HTML Entity Encoder/Decoder

HTML entities are special text sequences representing characters that have special meaning in HTML or can't be typed directly. The less-than sign < must be written as < to prevent browsers interpreting it as a tag. Entities can be named (&), decimal (&), or hex (&) — all produce the same character.

Always encode when displaying user-generated content containing <, >, &, or quotes in HTML. Skipping this creates XSS (Cross-Site Scripting) vulnerabilities. The five mandatory encodes are: &→&, <→<, >→>, "→", '→'.

Named entities use aliases: & for &, © for ©. Numeric entities use the Unicode codepoint: & (decimal) or & (hex) for &. Named entities only cover a limited set; numeric entities work for any Unicode character.

Classic trick: create a textarea, set innerHTML to the encoded string, then read .value — the browser decodes automatically. function decodeEntities(s) { var t = document.createElement('textarea'); t.innerHTML = s; return t.value; } This tool uses the same technique.

Not necessarily. If your HTML document declares <meta charset="UTF-8"> and is served with Content-Type: text/html; charset=UTF-8, UTF-8 characters (like é, ñ, 中文) are fine as-is. You only need to encode characters with HTML meaning (< > & " '). The "Encode all non-ASCII" toggle is useful for legacy systems that can't handle multibyte characters.