HTML Entity Encoder / Decoder

Encode and decode HTML special characters

Common HTML Entities

& = &amp;
< = &lt;
> = &gt;
" = &quot;
' = &#39;
/ = &#47;
` = &#96;
= = &#61;

About this tool

An HTML entity encoder converts characters that have special meaning in HTML — like <, >, &, and " — into safe entity references such as &lt;, &gt;, &amp;, and &quot;. This is the foundation of XSS prevention: any user-supplied content rendered into a page must be entity-encoded so the browser treats it as text instead of markup.

How to use

  1. Pick Encode to convert raw characters into HTML entities, or Decode to do the reverse.
  2. Paste the text or HTML snippet into the input box.
  3. Read the encoded or decoded output on the right.
  4. Click Copy to grab the result for use in your template, email, or doc.
  5. Use the entity reference card at the bottom as a quick lookup for common characters.

Common use cases

  • Sanitising user-generated content before injecting it into a server-rendered page.
  • Embedding code snippets that contain < and > inside a Markdown or HTML document.
  • Preparing email HTML so apostrophes and ampersands render correctly across clients.
  • Decoding scraped HTML where entities like &amp;quot; were double-encoded.
  • Verifying that output is escaped correctly before flagging an XSS bug.
  • Showing literal HTML markup in a tutorial or technical doc.

Frequently asked questions

Q. Do I still need to encode if I use a templating engine?

A. Most modern engines (Svelte, React, Jinja, ERB) auto-escape by default. But once you reach for a "raw" or "unsafe" helper you take responsibility for encoding yourself.

Q. What is the difference between &#39; and &apos;?

A. Both encode an apostrophe. &apos; is technically XHTML/XML; some legacy HTML parsers do not recognise it, so &#39; is the safer choice for HTML output.

Q. Does encoding fix all XSS issues?

A. No. Context matters — JavaScript strings, URL attributes, and CSS each need their own escaping. Use a battle-tested sanitizer for HTML you want to render with markup intact.

Q. Why does decoding a non-encoded string return it unchanged?

A. There is nothing to decode. Decoding only swaps recognised entities back to characters; raw text passes through untouched.
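The behaviour described above (the reference card, the double-encoded scrape case, and the decode pass-through) as an added JavaScript example; this is not the tool's own source. It encodes exactly the eight characters in the card and decodes named, decimal and hex references; the names `encodeHtml`, `decodeHtml` and `decodeFully` are assumed here. It is only correct for HTML text and quoted attribute values, not JavaScript, URL or CSS contexts.

```javascript
// Added example (not the tool's own code): a minimal HTML entity
// encoder/decoder covering the characters in the reference card.

// Characters with special meaning in HTML, mapped to the entities the card lists.
const ENCODE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#47;',
  '`': '&#96;',
  '=': '&#61;',
};

// Named entities the decoder understands. &apos; is accepted on input even
// though the encoder emits &#39; (see the FAQ on &#39; vs &apos;).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Encode for an HTML text node or quoted attribute value. '&' is encoded too,
// so the output can never contain the start of an unintended entity.
function encodeHtml(input) {
  return String(input).replace(/[&<>"'`\/=]/g, (ch) => ENCODE_MAP[ch]);
}

// One decode pass: named (&lt;), decimal (&#39;) and hex (&#x27;) references.
// Unrecognised or malformed sequences are left as-is, which is why decoding
// plain text returns it unchanged.
function decodeHtml(input) {
  return String(input).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Double-encoded scraped HTML (e.g. "&amp;quot;") needs one pass per layer.
// The pass count is returned so a caller can see how deep the encoding went.
function decodeFully(input, maxPasses = 5) {
  let current = String(input);
  for (let passes = 0; passes < maxPasses; passes++) {
    const next = decodeHtml(current);
    if (next === current) return { text: current, passes };
    current = next;
  }
  return { text: current, passes: maxPasses };
}
```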