Skip to main content

HTML Entity Encoder & Decoder — Named, Decimal & Hex Output

Encode & decode all HTML5 entities — named, decimal, hex — XSS prevention and safe markup, 100% client-side

  • Runs locally
  • Category Encoding & Crypto
  • Best for Checking small payloads, tokens, hashes, and encoded values quickly.
Output format
Encode scope

What this tool does

Comprehensive HTML entity encoder and decoder. Convert special characters to named entities (& < >), decimal references (& <), or hex references (& <). Encode only XSS-dangerous chars or all non-ASCII. Decode any HTML5 named entity, numeric decimal, or hex reference back to plain text. Ships a searchable reference of 250+ HTML5 entities. 100% client-side — your content never leaves the browser.

Tool details

Input
Text + Numbers + Structured content
The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output
Live result + Copy + Preview
The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy
Browser-side processing
The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share
Shareable URL state
Key settings are encoded in the URL so another person can reopen the same setup.
Performance budget
Initial JS <= 22 KB
No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit
Encoding & Crypto · Developer
Category and role tags drive related tools, internal links, and quick fit checks.

How to use

  1. 1. Input

    Paste or drop your content into the tool panel.

  2. 2. Process

    Click the button. All processing is local in your browser.

  3. 3. Copy / Download

    Copy the result or download to disk in one click.

How HTML Entity Encoder / Decoder fits into your work

Use it for quick browser-side encoding, decoding, hashing, token checks, and share-safe transformations.

Encoding jobs

  • Checking small payloads, tokens, hashes, and encoded values quickly.
  • Preparing values for APIs, URLs, docs, or support tickets.
  • Avoiding account-based tools when the input might be sensitive.

Encoding checks

  • Do not paste live secrets unless you are comfortable with local browser handling.
  • Confirm whether the operation is reversible before sharing the result.
  • For hashes, compare the exact algorithm and casing expected by the receiver.

Good next steps

These links move the current task into a more complete workflow.

  1. 1 HTML Entities Encoder Encode/decode HTML entities — &amp; &lt; &gt; &quot; &#39; and all numeric refs — browser-only Open
  2. 2 URL Encoder / Decoder Encode and decode URL-unsafe characters — query strings, path segments, full URLs — instant, browser-only Open
  3. 3 Base64 Encoder & Decoder Encode or decode Base64 — text, files, and Data URLs. Runs entirely in your browser. Open

Real-world use cases

  • Safely rendering user-submitted content in a CMS

    A blog platform lets visitors post comments that include angle brackets and ampersands. Before storing or echoing user input into HTML, run it through "Dangerous only" encode. The five critical chars are replaced and <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt;, which renders as harmless text instead of executing.

  • Inserting typographic characters into HTML without font or charset risk

    You want a true em dash (—) in a page heading, but your CMS strips "fancy" Unicode. Use hex or decimal encoding — &#x2014; or &#8212; — and the character arrives safely in any HTML context with no font fallback worries and no dependency on the document charset.

  • Cleaning double-escaped entities from a CMS export

    You exported product descriptions from an old CMS and every apostrophe reads as &amp;#39; — already escaped once, then escaped again. Paste into decode mode twice: first pass collapses &amp;#39; → &#39;, second pass renders &#39; → '. Now the text is clean for re-import.

Common pitfalls

  • Double-encoding: if text already contains &amp; and you encode it again, you get &amp;amp;. Encode exactly once, at the point where untrusted input meets HTML output.

  • Encoding whole HTML documents in 'All non-ASCII' mode: this turns &lt; back into &#60; and destroys the markup structure. Encode only text values, never markup tags.

  • Trusting entity encoding alone for attribute security: inside href= you also need to validate the scheme (block javascript:); inside onclick= you need JS-escaping too. Entity encoding is necessary but not always sufficient for attributes.

Privacy

Everything runs in your browser. Your text is encoded or decoded locally using JavaScript string operations and a built-in entity lookup table, with no network request at any step. When you enable the shareable URL, the input and settings are written into the page URL so a link reproduces your state — so avoid pasting secrets, tokens, or sensitive HTML templates when you intend to share the link.

becomes <script>alert(1)</script>,\nwhich renders as harmless text instead of executing.\n"}},{"@type":"Question","name":"Inserting typographic characters into HTML without font or charset risk","acceptedAnswer":{"@type":"Answer","text":"You want a true em dash (—) in a page heading, but your CMS strips\n\"fancy\" Unicode. Use hex or decimal encoding — — or — —\nand the character arrives safely in any HTML context with no font\nfallback worries and no dependency on the document charset.\n"}},{"@type":"Question","name":"Cleaning double-escaped entities from a CMS export","acceptedAnswer":{"@type":"Answer","text":"You exported product descriptions from an old CMS and every apostrophe\nreads as &#39; — already escaped once, then escaped again. Paste\ninto decode mode twice: first pass collapses &#39; → ', second\npass renders ' → '. Now the text is clean for re-import.\n"}}]}

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Made by Toolora · 100% client-side · Updated 2026-07-01