HTML Entities
Encode HTML-sensitive characters to named or numeric entities, and decode entity-escaped text. Browser-only.
About this tool
HTML entities let you include characters that would otherwise be interpreted as markup — or that can’t be typed directly — inside HTML content. The five most common named entities cover the characters that break HTML when left raw: &, <, >, ", and '.
Named mode produces concise output using named references for the five core characters, plus numeric escapes for any non-ASCII characters. Numeric mode produces &#N; escapes for everything non-ASCII or HTML-significant — useful when you need to be certain a string will round-trip through old systems that don’t recognize every named entity.
Decoding uses the browser’s HTML parser, which recognizes every standard entity — named or numeric, decimal or hexadecimal.
Frequently asked questions
What is the difference between named and numeric entities?
Named entities like &lt;, &amp;, &quot; are human-readable shortcuts defined by HTML. Numeric entities like &#60;, &#38; reference characters by their Unicode code point. Numeric entities are safer for arbitrary characters; named entities are more readable for the common ones.
Which characters does the encoder escape?
In named mode: & < > " '. In numeric mode: those same characters plus ASCII control characters and all non-ASCII characters, for maximum compatibility in older or constrained environments.
Does the decoder handle all HTML entities?
Yes. Decoding uses the browser’s HTML parser, which recognizes all standard named entities (over 2,000) and both decimal and hexadecimal numeric entities.
Can I use this to sanitize user input for XSS prevention?
Encoding HTML-significant characters is one component of XSS defense, but safe output requires escaping for the exact context (HTML body, attribute, URL, JavaScript). Use a library or framework with a context-aware escaping API for production sanitization.
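The two encoder modes described earlier, together with the URL-context point from this answer, as an added JavaScript example that is not this tool's source code. The function names, the use of &apos; for the apostrophe, and the scheme allow-list are assumptions.

```javascript
// Added example, not this tool's source; function names are hypothetical.
// Assumption: the apostrophe is emitted as &apos; (the page does not say).
const NAMED = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Numeric reference for one character, by Unicode code point.
// A lone surrogate is not a valid reference target, so U+FFFD is emitted instead.
function numericRef(ch) {
  const cp = ch.codePointAt(0);
  return `&#${cp >= 0xd800 && cp <= 0xdfff ? 0xfffd : cp};`;
}

const isAsciiControl = (cp) => cp < 0x20 || cp === 0x7f;

// Named mode: five named references, numeric escapes for non-ASCII.
function encodeNamed(input) {
  let out = '';
  for (const ch of input) { // for...of walks code points, not UTF-16 units
    if (NAMED[ch]) out += NAMED[ch];
    else out += ch.codePointAt(0) > 0x7f ? numericRef(ch) : ch;
  }
  return out;
}

// Numeric mode: &#N; for the five characters, ASCII controls, and non-ASCII.
function encodeNumeric(input) {
  let out = '';
  for (const ch of input) {
    const cp = ch.codePointAt(0);
    const escape = Boolean(NAMED[ch]) || isAsciiControl(cp) || cp > 0x7f;
    out += escape ? numericRef(ch) : ch;
  }
  return out;
}

// URL context: entity encoding leaves a URL's scheme untouched, so an href
// value is checked against a scheme allow-list first, then attribute-encoded.
function hrefAttribute(url) {
  let scheme;
  try {
    scheme = new URL(url, 'https://example.invalid/').protocol;
  } catch {
    return null; // unparseable input is rejected
  }
  if (!['http:', 'https:', 'mailto:'].includes(scheme)) return null;
  return `href="${encodeNamed(url)}"`;
}
```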
Is my input sent to your servers?
No. Encoding and decoding happen entirely in your browser.