Skip to main content

HTML Entities — Encode & Decode

Encode/decode HTML entities — & < > " ' and all numeric refs — browser-only

  • Runs locally
  • Category Text
  • Best for Removing repetitive cleanup work from everyday writing and operations.

What this tool does

Free online HTML entity encoder and decoder. Convert special characters (&, <, >, ", ') to safe HTML entities so they render literally in a page, or decode entity-escaped HTML back to plain text. Supports named entities (&amp;) and numeric refs (&#38; / &#x26;). 100% client-side.

Tool details

Input
Text + Numbers + Structured content
The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output
Live result + Copy
The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy
Browser-side processing
The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share
No account required
Open the page and use it; whether results survive refresh depends on the tool.
Performance budget
Initial JS <= 6 KB
No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit
Text · Developer
Category and role tags drive related tools, internal links, and quick fit checks.

How to use

  1. 1. Input

    Paste or drop your content into the tool panel.

  2. 2. Process

    Click the button. All processing is local in your browser.

  3. 3. Copy / Download

    Copy the result or download to disk in one click.

How HTML Entities Encoder fits into your work

Use it to clean, compare, reshape, or extract plain text before it goes into a document, CMS, spreadsheet, or prompt.

Text jobs

  • Removing repetitive cleanup work from everyday writing and operations.
  • Making text easier to compare, paste, publish, or feed into another tool.
  • Working with content locally when the text is private or unfinished.

Text checks

  • Scan for unintended whitespace, duplicate lines, and lost punctuation.
  • For long text, test the first few lines before applying the whole change.
  • Copy the final output only after checking the preview.

Good next steps

These links move the current task into a more complete workflow.

  1. 1 URL Encoder / Decoder Encode and decode URL-unsafe characters — query strings, path segments, full URLs — instant, browser-only Open
  2. 2 Base64 Encoder & Decoder Encode or decode Base64 — text, files, and Data URLs. Runs entirely in your browser. Open
  3. 3 String Escape / Unescape Escape & unescape strings for JSON, JS, Java, C, SQL, Shell, HTML, CSV & regex — both directions — browser-only Open

Real-world use cases

  • Rendering a code snippet literally inside a blog post

    You want a tutorial to show the literal text <div class="card">, but the browser keeps parsing it as a real element. Paste it here, encode, and you get &lt;div class=&quot;card&quot;&gt; to drop straight into your HTML so readers see the tag, not an empty div.

  • Stopping an XSS hole in a comment box

    A user submits a comment containing <script>alert(1)</script>. Before you echo it into the page, run it through the encoder so it becomes &lt;script&gt;alert(1)&lt;/script&gt; and renders as harmless text. Five characters (& < > " ') cover the bulk of reflected-XSS cases.

  • Cleaning up email HTML pasted from a CMS

    You copied a product description out of a CMS and it arrived as &amp;eacute;, &amp;mdash; and &amp;#8217; double-escaped. Decode once and the ampersands collapse back to é, — and ’ so the email preview reads correctly instead of showing &amp; everywhere.

  • Building a JSON payload that carries HTML safely

    Your API returns a help string with quotes and angle brackets that break the front-end template. Encode it to entities first so the string survives both the JSON layer and the HTML render, then decode on display. No more truncated tooltips at the first " character.

Common pitfalls

  • Double-encoding already-escaped text: running &amp; through the encoder again gives &amp;amp;. Encode once, at output time only.

  • Trusting the encoder to sanitize attributes too: inside an onclick= or href= you also need URL/JS escaping; entity-encoding alone does not block javascript: URLs.

  • Forgetting the apostrophe: skipping ' breaks single-quoted attributes like value='it's' — always escape all 5 chars, not just < and >.

Privacy

Your text never leaves the browser. Encoding and decoding run entirely in JavaScript using a local lookup map and a regex, with no network request at any point. The current input can be saved into the share URL so a link reproduces your result, so avoid pasting secrets or private data when you intend to share the link.

. Before\nyou echo it into the page, run it through the encoder so it becomes\n<script>alert(1)</script> and renders as harmless text.\nFive characters (& < > \" ') cover the bulk of reflected-XSS cases.\n"}},{"@type":"Question","name":"Cleaning up email HTML pasted from a CMS","acceptedAnswer":{"@type":"Answer","text":"You copied a product description out of a CMS and it arrived as\n&eacute;, &mdash; and &#8217; double-escaped. Decode once\nand the ampersands collapse back to é, — and ’ so the email preview\nreads correctly instead of showing & everywhere.\n"}},{"@type":"Question","name":"Building a JSON payload that carries HTML safely","acceptedAnswer":{"@type":"Answer","text":"Your API returns a help string with quotes and angle brackets that\nbreak the front-end template. Encode it to entities first so the\nstring survives both the JSON layer and the HTML render, then decode\non display. No more truncated tooltips at the first \" character.\n"}}]}

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Made by Toolora · 100% client-side · Updated 2026-07-02