Developer

HTML Entity Encoder / Decoder

Turn <, >, &, and quotes into safe HTML entities so your text shows up as text — not as tags — then decode them back whenever you need the raw characters. Runs locally in your browser.

Entity-encoded
&lt;a href=&quot;x&quot;&gt;Tom &amp; &quot;Jerry&quot;&lt;/a&gt;

How it works

A handful of characters are special in HTML. Drop a raw < into a page and the browser starts reading a tag; an unescaped & can swallow the text that follows it. Escaping replaces each of those with a named or numeric entity like &lt; or &amp; so it displays literally.

Encode mode converts the five characters that matter most — &, <, >, double quote, and single quote — into their entity forms. Decode mode reverses that, and also understands numeric entities like &#39; and hex forms like &#x27;, turning them back into the original character.

This is about safe display, not security on its own. Escaping user input before it hits the page is a core defense against injected markup, but always pair it with the right context-aware handling in your actual app.

Frequently asked questions

Which characters actually need escaping?

In page content, & and < are the critical ones. Inside attribute values you also want to escape quotes so a value can't break out of its wrapper. This tool escapes all five to keep output safe in both spots.

Will it decode entities I didn't create here?

It handles the common named entities plus numeric decimal (&#39;) and hex (&#x27;) forms, so most entities you paste from real HTML will decode cleanly back to characters.

Can I rely on this to sanitize untrusted input?

Escaping is one important layer, but real sanitization depends on where the data lands — an attribute, a script, a URL. Use this to understand and transform entities, and lean on your framework's context-aware escaping in production.