HTML Encoder & Decoder — Encode HTML Entities Online Free
Our free HTML Encoder & Decoder tool lets you instantly convert special characters to HTML entities and vice versa. Whether you need to prevent XSS vulnerabilities, display code snippets safely, or handle special characters in your web content, this tool makes encoding and decoding HTML entities effortless. No registration required — paste your text, click encode or decode, and copy the result.
What Are HTML Entities?
HTML entities are special character sequences that represent characters which have reserved meanings in HTML. Since characters like <, >, and & are used as part of HTML syntax, they cannot be directly included in content without causing parsing issues. HTML entities solve this problem by providing alternative representations.
Every HTML entity begins with an ampersand (&) and ends with a semicolon (;). They come in two forms: named entities (like & for &) and numeric entities using Unicode code points (like & for & or & for the hexadecimal version).
The HTML specification defines hundreds of named entities covering everything from basic symbols to mathematical operators, Greek letters, arrows, and special typographic characters. Understanding and properly using these entities is fundamental to creating robust, secure, and correctly-rendered web pages.
Why Encode HTML? Security & Display
XSS Prevention
Cross-Site Scripting (XSS) remains one of the most common web security vulnerabilities. Attackers exploit unencoded user input to inject malicious JavaScript code into web pages. When a browser encounters <script>alert('hacked')</script> in page content, it executes the script if the characters aren't properly encoded.
By encoding all user-supplied content before rendering it in HTML, you neutralize potential attack vectors. The encoded version <script> is displayed as text rather than executed as code, effectively blocking the attack while still showing the content to users.
Displaying Special Characters
Beyond security, HTML encoding is essential for correctly displaying characters that conflict with HTML syntax. If you want to show a less-than sign (<) or an ampersand (&) in your content, you must use their entity equivalents. Without encoding, browsers may interpret these characters as HTML tags or entity beginnings, causing broken layouts.
Encoding is also necessary for characters not available on standard keyboards — such as copyright symbols (©), trademark signs (™), em dashes (—), and various currency symbols (€, £, ¥). HTML entities provide a reliable, cross-platform way to include these characters.
Common HTML Entities Reference Table
Below is a comprehensive table of the most frequently used HTML entities that every web developer should know:
| Character | Named Entity | Numeric Entity | Description |
|---|---|---|---|
| & | & | & | Ampersand |
| < | < | < | Less than |
| > | > | > | Greater than |
| " | " | " | Double quote |
| ' | ' | ' | Apostrophe |
|   | Non-breaking space | |
| © | © | © | Copyright |
| ® | ® | ® | Registered |
| ™ | ™ | ™ | Trademark |
| € | € | € | Euro sign |
| £ | £ | £ | Pound sign |
| ¥ | ¥ | ¥ | Yen sign |
| ¢ | ¢ | ¢ | Cent sign |
| — | — | — | Em dash |
| – | – | – | En dash |
| • | • | • | Bullet |
| … | … | … | Horizontal ellipsis |
| † | † | † | Dagger |
| ‡ | ‡ | ‡ | Double dagger |
| § | § | § | Section sign |
| ¶ | ¶ | ¶ | Paragraph sign |
| ° | ° | ° | Degree sign |
| ± | ± | ± | Plus-minus |
| × | × | × | Multiplication |
| ÷ | ÷ | ÷ | Division |
| ← | ← | ← | Left arrow |
| → | → | → | Right arrow |
| ↑ | ↑ | ↑ | Up arrow |
| ↓ | ↓ | ↓ | Down arrow |
| ∞ | ∞ | ∞ | Infinity |
| ≠ | ≠ | ≠ | Not equal |
| ≤ | ≤ | ≤ | Less than or equal |
| ≥ | ≥ | ≥ | Greater than or equal |
URL Encoding vs HTML Encoding
While both are encoding mechanisms for web content, URL encoding and HTML encoding serve fundamentally different purposes and should not be confused:
| Feature | HTML Encoding | URL Encoding |
|---|---|---|
| Purpose | Safe display in HTML content | Safe transmission in URLs |
| Format | &entity; or &#number; | %hexcode |
| Space | or | %20 or + |
| Ampersand | & | %26 |
| Use Case | Web page content, attributes | Query strings, path segments |
| Standard | HTML/XML specification | RFC 3986 |
A common mistake is using URL encoding where HTML encoding is needed, or vice versa. For example, using %26 inside HTML content will display as literal "%26" rather than an ampersand. Always match your encoding type to the context where the text will appear.
How HTML Encoding Works
The HTML encoding process scans through your text character by character, identifying any characters that need to be replaced with their entity equivalents. The five mandatory characters to encode are &, <, >, ", and '. Additional characters may be encoded depending on the context — for example, encoding non-ASCII characters ensures compatibility across all character encodings.
Modern frameworks and templating engines typically handle encoding automatically. React escapes content in JSX by default, preventing XSS. PHP offers htmlspecialchars() and htmlentities(). JavaScript provides no built-in function, but libraries and the DOM API's textContent property handle it safely. Despite these safeguards, understanding manual encoding remains crucial for debugging, working with raw HTML, and handling edge cases.
Best Practices for HTML Encoding
- Always encode user input — Never trust user-supplied data. Encode all content from forms, URL parameters, cookies, and external APIs before inserting into HTML.
- Encode based on context — Different contexts (HTML body, attributes, JavaScript, CSS) require different encoding rules. Use context-appropriate encoding functions.
- Use framework defaults — Modern frameworks like React, Angular, and Vue encode by default. Avoid bypassing these protections (e.g., dangerouslySetInnerHTML) unless absolutely necessary.
- Don't double-encode — Encoding already-encoded text produces garbled output like &amp;. Check if content is already encoded before processing.
- Prefer named entities for readability — When writing HTML by hand, use named entities like © instead of © for better code readability.
- Test with special characters — Always test your encoding with edge cases: multi-byte characters, emoji, right-to-left text, and null bytes.
Frequently Asked Questions
What are HTML entities?
HTML entities are special codes used to represent characters that have special meaning in HTML. For example, & represents &, < represents <, and > represents >. They allow you to safely display these characters in web pages without the browser interpreting them as HTML code. Entities begin with an ampersand and end with a semicolon.
Why do I need to encode HTML?
HTML encoding is essential for two main reasons: preventing Cross-Site Scripting (XSS) attacks by neutralizing malicious scripts injected through user input, and correctly displaying special characters that would otherwise be interpreted as HTML markup by the browser. Without encoding, characters like < and > would be treated as tag delimiters.
What is the difference between HTML encoding and URL encoding?
HTML encoding converts characters to HTML entities (like & for &) for safe display in web pages. URL encoding converts characters to percent-encoded format (like %20 for space) for safe transmission in URLs. They serve different purposes and use different encoding schemes — always match the encoding to the context.
Which characters must be encoded in HTML?
The five characters that must always be encoded in HTML are: & (ampersand) as &, < (less than) as <, > (greater than) as >, " (double quote) as ", and ' (apostrophe) as ' or '. Additional characters should be encoded when outside the ASCII range or in specific contexts like attribute values.
Can I encode entire HTML documents?
Yes, you can encode entire HTML documents or code snippets. This is useful when you want to display HTML source code on a web page without the browser rendering it, such as in code tutorials, documentation, or content management systems. The entire markup becomes visible as text rather than being rendered.
What is XSS and how does encoding prevent it?
XSS (Cross-Site Scripting) is a security vulnerability where attackers inject malicious scripts into web pages viewed by other users. HTML encoding prevents XSS by converting special characters like < and > into harmless entities (< and >), so injected scripts are displayed as text rather than executed by the browser.
What are named vs numeric HTML entities?
Named entities use readable names like & or ©, while numeric entities use Unicode code points like & (decimal) or & (hexadecimal). Named entities are more readable but limited to predefined characters, while numeric entities can represent any Unicode character. Both are equally valid in HTML.
Is HTML encoding the same as HTML escaping?
Yes, HTML encoding and HTML escaping are essentially the same thing. Both refer to the process of converting special characters to their HTML entity equivalents so they are safely displayed in web pages without being interpreted as code. The terms are used interchangeably in the web development community.