Which characters get escaped?

Encoding escapes the HTML-significant characters & " and the apostrophe, and optionally all non-ASCII characters as numeric entities. Decoding understands named entities and decimal or hexadecimal numeric entities.

Why do I need to escape these characters?

Characters like < and & have special meaning in HTML. If you put raw user text containing them into a page, the browser may interpret it as markup — escaping turns it into literal text and prevents cross-site scripting (XSS).

What is the difference between a named and a numeric entity?

A named entity uses a label, like & for &. A numeric entity uses the character code, like & (decimal) or & (hex) for the same &. Decoding here handles all three forms.

Why is the apostrophe encoded as ' not '?

The decimal numeric entity ' works in HTML4, XHTML and HTML5, whereas the named ' is not defined in HTML4. Using the numeric form is the safest, most portable choice.

Is decoding safe with untrusted HTML?

Yes. Entities are decoded with a parser that never inserts your input into the live page, so pasting untrusted markup cannot run scripts.

Is my content uploaded?

No. All encoding and decoding happens in your browser — nothing is sent to a server.

HTML Entity Encoder & Decoder

Q: Why do I need to escape these characters?

Characters like < and & have special meaning in HTML. If you put raw user text containing them into a page, the browser may interpret it as markup — escaping turns it into literal text and prevents cross-site scripting (XSS).

Q: What is the difference between a named and a numeric entity?

A named entity uses a label, like & for &. A numeric entity uses the character code, like & (decimal) or & (hex) for the same &. Decoding here handles all three forms.

Q: Why is the apostrophe encoded as ' not '?

The decimal numeric entity ' works in HTML4, XHTML and HTML5, whereas the named ' is not defined in HTML4. Using the numeric form is the safest, most portable choice.

Q: Is decoding safe with untrusted HTML?

Yes. Entities are decoded with a parser that never inserts your input into the live page, so pasting untrusted markup cannot run scripts.

Q: Is my content uploaded?

No. All encoding and decoding happens in your browser — nothing is sent to a server.

HTML entity encoder & decoder

Escape text for safe placement inside HTML — &, <, >, " and the apostrophe become their entity equivalents — or decode named and numeric entities back into plain text. Escaping is the core defence against breaking your page layout or introducing cross-site scripting when you display user-supplied text.

How it works

In encode mode the tool replaces each HTML-significant character with its entity: & → &, < → <, > → >, " → ", and the apostrophe → '. An optional setting additionally converts every non-ASCII character (accents, symbols, emoji) into a numeric &#...; entity for maximum compatibility. In decode mode it reverses the process, resolving named entities and both decimal (&#NN;) and hexadecimal (&#xNN;) numeric forms — done through a parser that never injects your input into the live DOM, so untrusted markup cannot execute.

Example

Encoding <a href="x">Tom & Jerry</a> gives:

<a href="x">Tom & Jerry</a>

Character	Named	Numeric
&	&	&
`<`	<	<
`>`	>	>
"	"	"

Everything runs in your browser — nothing is uploaded. Pair it with the URL encoder for query strings.