HTML Encode / Decode

Convert HTML special characters to entities and decode escaped HTML back to readable text. Encode &, <, >, ", and ' for safe HTML output, templates, comments, and user-generated content; decode named, decimal, and hexadecimal HTML entities back to Unicode characters.

✓ Encodes HTML special characters as entities ✓ Supports named and numeric HTML entities ✓ Client-side processing only
Examples
HTML tags
Input <h1>Hello & "World"</h1>
Output &lt;h1&gt;Hello &amp; &quot;World&quot;&lt;/h1&gt;

The < > " and & characters are all encoded as HTML entities.

XSS prevention
Input <script>alert('xss')</script>
Output &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;

Encoded script tags are displayed as text, so the injected code does not execute in HTML output.

Decode entities
Input &lt;p&gt;Caf&eacute; &amp; na&iuml;ve&lt;/p&gt;
Output <p>Café & naïve</p>

Named entities like &eacute; and &iuml; are converted back to their Unicode characters.

HTML attribute text
Input <a href="/search?q=tea&sort=asc">Tea's "best"</a>
Output &lt;a href=&quot;/search?q=tea&amp;sort=asc&quot;&gt;Tea&#39;s &quot;best&quot;&lt;/a&gt;

Angle brackets, ampersands, quotes, and apostrophes are escaped so the snippet can be displayed as text.

What is HTML encoding?

HTML encoding converts special characters into HTML entities so browsers display them as text rather than interpreting them as markup. For example, the less-than sign < becomes &lt;, and the ampersand & becomes &amp;.

This is essential when placing user-supplied text, code snippets, product names, comments, CMS content, or translated strings inside an HTML page. Escaping the right characters helps prevent cross-site scripting (XSS) vulnerabilities and avoids broken layouts caused by accidental tags or attributes.

Encoding vs decoding HTML entities

Encoding replaces the five HTML-special characters with their entity equivalents: & → &amp;, < → &lt;, > → &gt;, " → &quot;, and ' → &#39;.

Decoding is the reverse process: it converts HTML entities — named (for example &eacute;), decimal (&#233;), or hexadecimal (&#xE9;) — back to their Unicode characters. This is useful for reading escaped HTML source, cleaning copied snippets, checking CMS output, or debugging API responses that contain entity-encoded text.
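The two directions described above, as an added JavaScript example (not this tool's own code). The `NAMED` table is an assumed small subset of the named entities, and the function names are hypothetical.

```javascript
// Added example: encoder for the five HTML-special characters and a decoder
// for named, decimal and hexadecimal entities.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Assumption: illustrative subset only; the HTML standard defines far more names.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", eacute: 'é', iuml: 'ï', copy: '©' };

function encodeHtml(text) {
  // One pass over the input, so the '&' of an emitted entity is never re-encoded.
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

function decodeNumeric(codePoint, original) {
  // NUL, surrogates and values past U+10FFFF are not valid characters.
  // This sketch leaves such references untouched; an HTML parser emits U+FFFD.
  const invalid = !Number.isInteger(codePoint) || codePoint === 0 ||
    codePoint > 0x10ffff || (codePoint >= 0xd800 && codePoint <= 0xdfff);
  return invalid ? original : String.fromCodePoint(codePoint);
}

function decodeHtml(text) {
  // One pass as well: "&amp;lt;" decodes to the text "&lt;", never to "<".
  const pattern = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g;
  return String(text).replace(pattern, (match, hex, dec, name) => {
    if (hex !== undefined) return decodeNumeric(parseInt(hex, 16), match);
    if (dec !== undefined) return decodeNumeric(parseInt(dec, 10), match);
    // hasOwnProperty keeps names such as "constructor" from hitting the prototype.
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
  });
}
```

Decoding exactly once matters when inspecting double-encoded data: a second pass would turn displayed text back into markup.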

When to use this HTML entity converter

Use the encoder when text must appear inside an HTML document exactly as written: documentation examples, visible code fragments, customer reviews, article titles, form previews, or any field that may contain angle brackets, ampersands, or quotes.

Use the decoder when you need to turn escaped content back into readable text, such as &lt;div&gt;, &copy;, &#169;, or &#x1F600;. The tool is practical for web development, QA, SEO audits, content migration, email templates, and support tickets where encoded markup is difficult to inspect by eye.

HTML encoding is context-specific

HTML encoding is not encryption and does not hide data. It is an output-escaping technique for the HTML context. It helps the browser treat special characters as text, but it should be used together with proper validation, sanitization, and framework-level escaping in production applications.

Different contexts need different escaping rules. Text inside HTML, values inside URLs, JavaScript strings, CSS, and SQL queries are not interchangeable. For HTML output, encode the special HTML characters; for links and query strings, use URL encoding instead.
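An added JavaScript example of layering the two encodings for a search link like the one in the attribute example (not this tool's own code). The helper names and the `https://example.test` base URL are assumptions made for the demonstration.

```javascript
// Added example: URL encoding for the query value, HTML encoding for the markup.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (text) => String(text).replace(/[&<>"']/g, (ch) => HTML_MAP[ch]);

function searchLink(query, sort) {
  // URL context: percent-encode each value so '&', '=' or '#' in the data
  // cannot change the structure of the query string.
  const url = '/search?q=' + encodeURIComponent(query) + '&sort=' + encodeURIComponent(sort);
  // HTML context: escape the finished URL for the double-quoted attribute
  // and, separately, the visible label.
  return '<a href="' + escapeHtml(url) + '">' + escapeHtml(query) + '</a>';
}

// For comparison: HTML encoding only. The markup stays intact, but the
// query string is not, because '&' in the data is still a separator.
function searchLinkHtmlOnly(query, sort) {
  return '<a href="/search?q=' + escapeHtml(query) + '&amp;sort=' + escapeHtml(sort) +
    '">' + escapeHtml(query) + '</a>';
}

// Simulates what happens after the click: the browser undoes the attribute
// escaping, then the receiving side parses the query string.
function queryParamSeen(anchorHtml, name) {
  const href = /href="([^"]*)"/.exec(anchorHtml)[1];
  const back = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  const raw = href.replace(/&(amp|lt|gt|quot|#39);/g, (m, entity) => back[entity]);
  return new URL(raw, 'https://example.test').searchParams.get(name);
}

// Constructed sample input.
const SAMPLE_QUERY = 'tea & "milk"';
```

With `SAMPLE_QUERY`, the layered link delivers the full value as `q`, while the HTML-only link delivers just `tea ` because the ampersand in the data split the parameter.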

FAQ

Unencoded user input embedded directly in HTML can be interpreted as markup or script, allowing attackers to inject malicious code — a vulnerability known as Cross-Site Scripting (XSS). HTML encoding neutralises special characters so the browser treats them as plain text.

The five characters that must always be encoded are: & (ampersand) → &amp;, < (less-than) → &lt;, > (greater-than) → &gt;, " (double quote) → &quot;, and ' (single quote/apostrophe) → &#39;. Other characters such as accented letters are safe but may also be encoded as named or numeric entities for compatibility.

HTML encoding escapes characters that have special meaning in HTML markup (&, <, >, ", '). URL encoding (percent-encoding) escapes characters not allowed in URLs, such as spaces (%20) and reserved characters. Both are context-specific: use HTML encoding when outputting text inside an HTML document, and URL encoding when building query strings or path segments.

Yes. When you receive HTML source code that contains escaped entities — for example from an API response or a database field — you can paste it into the decoder to see the original characters. The decoder handles named entities (&eacute;), decimal entities (&#233;), and hexadecimal entities (&#xE9;).

No. HTML encoding is a reversible text transformation for safe display in HTML. Anyone can decode entities back to the original characters, so it should not be used to protect secrets, passwords, tokens, or private data.

The encoder focuses on the HTML-special characters that commonly break markup or create security issues: &, <, >, double quotes, and apostrophes. Unicode letters, emoji, and accented characters are preserved as readable text. The decoder can still convert named and numeric entities back to Unicode characters.

Decode HTML entities when you need to inspect or process text that was previously escaped, such as CMS exports, email templates, API responses, database values, or copied HTML source. Do not decode untrusted content and then insert it into a page as raw HTML unless it has also been sanitized.

No. The HTML Encode / Decode tool runs in your browser. Your text is transformed locally, which makes it suitable for quick checks with snippets, templates, and development content.