🏷️ HTML Entity Converter – Encode & Decode
The HTML Entity Converter is a bidirectional tool that transforms plain text into HTML entity equivalents and converts HTML entities back to their original characters. Whether you need to safely embed user content in an HTML page, protect against XSS (cross-site scripting), or decode entities copied from a web page source, this converter handles it instantly in your browser — no data is sent to any server.
What Are HTML Entities?
HTML reserves certain characters for its own syntax — primarily <, >, &, ", and '. When these appear inside HTML content or attributes, the browser interprets them as markup rather than literal text. An HTML entity is an escaped representation that tells the browser to display the character without processing it as HTML. For example, &lt; renders as < in the browser.
Three Entity Formats
HTML supports three equivalent notations for any character:
| Format | Syntax | Example for < | When to Use |
|---|---|---|---|
| Named | &name; | &lt; | Human-readable, most common |
| Decimal | &#NNN; | &#60; | Any Unicode character, numeric |
| Hexadecimal | &#xHH; | &#x3C; | Unicode code points, compact |
When a character has no official named entity (such as most emoji or uncommon symbols), the tool automatically falls back to the decimal or hexadecimal form depending on your selected format.
Encode Scopes Explained
HTML-Unsafe Only (default)
Encodes only the five structurally significant characters: < > & " '. This is the minimum required to safely embed text inside an HTML document without breaking markup or enabling injection attacks.
Non-ASCII + HTML-Unsafe
Also converts accented letters, symbols, currency signs, arrows, and any character outside the US-ASCII range (code points > 127). Use this for maximum compatibility with older HTML parsers or ASCII-only transmission channels.
All Characters
Encodes every character in the input — including plain ASCII letters and digits. Produces a fully obfuscated, ASCII-safe output. Useful for email harvesting protection, educational demonstrations, or debugging encoding pipelines.
Common HTML Entities Reference
| Character | Named | Decimal | Hex | Description |
|---|---|---|---|---|
| < | &lt; | &#60; | &#x3C; | Less-than sign |
| > | &gt; | &#62; | &#x3E; | Greater-than sign |
| & | &amp; | &#38; | &#x26; | Ampersand |
| " | &quot; | &#34; | &#x22; | Double quotation mark |
| ' | &apos; | &#39; | &#x27; | Apostrophe |
| © | &copy; | &#169; | &#xA9; | Copyright sign |
| ® | &reg; | &#174; | &#xAE; | Registered sign |
| ™ | &trade; | &#8482; | &#x2122; | Trade mark sign |
| € | &euro; | &#8364; | &#x20AC; | Euro sign |
| — | &mdash; | &#8212; | &#x2014; | Em dash |
| … | &hellip; | &#8230; | &#x2026; | Ellipsis |
| → | &rarr; | &#8594; | &#x2192; | Rightwards arrow |
Decode Mode
In Decode mode the tool recognises and converts all three entity formats simultaneously — you can paste any mix of named, decimal, and hex entities and the tool will produce the correct original text. Malformed or unrecognised entities (e.g., &unknown; or &#xGHI;) are left unchanged and reported in the warnings panel, so you can spot problems quickly.
Security and XSS Prevention
Cross-site scripting (XSS) is one of the most common web vulnerabilities. It occurs when an attacker injects malicious HTML or JavaScript into a page by exploiting unencoded user input. Encoding <, >, &, ", and ' before rendering user-supplied content in HTML is the fundamental defence. Use this tool to verify your encoding logic or to quickly produce safe HTML snippets for templates, emails, and documentation.
Tips for Developers
- Use HTML-Unsafe Only scope for the most readable output while still protecting against injection — don't over-encode unless necessary.
- The Swap button lets you round-trip your data: encode it, then swap and decode to verify the original text is recovered correctly.
- Hex format is useful when working with code-point–aware tools or when the decimal form would be ambiguous (e.g., in CSS content values).
- For emoji and characters above U+FFFF, the tool emits a single entity (e.g., &#x1F389; for 🎉) rather than surrogate pairs — this is correct for HTML5.
- Always complement client-side encoding with a server-side sanitisation library in production applications.
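
The encode scopes, the three output formats and the decode behaviour described above, sketched in JavaScript as an added example (not the tool's own code). The function names, the trimmed named-entity table and the decimal fallback for characters without a name are assumptions.

```javascript
// Added example, not the tool's own code. All names here are hypothetical.
// Named-entity table trimmed to a few entries; the full HTML list is much longer.
const NAMED = new Map([['<', 'lt'], ['>', 'gt'], ['&', 'amp'], ['"', 'quot'],
                       ["'", 'apos'], ['©', 'copy'], ['€', 'euro']]);
// A Map (not a plain object) so "&constructor;" cannot hit Object.prototype.
const BY_NAME = new Map([...NAMED].map(([ch, name]) => [name, ch]));

// scope: 'unsafe' | 'nonascii' | 'all'    format: 'named' | 'decimal' | 'hex'
function encodeEntities(text, scope = 'unsafe', format = 'named') {
  let out = '';
  for (const ch of text) {              // iterates by code point, so an emoji is one step
    const cp = ch.codePointAt(0);
    const unsafe = '<>&"\''.includes(ch);
    const wanted = scope === 'all' || unsafe || (scope === 'nonascii' && cp > 127);
    if (!wanted) out += ch;
    else if (format === 'named' && NAMED.has(ch)) out += `&${NAMED.get(ch)};`;
    else if (format === 'hex') out += `&#x${cp.toString(16).toUpperCase()};`;
    else out += `&#${cp};`;             // decimal; assumed fallback when no name exists
  }
  return out;
}

// Decodes all three formats in one pass. Anything unrecognised or malformed is
// kept verbatim and listed in warnings.
function decodeEntities(text) {
  const warnings = [];
  const pattern = /&(#[xX]?[0-9A-Za-z]+|[A-Za-z][A-Za-z0-9]*);/g;
  const decoded = text.replace(pattern, (match, body) => {
    if (body[0] !== '#') {
      if (BY_NAME.has(body)) return BY_NAME.get(body);
    } else {
      const hex = /^#[xX]/.test(body);
      const digits = body.slice(hex ? 2 : 1);
      const valid = (hex ? /^[0-9a-fA-F]+$/ : /^[0-9]+$/).test(digits);
      const cp = valid ? parseInt(digits, hex ? 16 : 10) : NaN;
      const surrogate = cp >= 0xD800 && cp <= 0xDFFF;
      if (cp > 0 && cp <= 0x10FFFF && !surrogate) return String.fromCodePoint(cp);
    }
    warnings.push(match);
    return match;
  });
  return { text: decoded, warnings };
}

// Constructed sample input exercising all five HTML-unsafe characters.
const sample = `<b title="Tom & Jerry's">`;
console.log(encodeEntities(sample));
console.log(decodeEntities('&lt;b&gt; &#60; &#x3C; &unknown; &#xGHI; &constructor;'));
```

Entity encoding of this kind protects HTML text content and quoted attribute values only. Data placed inside script blocks, URLs or CSS needs the encoding specific to that context.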