HTML Entity Encoder
Escape and unescape HTML entities like &, < and ' in your browser — free, instant and private, nothing is uploaded.
100% in your browser — nothing you type is ever uploaded.
How to encode HTML entities
- Type or paste your text into the input box above.
- The escaped result appears instantly in the output box.
- Click Copy to copy the escaped string to your clipboard.
What this tool does
This tool escapes the five HTML-reserved characters — &, <, >, " and ' — into their named entity form (&amp;, &lt;, &gt;, &quot;, &apos;), so the text can be safely inserted into an HTML document without being parsed as markup.
Decode HTML entities back to text
Paste already-encoded HTML below to convert entities — including numeric ones like &#39; and &#x27; — back to literal characters.
Common reasons to escape HTML entities
- Rendering user-submitted text (comments, usernames, form input) safely inside HTML.
- Displaying a code snippet or markup example on a page without the browser executing it.
- Preparing a string to be embedded inside an HTML attribute value.
- Debugging why a page shows literal </> characters or a broken tag.
Related tools
- URL Encode — escape text for safe use inside a URL instead of HTML.
- Base64 Encode — convert text to Base64 for embedding in JSON, data URIs and more.
Frequently asked questions
- Is my text uploaded anywhere?
- No. Both encoding and decoding happen locally in your browser. Nothing you type is sent to a server.
- Which characters get escaped?
- The five characters that are meaningful in HTML markup: & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot;, and ' becomes &apos;. Everything else is left as-is.
- Why do I need to escape these characters at all?
- A browser treats < and > as the start and end of a tag, so unescaped user text containing them can break the page layout or, worse, let someone inject a working <script> tag (a cross-site scripting attack).
- Does the decoder understand numeric entities like &#39;?
- Yes. Alongside the five named entities, decoding also handles decimal (&#39;) and hexadecimal (&#x27;) numeric character references, converting them back to the original character.
- Is escaping HTML entities enough to prevent XSS on its own?
- Escaping the five reserved characters is the core building block of safe HTML output, but a production app should also use its templating engine's built-in auto-escaping and a Content-Security-Policy — don't rely on manual escaping alone for user-generated content.
- Can I paste already-encoded HTML and decode it back?
- Yes, use the decode box further down the page — paste text containing entities like &amp; or &#39; and it converts them back to literal characters.
- Will this affect whitespace or line breaks in my text?
- No. Only the five reserved characters (and, when decoding, entity references) are changed — spaces, tabs and line breaks pass through untouched.
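The escaping and decoding rules described on this page (five reserved characters out; named, decimal and hexadecimal references back), as an added JavaScript example. It is not this tool's own code: the function names escapeHtml and unescapeHtml are hypothetical and the sample string is constructed.

```javascript
// Added example, not the tool's source. Mapping follows the page's five named entities.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Escape in a single pass, so an "&" produced by one replacement
// is never escaped a second time by a later one.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Decode the five named entities plus decimal (&#39;) and hex (&#x27;) references.
// A single pass matters here too: "&amp;lt;" must decode to "&lt;", not to "<".
function unescapeHtml(text) {
  const ref = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g;
  return String(text).replace(ref, (match, body) => {
    if (body[0] !== "#") {
      // Unknown names are left untouched rather than guessed at.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === "x" || body[1] === "X";
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Leave NUL, surrogates and out-of-range values as-is instead of throwing.
    const valid = code > 0 && code <= 0x10ffff && !(code >= 0xd800 && code <= 0xdfff);
    return valid ? String.fromCodePoint(code) : match;
  });
}

// Constructed sample input containing all five reserved characters.
const sample = `<b>Tom & Jerry's "show"</b>`;
console.log(escapeHtml(sample));
console.log(unescapeHtml(escapeHtml(sample)) === sample);
```

Chained per-character replacements that handle & last (when escaping) or first (when decoding) are the usual source of double-encoded or over-decoded output; the single regular-expression pass avoids both.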