🔣 HTML Entity Encoder and Decoder

Q: Which characters must I escape in HTML?

Five characters are reserved: the ampersand (&), the less-than sign ( ), the double quote ("), and the single quote ('). Escaping these covers most cases; other characters are optional.

By ToolNimba Editorial Team · Updated 2026-06-19

Text to encode

Encode all non-ASCII characters too (accents, emoji, symbols) Use named entities where possible (© over ©)

Encoded HTML

Type some text and press Encode.

This HTML entity encoder and decoder converts text to safe HTML entities and back again. Encoding turns characters that have meaning in markup, such as the less-than sign, the ampersand, and quotation marks, into entities like < and & so a browser renders them as literal text rather than treating them as code. Decoding does the reverse, turning entities back into the characters they stand for. Everything runs in your browser, so the text you paste never leaves your device.

What is the HTML Entity Encoder?

HTML entities are short codes that represent a character without typing the character itself. They exist because a handful of characters are reserved: the browser reads a less-than sign as the start of a tag and an ampersand as the start of an entity. If you want those characters to appear on screen as ordinary text, you have to write them as entities instead, for example < for < and & for &. The same trick lets you include characters that are hard to type or that might not survive a particular file encoding, such as a copyright sign or an em dash.

Every entity comes in three forms. A named entity uses a memorable label, like © for the copyright sign. A decimal numeric entity uses the character's Unicode code point in base ten, like © for the same sign. A hexadecimal numeric entity uses the code point in base sixteen, like ©. All three produce the identical character. Named entities read more clearly but only a few hundred names exist, so numeric entities are the universal fallback for anything else, including emoji.

When you encode, you usually only need to escape the five characters that are special in HTML: the ampersand, the less-than and greater-than signs, and the two kinds of quotation mark. Encoding more than that is optional. This tool can also encode every non-ASCII character, which is handy when a system can only safely transmit plain ASCII. When you decode, the order matters: the ampersand must be turned back last, or you risk double-decoding. This tool uses the browser's own parser to decode, so all named, decimal, and hexadecimal entities resolve correctly in one pass.

When to use it

Displaying example HTML or code on a web page so the tags show as text instead of rendering.
Escaping user-supplied text before inserting it into a page, to help prevent broken layout and injection.
Cleaning up content pasted from a CMS or email where characters arrived as raw entities like &amp;.
Encoding accented names or symbols into ASCII-safe entities for an older system or a strict data feed.

How to use the HTML Entity Encoder

Choose Encode to turn text into entities, or Decode to turn entities back into text.
Paste or type your content into the input box.
For encoding, optionally tick "Encode all non-ASCII" and choose whether to prefer named entities.
Read the result, then press Copy to put it on your clipboard. Use Swap to feed the result back as new input.

Formula & method

Encode: replace each reserved character with its entity, e.g. & → &, < → <, > → >, " → ", ' → '. A numeric entity is &#N; (decimal) or &#xH; (hex) where N or H is the Unicode code point.

Worked examples

Showing a snippet of HTML as text: <a href="x">Go</a>

Escape each reserved character left to right.
< becomes < and > becomes >
The double quotes become "
There is no & in the snippet, so nothing else changes.

Result: <a href="x">Go</a>

The copyright sign © is code point 169, which has the name ©
The space and digits are plain ASCII, so they stay as they are.
The é in Café is code point 233 (hex E9) with no common name, so it becomes é

Decoding 5 > 3 && 2 < 4 back to plain text.

> resolves to >
< resolves to <
Each & resolves to a single &

Result: 5 > 3 && 2 < 4

The five reserved HTML characters and their entities

Character	Named entity	Decimal	Hex
&	&	&	&
<	<	<	<
>	>	>	>
"	"	"	"
'	' or '	'	'

Common symbol entities

Symbol	Named entity	Decimal	Hex
© copyright	©	©	©
® registered	®	®	®
™ trademark	™	™	™
€ euro	€	€	€
£ pound	£	£	£
non-breaking space
— em dash	—	—	—

Common mistakes to avoid

Encoding the ampersand twice. If you encode text that already contains entities, &copy; turns into &amp;copy; and shows on the page as © instead of the symbol. Decode first, or only encode raw text.
Using ' in old HTML. The named entity ' for the apostrophe is valid in XHTML and HTML5 but not in HTML4. For the widest compatibility, the numeric ' is safer, which is why this tool outputs '.
Forgetting the trailing semicolon. An entity must end with a semicolon, like &. Writing &amp without it may still render in some browsers but is technically invalid and can break parsing.
Relying on encoding alone for security. Escaping the five reserved characters helps prevent broken markup, but safe output depends on context (HTML body, attribute, URL, script). Use the right encoding for each context, not just one blanket pass.

Glossary

HTML entity: A code that represents a single character, written as an ampersand, a name or number, and a semicolon, such as & or &.
Reserved character: A character that has special meaning in HTML and must be escaped to appear as text: & < > " and '.
Code point: The numeric identifier Unicode assigns to a character, for example 169 for the copyright sign.

Frequently asked questions

What does an HTML entity encoder do?

It converts characters that have special meaning in HTML, such as <, >, &, and quotes, into entity codes like < and & so they display as literal text instead of being read as markup. It can also turn entities back into plain characters.

Which characters must I escape in HTML?

Five characters are reserved: the ampersand (&), the less-than sign (<), the greater-than sign (>), the double quote ("), and the single quote ('). Escaping these covers most cases; other characters are optional.

What is the difference between named and numeric entities?

A named entity uses a label, like ©, while a numeric entity uses the character code, like © (decimal) or © (hex). They produce the same character; named entities are easier to read but limited in number.

How do I decode HTML entities back to text?

Switch this tool to Decode and paste the text. It resolves named, decimal, and hexadecimal entities in one pass using the browser parser, so &copy; becomes © and &amp; becomes a single ampersand.

Is it safe to paste sensitive text here?

Yes. All encoding and decoding happens locally in your browser with plain JavaScript. Nothing is uploaded, sent over the network, or stored, so the text never leaves your device.

Does this prevent cross-site scripting (XSS)?

Escaping the reserved characters reduces the risk of injected markup, but full protection depends on encoding for the correct context (HTML body, attribute, URL, or script) and other defenses. Treat this tool as one helpful step, not a complete security solution.