HTML Entity Encoder / Decoder
Turn <, >, &, and quotes into safe HTML entities so your text shows up as text — not as tags — then decode them back whenever you need the raw characters. Runs locally in your browser.
How it works
A handful of characters are special in HTML. Drop a raw < into a page and the browser starts reading a tag; an unescaped & can swallow the text that follows it. Escaping replaces each of those with a named or numeric entity like < or & so it displays literally.
Encode mode converts the five characters that matter most — &, <, >, double quote, and single quote — into their entity forms. Decode mode reverses that, and also understands numeric entities like ' and hex forms like ', turning them back into the original character.
This is about safe display, not security on its own. Escaping user input before it hits the page is a core defense against injected markup, but always pair it with the right context-aware handling in your actual app.
Frequently asked questions
Which characters actually need escaping?
In page content, & and < are the critical ones. Inside attribute values you also want to escape quotes so a value can't break out of its wrapper. This tool escapes all five to keep output safe in both spots.
Will it decode entities I didn't create here?
It handles the common named entities plus numeric decimal (') and hex (') forms, so most entities you paste from real HTML will decode cleanly back to characters.
Can I rely on this to sanitize untrusted input?
Escaping is one important layer, but real sanitization depends on where the data lands — an attribute, a script, a URL. Use this to understand and transform entities, and lean on your framework's context-aware escaping in production.