HTML Encoder / Decoder
Convert special characters to HTML entities and decode HTML entities back to plain text.
Common HTML entities
HTML entities for escaping user content
Encoding <, >, &, and quotes prevents the browser from parsing user text as markup—critical for XSS mitigation in CMS fields. Decoding is useful when migrating legacy dumps that were stored already encoded.
Context matters: escaping for an attribute value differs from escaping for body text (quotes must be neutralised in attributes), and neither is sufficient inside a script block or URL; templating frameworks often provide context-aware helpers—prefer them in production.
Frequently Asked Questions
What is HTML encoding?
HTML encoding (escaping) converts characters that have special meaning in HTML into their entity equivalents so they display as literal text. For example, < becomes &lt;, > becomes &gt;, & becomes &amp;, and " becomes &quot;.
When should I encode HTML?
Any time you insert user-supplied or untrusted text into an HTML page, you must encode it. Without encoding, characters like < and > could be interpreted as HTML tags, potentially creating cross-site scripting (XSS) vulnerabilities.
What is XSS and how does encoding prevent it?
Cross-site scripting (XSS) is an attack where malicious code is injected into a web page. If a user enters <script>alert('xss')</script> and you display it unencoded, the script will run. Encoding turns < into &lt; (and > into &gt;), so the browser renders the input as text instead of executing it.
What is the difference between HTML entities and Unicode escapes?
HTML named entities (like &amp;) are human-readable and part of the HTML specification. Numeric character references (like &#38;, or &#x26; in hexadecimal), sometimes called Unicode escapes, represent the same characters by code point. Both produce identical results in a browser; named entities are easier to read, while numeric forms are recognised in any context, including XML, which defines only five named entities.
Should I encode spaces?
Regular spaces do not need HTML encoding. However, non-breaking spaces should be encoded as &nbsp; or &#160; when you need a space that prevents line breaks. In HTML attributes, you generally don't need to encode spaces unless they're part of a value that could be misinterpreted.
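The following is an added example, not code from this page or its tool: a small encoder/decoder in JavaScript that illustrates the points above. It provides separate escaping for body text and for attribute values (the context distinction noted earlier), a decoder that understands both named and numeric references, and a rendering helper showing the two contexts side by side. The function names, the entity table (limited to the entities discussed on this page plus &apos;/&#39;) and the sample inputs are all assumptions constructed for the example.

```javascript
// Added example: minimal HTML encoder/decoder with body vs. attribute contexts.
// Not the page's own tool; names and tables below are constructed for illustration.

// Characters that can start markup or an entity, mapped to their named entities.
// The apostrophe uses the numeric form because &apos; is not defined in HTML 4.
const NAMED = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML body text: only &, < and > can change how the browser
// tokenises text content, so only those need to be encoded.
function encodeHtmlText(s) {
  return String(s).replace(/[&<>]/g, ch => NAMED[ch]);
}

// Escape for a quoted attribute value: quotes must also be neutralised, or the
// value could close the attribute and introduce new attributes or tags.
function encodeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, ch => NAMED[ch]);
}

// Named entities this decoder understands (constructed subset; a real decoder
// would use the full HTML entity table).
const DECODE_NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode named (&amp;), decimal (&#38;) and hex (&#x26;) references in one pass.
// One pass matters: decoding repeatedly would turn "&amp;lt;" into "<".
// Unknown or out-of-range references are left exactly as written.
function decodeHtml(s) {
  return String(s).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = DECODE_NAMED[body];
    return named !== undefined ? named : match;
  });
}

// Render a comment card: the same untrusted strings need different escaping
// depending on where they land (attribute value vs. text content).
function renderComment(author, text) {
  return `<div class="comment" data-author="${encodeHtmlAttr(author)}">` +
         `${encodeHtmlText(text)}</div>`;
}

// Constructed sample input: the payload quoted in the FAQ above.
const sample = "<script>alert('xss')</script>";
console.log(encodeHtmlText(sample));                 // rendered as literal text
console.log(decodeHtml('&lt;b&gt; &amp; &#38; &#x26; &nbsp;x'));
console.log(renderComment('Ann "the admin" & co', sample));
```

Round-tripping decodeHtml(encodeHtmlAttr(s)) returns the original string for any input, which is the property a migration of already-encoded legacy data depends on; the decoder's single-pass design is what keeps doubly encoded input (such as &amp;lt;) from collapsing into live markup.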