Encode/decode HTML entities — & < > " ' and all numeric refs — browser-only
- Runs locally
- Category Text
- Best for Removing repetitive cleanup work from everyday writing and operations.
What this tool does
Free online HTML entity encoder and decoder. Convert special characters (&, <, >, ", ') to safe HTML entities so they render literally in a page, or decode entity-escaped HTML back to plain text. Supports named entities (&) and numeric refs (& / &). 100% client-side.
Tool details
- Input
- Text + Numbers + Structured content
- The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
- Output
- Live result + Copy
- The result area focuses on usable output, with copy, download, or preview actions when supported.
- Privacy
- Browser-side processing
- The main tool logic does not call an external API, so inputs normally stay in the current tab.
- Save / share
- No account required
- Open the page and use it; whether results survive refresh depends on the tool.
- Performance budget
- Initial JS <= 6 KB
- No WASM budget is declared, keeping the tool quick to open on mobile.
- Best fit
- Text · Developer
- Category and role tags drive related tools, internal links, and quick fit checks.
How to use
-
1. Input
Paste or drop your content into the tool panel.
-
2. Process
Click the button. All processing is local in your browser.
-
3. Copy / Download
Copy the result or download to disk in one click.
How HTML Entities Encoder fits into your work
Use it to clean, compare, reshape, or extract plain text before it goes into a document, CMS, spreadsheet, or prompt.
Text jobs
- Removing repetitive cleanup work from everyday writing and operations.
- Making text easier to compare, paste, publish, or feed into another tool.
- Working with content locally when the text is private or unfinished.
Text checks
- Scan for unintended whitespace, duplicate lines, and lost punctuation.
- For long text, test the first few lines before applying the whole change.
- Copy the final output only after checking the preview.
Good next steps
These links move the current task into a more complete workflow.
- 1 URL Encoder / Decoder Encode and decode URL-unsafe characters — query strings, path segments, full URLs — instant, browser-only Open
- 2 Base64 Encoder & Decoder Encode or decode Base64 — text, files, and Data URLs. Runs entirely in your browser. Open
- 3 String Escape / Unescape Escape & unescape strings for JSON, JS, Java, C, SQL, Shell, HTML, CSV & regex — both directions — browser-only Open
Real-world use cases
Rendering a code snippet literally inside a blog post
You want a tutorial to show the literal text <div class="card">, but the browser keeps parsing it as a real element. Paste it here, encode, and you get <div class="card"> to drop straight into your HTML so readers see the tag, not an empty div.
Stopping an XSS hole in a comment box
A user submits a comment containing <script>alert(1)</script>. Before you echo it into the page, run it through the encoder so it becomes <script>alert(1)</script> and renders as harmless text. Five characters (& < > " ') cover the bulk of reflected-XSS cases.
Cleaning up email HTML pasted from a CMS
You copied a product description out of a CMS and it arrived as &eacute;, &mdash; and &#8217; double-escaped. Decode once and the ampersands collapse back to é, — and ’ so the email preview reads correctly instead of showing & everywhere.
Building a JSON payload that carries HTML safely
Your API returns a help string with quotes and angle brackets that break the front-end template. Encode it to entities first so the string survives both the JSON layer and the HTML render, then decode on display. No more truncated tooltips at the first " character.
Common pitfalls
Double-encoding already-escaped text: running & through the encoder again gives &amp;. Encode once, at output time only.
Trusting the encoder to sanitize attributes too: inside an onclick= or href= you also need URL/JS escaping; entity-encoding alone does not block javascript: URLs.
Forgetting the apostrophe: skipping ' breaks single-quoted attributes like value='it's' — always escape all 5 chars, not just < and >.
Privacy
Your text never leaves the browser. Encoding and decoding run entirely in JavaScript using a local lookup map and a regex, with no network request at any point. The current input can be saved into the share URL so a link reproduces your result, so avoid pasting secrets or private data when you intend to share the link.
FAQ
Tool combos
Folks in your role tend to reach for these alongside this tool.
- 555 Timer Calculator Astable f = 1.44/((R1+2R2)C) + monostable t = 1.1RC — pick R1, R2, C in Ω/kΩ and µF/nF, read frequency, duty cycle and pulse width — browser-only
- Add Line Numbers Number every line of pasted text — set start, step and separator, zero-pad to align, skip blanks, or strip numbers back off — browser-only
- AES Text Encryptor Encrypt & decrypt text with a password — AES-256-GCM + PBKDF2 via WebCrypto — 100% in your browser, nothing uploaded
- Affine Cipher Encoder & Decoder Encrypt and decrypt the ax+b affine cipher with live modular-inverse check, browser-only