt;div&gt;')
# Result: <div>

Java (Apache Commons Text)

import org.apache.commons.text.StringEscapeUtils;

// Encode
String safe = StringEscapeUtils.escapeHtml4(input);

// Decode
String original = StringEscapeUtils.unescapeHtml4(safe);

// The older org.apache.commons.lang3.StringEscapeUtils is deprecated in
// favour of the commons-text class above; for XML contexts use its
// escapeXml11 method instead of the HTML variant.

Frequently Asked Questions

When should I encode HTML?

Always encode user-generated content before displaying it in HTML. This prevents XSS attacks and ensures text displays correctly without breaking page structure.

What's the difference between < and &lt;?

< is the actual less-than symbol that starts HTML tags. &lt; is the HTML entity that displays the < character as text instead of being interpreted as a tag.

What is XSS and how does encoding prevent it?

XSS (Cross-Site Scripting) injects malicious scripts into web pages. Encoding converts <script> to &lt;script&gt;, displaying it as text instead of executing.

Should I use named or numeric entities?

Named entities like &copy; are more readable, but numeric codes like &#169; have broader browser support. For critical characters (<, >, &), both work universally.

Does encoding affect SEO?

No. Search engines understand HTML entities. &amp; is treated the same as & for indexing purposes. Encoding is purely a display/security concern.

When should I decode HTML entities?

Decode when you need the actual characters for processing, API calls, or displaying in non-HTML contexts like JSON. Never decode user input before sanitizing.
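Two points from above in working code: the entity reference table (a decoder has to accept the named form, the decimal form such as &#169; and the hex form such as &#xA9;) and this last answer's warning about decoding. This is an added example, not code from the page: the NAMED map is only the table's subset of HTML5's named entities, and encodeEntities, decodeEntities and decodeTimes are names constructed for the demonstration.

```javascript
// Added example, not from the page: a one-pass HTML entity decoder for the
// three reference forms (named, decimal &#169;, hex &#xA9;), a matching
// encoder for the table's characters, and a check of the decode-once rule.

// Named entities from the page's reference table (a small subset of HTML5's).
const NAMED = {
  lt: '<', gt: '>', amp: '&', quot: '"', apos: "'",
  copy: '\u00A9', reg: '\u00AE', trade: '\u2122', euro: '\u20AC',
  pound: '\u00A3', nbsp: '\u00A0', mdash: '\u2014',
};

// Reverse map for encoding; the apostrophe uses the numeric form &#39;
// as the page's table does.
const CHAR_TO_ENTITY = {};
for (const [name, ch] of Object.entries(NAMED)) CHAR_TO_ENTITY[ch] = `&${name};`;
CHAR_TO_ENTITY["'"] = '&#39;';
const ENCODE_RE = new RegExp(`[${Object.keys(CHAR_TO_ENTITY).join('')}]`, 'g');

// Encode: the five markup-significant characters plus the table's symbols.
function encodeEntities(str) {
  return String(str).replace(ENCODE_RE, (ch) => CHAR_TO_ENTITY[ch]);
}

// Decode exactly one level. Unknown names are left as written rather than
// guessed; numeric references outside Unicode, surrogates and NUL become U+FFFD.
function decodeEntities(str) {
  return String(str).replace(
    /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g,
    (match, body) => {
      if (body[0] === '#') {
        const hex = body[1] === 'x' || body[1] === 'X';
        const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
        if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\uFFFD';
        return String.fromCodePoint(cp);
      }
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    },
  );
}

// Why decoding must happen exactly once: a doubly encoded value stays
// inert after one pass and only becomes live markup after a second.
function decodeTimes(str, n) {
  let out = str;
  for (let i = 0; i < n; i++) out = decodeEntities(out);
  return out;
}

// Constructed sample, as it might sit in a database after being encoded twice.
const STORED = '&amp;lt;script&amp;gt;';
console.log('once :', decodeTimes(STORED, 1)); // &lt;script&gt;  (still text in HTML)
console.log('twice:', decodeTimes(STORED, 2)); // <script>        (now a tag)
```

The decoder deliberately stops at one level: a renderer that "decodes until nothing changes" turns the stored value above into a live tag, which is the loop the FAQ is warning about. Decode once, on the way into a non-HTML context, and encode once, at the point where the text is written into HTML.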