HTML Entity Encoder / Decoder
Encode HTML special characters to entities and decode named/numeric entities — essential for XSS prevention.
Common HTML entities
&amp; (&), &lt; (<), &gt; (>), &quot; ("), &#39; ('), &copy; (©), &reg; (®), &trade; (™), &nbsp; (non-breaking space), &mdash; (—), &hellip; (…), &laquo; («), &raquo; (»)
What is an HTML encode/decode tool
An HTML encode/decode tool converts between plain text and HTML entities. HTML entities are special codes starting with & and ending with ; that safely display special characters like <, >, &, and quotes in web pages without being parsed as HTML tags.
Common HTML encode/decode use cases
- Displaying code snippets: encode < and > as &lt; and &gt; when showing HTML/JavaScript code in blogs or documentation.
- Preventing XSS attacks: encode user input before display so the browser renders it as text rather than executing it as markup or script.
- Email templates: safely display special characters in HTML emails.
- Data transmission: embed text with special characters in JSON or XML.
Code Examples
JavaScript (Browser)
```javascript
// Encode using a temporary DOM element (browser only)
function htmlEncode(str) {
  const div = document.createElement('div');
  div.appendChild(document.createTextNode(str));
  return div.innerHTML;
}

// Decode. Note: innerHTML parses the string as markup, so only decode input you
// trust; even on a detached element, tags such as <img> are still processed.
function htmlDecode(str) {
  const div = document.createElement('div');
  div.innerHTML = str;
  return div.textContent ?? div.innerText;
}

// Manual encode (works in Node.js too). '&' must be replaced first, otherwise
// the '&' introduced by the later replacements would be encoded a second time.
const escapeHtml = (s) => s
  .replace(/&/g, '&amp;')
  .replace(/</g, '&lt;')
  .replace(/>/g, '&gt;')
  .replace(/"/g, '&quot;')
  .replace(/'/g, '&#39;');
```
Python
```python
import html

# Encode (escape)
html.escape('<script>alert("xss")</script>')
# '&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;'

# quote=True (the default) also escapes single and double quotes
html.escape("it's", quote=True)
# 'it&#x27;s'

# Decode (unescape)
html.unescape('&lt;b&gt;Hello &amp; World&lt;/b&gt;')
# '<b>Hello & World</b>'
```
Go
```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"os"
)

func main() {
	// Encode
	fmt.Println(html.EscapeString("<script>alert('xss')</script>"))
	// "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;"

	// Decode
	fmt.Println(html.UnescapeString("&lt;b&gt;Hello &amp; World&lt;/b&gt;"))
	// "<b>Hello & World</b>"

	// In templates (auto-escaped, context-aware)
	t := template.Must(template.New("").Parse("<p>{{.}}</p>"))
	t.Execute(os.Stdout, "<b>Hello</b>")
	// <p>&lt;b&gt;Hello&lt;/b&gt;</p>
}
```
PHP / Twig
```php
<?php
// Encode
htmlspecialchars('<b>Hello</b> & "World"', ENT_QUOTES, 'UTF-8');
// '&lt;b&gt;Hello&lt;/b&gt; &amp; &quot;World&quot;'

// Decode
htmlspecialchars_decode('&lt;b&gt;Hello&lt;/b&gt;');
// '<b>Hello</b>'

// All HTML entities (including named ones)
htmlentities('© 2025 — Café', ENT_QUOTES, 'UTF-8');
// '&copy; 2025 &mdash; Caf&eacute;'

// Twig (auto-escaped by default)
// {{ user_input }}      <- auto-escaped
// {{ user_input|raw }}  <- raw HTML (unsafe!)
```
Frequently Asked Questions
Why do we need HTML entity encoding?
Certain characters have special meaning in HTML: < and > for tags, & for entities, " for attribute values. Inserting raw user input into HTML lets browsers interpret these as HTML structure, creating XSS (cross-site scripting) vulnerabilities. Escaping them to &lt;, &gt;, &amp;, &quot; makes browsers display them as literal text instead of executing code.
What's the difference between named and numeric HTML entities?
Named entities use memorable names: &amp; (&), &copy; (©), &nbsp; (non-breaking space). Numeric entities use the Unicode code point: decimal &#169; or hex &#xA9; (both mean ©). Named entities only exist for characters defined in the HTML spec; numeric entities can represent any Unicode character.
Which 5 characters are most critical to HTML-encode?
The essential 5: & → &amp; (must go first, or it will break the other entities), < → &lt;, > → &gt;, " → &quot; (inside attribute values), ' → &#39; or &#x27; (inside attribute values). Other characters (CJK, ©, €, etc.) don't need encoding — modern browsers fully support UTF-8 directly.
What is &nbsp; and when should I use it?
&nbsp; is a non-breaking space (U+00A0). Unlike regular spaces: 1) The browser won't wrap a line at a &nbsp;. 2) Multiple &nbsp; characters are not collapsed into one (HTML normally collapses consecutive spaces). Use it for fixed spacing in typography — e.g., between a number and its unit ('100&nbsp;km'), or to prevent a phrase from breaking across lines.
Do React and Vue automatically HTML-encode content?
Yes. React JSX and Vue templates escape all interpolated values by default. In React, <div>{userInput}</div> auto-encodes special characters — only dangerouslySetInnerHTML bypasses this (use with extreme care). In Vue, {{ userInput }} is automatically escaped; only the v-html directive inserts raw HTML.
What's the difference between HTML encoding and URL encoding?
HTML entity encoding (&amp;, &lt;, etc.) escapes special characters in an HTML document context to prevent HTML parsing ambiguity. URL encoding (%26, %3C, etc.) escapes non-ASCII and reserved characters in a URL/URI context. They serve different purposes. For an href attribute: first URL-encode the value, then HTML-encode the whole attribute.
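The points above (named and numeric entities, "& must go first", and the URL-encode-then-HTML-encode rule for href) worked through in one DOM-free Node.js implementation. This is an added example, not code from the tool page; the entity table and the sample inputs are constructed for it.

```javascript
// Added example (not from the original page): a DOM-free encoder/decoder that
// handles named, decimal (&#169;) and hex (&#xA9;) entities and shows the
// "& must be escaped first" ordering pitfall from the FAQ.

// Deliberately small named-entity table (constructed for this example);
// a full decoder would carry the complete HTML5 list.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                nbsp: '\u00A0', copy: '\u00A9' };

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML-significant characters in a single pass. Because one
// regex sees every original character exactly once, an '&' produced by a
// replacement can never be re-encoded.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Chained replaces in the wrong order: '<' becomes '&lt;', then the '&' of
// that entity is encoded again, yielding '&amp;lt;'.
function escapeHtmlWrongOrder(s) {
  return String(s).replace(/</g, '&lt;').replace(/&/g, '&amp;');
}

// Decode named, decimal and hex entities; anything unknown or outside the
// Unicode range is left as-is rather than guessed at.
function unescapeHtml(s) {
  return String(s).replace(/&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z]+));/g,
    (m, hex, dec, name) => {
      if (name !== undefined) {
        return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
      }
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10FFFF ? String.fromCodePoint(cp) : m;
    });
}

// href attribute: URL-encode the untrusted query value first, then HTML-encode
// the whole attribute value. The '&' separating parameters becomes '&amp;';
// the '&' inside the user value was already turned into '%26'.
function searchHref(query, page) {
  const url = '/search?q=' + encodeURIComponent(query) + '&page=' + page;
  return 'href="' + escapeHtml(url) + '"';
}
```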