Overview
Encode and decode HTML entities instantly
HTML treats a handful of characters as special. An ampersand starts an entity, angle brackets open and close tags, and quotes delimit attribute values. If you want those characters to appear as literal text rather than be parsed as markup, you escape them as HTML entities: &amp;, &lt;, &gt;, &quot;, and &#39;.
ToolHub HTML Entity Encoder converts text to safe entities and back again. Switch between Encode and Decode, paste your input, and copy the result. Everything happens in your browser.
Step-by-step
How to encode and decode HTML entities
1. Pick a mode
   Encode turns plain text into HTML entities. Decode does the reverse, converting entities back to readable characters.
2. Type or paste your input
   Drop your text into the input panel. The output updates live as you type.
3. Copy the result
   Click copy to grab the encoded or decoded output and paste it wherever you need it.
Background
Which characters get escaped
Encoding replaces the five reserved characters with their named or numeric entities. The ampersand goes first so the entities the tool adds are not double-escaped. The result is text that a browser renders exactly as you wrote it instead of interpreting it as tags or attributes.
The five core entities
Ampersand becomes &amp;, less-than becomes &lt;, greater-than becomes &gt;, double quote becomes &quot;, and single quote becomes &#39;. These five cover the characters that can break out of text content or attribute values.
Why decoding is done safely
To decode, the tool writes your input into a detached textarea element and reads back the browser-resolved value. That element is never attached to the live page, so no markup is parsed or executed. This avoids the security risk of injecting untrusted HTML into the document.
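The ordering rule from "Which characters get escaped" and the detached-textarea decoder from "Why decoding is done safely", as an added example that is not ToolHub's own code. All function names are hypothetical, and the use of innerHTML in the decoder is an assumption about how the input is written into the textarea.

```javascript
// Added example: names below are hypothetical, not ToolHub's source.
// Order matters: the ampersand pair must be applied first.
const ENTITIES = [
  ["&", "&amp;"],
  ["<", "&lt;"],
  [">", "&gt;"],
  ['"', "&quot;"],
  ["'", "&#39;"], // numeric form, which the page prefers over &apos;
];

// Apply each replacement over the whole string, one pair at a time.
function applyInOrder(text, pairs) {
  return pairs.reduce((out, [ch, entity]) => out.split(ch).join(entity), String(text));
}

// Correct encoder: ampersand first, so entities added later stay intact.
function encodeHtml(text) {
  return applyInOrder(text, ENTITIES);
}

// Deliberately wrong order, kept to show the double-escaping failure.
function encodeAmpersandLast(text) {
  return applyInOrder(text, [...ENTITIES.slice(1), ENTITIES[0]]);
}

// Place untrusted text inside a double-quoted attribute value.
function buildInput(value) {
  return `<input value="${encodeHtml(value)}">`;
}

// Browser-only decoder in the style the page describes. Assumption: the
// input is written with innerHTML; the textarea is never attached.
function decodeHtml(text) {
  if (typeof document === "undefined") {
    throw new Error("decodeHtml needs a browser DOM");
  }
  const scratch = document.createElement("textarea");
  scratch.innerHTML = text;
  return scratch.value;
}

// Constructed sample input.
const sample = `<b title="Q&A">it's</b>`;
console.log(encodeHtml(sample));          // each character escaped once
console.log(encodeAmpersandLast(sample)); // entities escaped a second time
```

The attribute helper relies on the value being wrapped in quotes; the five entities do not protect an unquoted attribute, where a space is enough to end the value.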
Use cases
When to encode HTML entities
Showing code in a web page
Display HTML snippets in a tutorial or blog post without the browser rendering them as real elements.
Preventing XSS in user content
Escape user-supplied text before inserting it into a page so it cannot inject script or tags.
Safe attribute values
Encode quotes so a value containing them does not break out of an HTML attribute.
Email and template content
Escape special characters in templated HTML emails so they display correctly across clients.
Cleaning up scraped markup
Decode entities in text pulled from a page to recover the original readable characters.
Documentation and CMS fields
Store literal angle brackets and ampersands in fields that would otherwise interpret them as markup.
Tips and best practices
- Always encode the ampersand first, otherwise the ampersands in your other entities get escaped again.
- Encoding is not a substitute for proper output escaping in your framework, but it is handy for one-off content.
- Decoding handles named entities like &copy; and numeric ones like &#169; because the browser resolves them for you.
- Single quotes use the numeric &#39; rather than &apos; because the named version is not universally supported in older HTML.
- If decoded text looks wrong, check whether the source used a different escaping scheme such as URL encoding instead of HTML entities.
Common questions
What is the difference between encoding and encryption?
HTML entity encoding is a display transformation, not security. It makes characters render literally. It hides nothing and protects no secrets. Anyone can decode the result instantly.
Why is the single quote encoded as &#39; not &apos;?
The named entity &apos; is part of XML and HTML5 but was not defined in older HTML versions. The numeric form &#39; works everywhere, so it is the safer choice.
Does decoding run my HTML?
No. The tool reads the resolved text value out of a detached textarea. That element is never added to the page, so scripts and tags in your input are never executed.
Can it handle accented and non-Latin characters?
Yes. Encoding only touches the five reserved characters and leaves everything else as is, so accented letters and other scripts pass through untouched. Decoding resolves any named or numeric entity the browser knows.