HTML Entity Encoder

Escape and unescape HTML entities like &, < and ' in your browser — free, instant and private, nothing is uploaded.

100% in your browser — nothing you type is ever uploaded.

How to encode HTML entities

  1. Type or paste your text into the input box above.
  2. The escaped result appears instantly in the output box.
  3. Click Copy to copy the escaped string to your clipboard.

What this tool does

This tool escapes the five HTML-reserved characters — &, <, >, " and ' — into entity form (&amp;, &lt;, &gt;, &quot; and the numeric reference &#39;), so the text can be safely inserted into an HTML document without being parsed as markup.

Decode HTML entities back to text

Paste already-encoded HTML below to convert entities — including numeric ones like &#39; and &#x27; — back to literal characters.
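The encode and decode steps described above, as an added example that is not this tool's own source code. The names escapeHtml and unescapeHtml are hypothetical, and accepting &apos; as a fifth named entity when decoding is an assumption.

```javascript
// Added example: hypothetical helper names, not the tool's own source.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Assumption: &apos; is accepted on decode alongside the four names the encoder emits.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Encode in a single pass so an '&' produced by one replacement is never
// escaped a second time (chained replace() calls in the wrong order do that).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Decode in a single pass for the same reason: '&amp;lt;' must become the
// text '&lt;', not '<'. Unknown or malformed references are left untouched.
function unescapeHtml(text) {
  return String(text).replace(/&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z]+));/g,
    (match, dec, hex, name) => {
      if (name !== undefined) {
        return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
      }
      const code = dec !== undefined ? parseInt(dec, 10) : parseInt(hex, 16);
      // Leave NUL, surrogates and out-of-range values as literal text.
      if (code === 0 || code > 0x10ffff || (code >= 0xd800 && code <= 0xdfff)) {
        return match;
      }
      return String.fromCodePoint(code);
    });
}

// Constructed sample input: a user comment containing markup and quotes.
const comment = `<script>alert("hi")</script> Tom & Jerry's`;
const encoded = escapeHtml(comment);
console.log(encoded);
console.log(unescapeHtml(encoded) === comment);
```

Encoding text that is already encoded escapes its ampersands again, so each value should be encoded exactly once, at the point where it is written into HTML.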

Common reasons to escape HTML entities

  • Rendering user-submitted text (comments, usernames, form input) safely inside HTML.
  • Displaying a code snippet or markup example on a page without the browser executing it.
  • Preparing a string to be embedded inside an HTML attribute value.
  • Debugging why a page shows literal </> characters or a broken tag.

Related tools

  • URL Encode — escape text for safe use inside a URL instead of HTML.
  • Base64 Encode — convert text to Base64 for embedding in JSON, data URIs and more.

Frequently asked questions

Is my text uploaded anywhere?
No. Both encoding and decoding happen locally in your browser. Nothing you type is sent to a server.
Which characters get escaped?
The five characters that are meaningful in HTML markup: & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot;, and ' becomes &#39;. Everything else is left as-is.
Why do I need to escape these characters at all?
A browser treats < and > as the start and end of a tag, so unescaped user text containing them can break the page layout or, worse, let someone inject a working <script> tag (a cross-site scripting attack).
Does the decoder understand numeric entities like &#39;?
Yes. Alongside the five named entities, decoding also handles decimal (&#39;) and hexadecimal (&#x27;) numeric character references, converting them back to the original character.
Is escaping HTML entities enough to prevent XSS on its own?
Escaping the five reserved characters is the core building block of safe HTML output, but a production app should also use its templating engine's built-in auto-escaping and a Content-Security-Policy — don't rely on manual escaping alone for user-generated content.
Can I paste already-encoded HTML and decode it back?
Yes, use the decode box further down the page — paste text containing entities like &amp; or &#39; and it converts them back to literal characters.
Will this affect whitespace or line breaks in my text?
No. Only the five reserved characters (and, when decoding, entity references) are changed — spaces, tabs and line breaks pass through untouched.