HTML Entity Encoder & Decoder
Safely encode special HTML characters to their entity equivalents, or decode them back to plain text — XSS-safe, instant, and 100% in your browser.
What are HTML Entities?
HTML entities are special character sequences used in HTML to represent characters that have reserved meaning in the HTML specification — or characters that cannot be typed directly in source code. They always start with an ampersand (&) and end with a semicolon (;).
There are three forms of HTML entity:
- Named entity `&lt;`: A human-readable name defined in the HTML specification (e.g., `&lt;` for <).
- Decimal numeric entity `&#60;`: A decimal Unicode code point prefixed with # (e.g., `&#60;` for <).
- Hexadecimal numeric entity `&#x3C;`: A hex Unicode code point prefixed with #x (e.g., `&#x3C;` for <).
Why Encode HTML? XSS Prevention Explained
Cross-Site Scripting (XSS) is one of the most prevalent web security vulnerabilities. It occurs when an attacker injects malicious JavaScript into a web page that other users view — allowing cookie theft, session hijacking, and defacement.
The Attack Vector
If a web application accepts user input and renders it directly into HTML without encoding, an attacker can submit a payload like <script>document.cookie</script> which the browser will execute as real JavaScript.
The Fix: Output Encoding
By encoding the output before rendering, the dangerous < and > characters become `&lt;` and `&gt;`, which the browser displays as literal text instead of executing as markup.
About This Tool's Safety
Our encoder and decoder use a pure TypeScript character-by-character mapping with no innerHTML, no eval, and no DOM manipulation. The output can be safely embedded into HTML templates without risk of executing malicious code.
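The character-by-character mapping described above, together with decoding of the three entity forms, as an added TypeScript example; it is not this tool's own source code. The names `ENCODE`, `NAMED`, `encodeHtml` and `decodeHtml`, and the eight-entry named-entity table, are assumptions made for the example.

```typescript
// Added example. Characters that change meaning in HTML text and quoted attributes.
const ENCODE = new Map<string, string>([
  ["&", "&amp;"], ["<", "&lt;"], [">", "&gt;"], ['"', "&quot;"],
  ["'", "&#39;"], ["/", "&#47;"], ["`", "&#96;"], ["=", "&#61;"],
]);

// Named entities the decoder knows; a subset chosen for this example.
const NAMED = new Map<string, string>([
  ["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"],
  ["nbsp", "\u00A0"], ["copy", "\u00A9"], ["euro", "\u20AC"],
]);

// "&" is in the map, so entity-like input such as "&lt;" is escaped again
// ("&amp;lt;") and is shown to the reader exactly as it was typed.
function encodeHtml(input: string): string {
  return input.replace(/[&<>"'\/`=]/g, (ch: string): string => ENCODE.get(ch) ?? ch);
}

// Decodes named, decimal and hexadecimal references in one pass; replaced text
// is never rescanned, so "&amp;lt;" yields "&lt;" and not "<".
function decodeHtml(input: string): string {
  const ref = /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([A-Za-z][A-Za-z0-9]*));/g;
  return input.replace(ref, (match: string, dec?: string, hex?: string, name?: string): string => {
    // Map lookup: names such as "constructor" cannot hit Object.prototype.
    if (name !== undefined) return NAMED.get(name) ?? match; // unknown name: keep as text
    const cp = dec !== undefined ? parseInt(dec, 10) : parseInt(hex ?? "", 16);
    // NUL, surrogates and values past U+10FFFF become U+FFFD, as in HTML parsing.
    const invalid = !(cp > 0 && cp <= 0x10ffff) || (cp >= 0xd800 && cp <= 0xdfff);
    return invalid ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

console.log(encodeHtml("<script>document.cookie</script>"));
console.log(decodeHtml("&lt; &#60; &#x3C;"));
```

The encoded output is meant for HTML element content and quoted attribute values. Values placed inside script blocks, URLs or CSS need the encoding that matches that context.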
Common HTML Entities Cheat Sheet
These are the characters most critical to encode when rendering user-supplied content in HTML:
| Character | Description | Named Entity | Numeric Entity |
|---|---|---|---|
| < | Less-than sign (open tag) | `&lt;` | `&#60;` |
| > | Greater-than sign (close tag) | `&gt;` | `&#62;` |
| & | Ampersand (entity start) | `&amp;` | `&#38;` |
| " | Double quote (attr value) | `&quot;` | `&#34;` |
| ' | Single quote / apostrophe | `&apos;` | `&#39;` |
| / | Forward slash | `&sol;` | `&#47;` |
| ` | Backtick | `&grave;` | `&#96;` |
| = | Equals sign | `&equals;` | `&#61;` |
|   | Non-breaking space | `&nbsp;` | `&#160;` |
| © | Copyright symbol | `&copy;` | `&#169;` |
| ® | Registered trademark | `&reg;` | `&#174;` |
| ™ | Trademark symbol | `&trade;` | `&#8482;` |
| € | Euro sign | `&euro;` | `&#8364;` |
| £ | Pound sterling | `&pound;` | `&#163;` |
| — | Em dash | `&mdash;` | `&#8212;` |
| … | Ellipsis | `&hellip;` | `&#8230;` |