Encode & decode all HTML5 entities — named, decimal, hex — XSS prevention and safe markup, 100% client-side
- Runs locally
- Category Encoding & Crypto
- Best for Checking small payloads, tokens, hashes, and encoded values quickly.
What this tool does
Comprehensive HTML entity encoder and decoder. Convert special characters to named entities (&amp; &lt; &gt;), decimal references (&#38; &#60;), or hex references (&#x26; &#x3C;). Encode only XSS-dangerous chars or all non-ASCII. Decode any HTML5 named entity, numeric decimal, or hex reference back to plain text. Ships a searchable reference of 250+ HTML5 entities. 100% client-side — your content never leaves the browser.
Tool details
- Input: Text + Numbers + Structured content. The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
- Output: Live result + Copy + Preview. The result area focuses on usable output, with copy, download, or preview actions when supported.
- Privacy: Browser-side processing. The main tool logic does not call an external API, so inputs normally stay in the current tab.
- Save / share: Shareable URL state. Key settings are encoded in the URL so another person can reopen the same setup.
- Performance budget: Initial JS <= 22 KB. No WASM budget is declared, keeping the tool quick to open on mobile.
- Best fit: Encoding & Crypto · Developer. Category and role tags drive related tools, internal links, and quick fit checks.
How to use
1. Input: Paste or drop your content into the tool panel.
2. Process: Click the button. All processing is local in your browser.
3. Copy / Download: Copy the result or download to disk in one click.
How HTML Entity Encoder / Decoder fits into your work
Use it for quick browser-side encoding, decoding, hashing, token checks, and share-safe transformations.
Encoding jobs
- Checking small payloads, tokens, hashes, and encoded values quickly.
- Preparing values for APIs, URLs, docs, or support tickets.
- Avoiding account-based tools when the input might be sensitive.
Encoding checks
- Do not paste live secrets unless you are comfortable with local browser handling.
- Confirm whether the operation is reversible before sharing the result.
- For hashes, compare the exact algorithm and casing expected by the receiver.
Real-world use cases
Safely rendering user-submitted content in a CMS
A blog platform lets visitors post comments that include angle brackets and ampersands. Before storing or echoing user input into HTML, run it through "Dangerous only" encode. The five critical chars are replaced and <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt;, which renders as harmless text instead of executing.
Inserting typographic characters into HTML without font or charset risk
You want a true em dash (—) in a page heading, but your CMS strips "fancy" Unicode. Use hex or decimal encoding (&#x2014; or &#8212;) and the character arrives safely in any HTML context with no font fallback worries and no dependency on the document charset.
Cleaning double-escaped entities from a CMS export
You exported product descriptions from an old CMS and every apostrophe reads as &amp;#39;: already escaped once, then escaped again. Paste into decode mode twice: first pass collapses &amp;#39; → &#39;, second pass renders &#39; → '. Now the text is clean for re-import.
Common pitfalls
Double-encoding: if text already contains &amp; and you encode it again, you get &amp;amp;. Encode exactly once, at the point where untrusted input meets HTML output.
Encoding whole HTML documents in 'All non-ASCII' mode: this turns < into &lt; and destroys the markup structure. Encode only text values, never markup tags.
Trusting entity encoding alone for attribute security: inside href= you also need to validate the scheme (block javascript:); inside onclick= you need JS-escaping too. Entity encoding is necessary but not always sufficient for attributes.
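The encode-once rule, the double-encoding check and the href scheme check from the pitfalls above, as an added JavaScript example (not the tool's own source). The function names, the scheme allowlist and the example.invalid base URL are assumptions, and the decoder covers only the five "Dangerous only" characters rather than the full HTML5 entity table.

```javascript
// Added example, not the tool's own code; all names here are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const HTML_UNESCAPES = Object.fromEntries(
  Object.entries(HTML_ESCAPES).map(([ch, entity]) => [entity, ch])
);

// "Dangerous only" encoding: call exactly once, where untrusted text meets HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// One decode pass over those five entities only (not a full HTML5 decoder).
// replace() does not rescan its output, so "&amp;#39;" becomes "&#39;", not "'".
function unescapeHtmlOnce(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => HTML_UNESCAPES[m]);
}

// Number of decode passes until the text stops changing.
// A depth above 1 means the value was encoded more than once.
function encodingDepth(text, maxPasses = 5) {
  let current = String(text);
  for (let depth = 0; depth < maxPasses; depth += 1) {
    const next = unescapeHtmlOnce(current);
    if (next === current) return depth;
    current = next;
  }
  return maxPasses;
}

// Assumed allowlist; adjust to the schemes your application really links to.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Entity encoding cannot neutralise a javascript: URL, so validate the scheme
// first. The URL parser lower-cases the scheme and drops leading spaces, tabs
// and newlines the same way a browser does before it resolves the link.
function safeHrefAttribute(untrustedUrl, base = "https://example.invalid/") {
  let parsed;
  try {
    parsed = new URL(untrustedUrl, base);
  } catch {
    return null; // unparseable input is rejected
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return `href="${escapeHtml(parsed.href)}"`;
}

console.log(escapeHtml("<script>alert(1)</script>"));
console.log(encodingDepth("it&amp;#39;s"), safeHrefAttribute(" JavaScript:alert(1)"));
```

Relative inputs are resolved against the base, so the returned attribute always carries an absolute URL.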
Privacy
Everything runs in your browser. Your text is encoded or decoded locally using JavaScript string operations and a built-in entity lookup table, with no network request at any step. When you enable the shareable URL, the input and settings are written into the page URL so a link reproduces your state — so avoid pasting secrets, tokens, or sensitive HTML templates when you intend to share the link.