HTML Entity Encoder & Decoder
Convert special characters to and from HTML entities. Local only.
What this tool does
HTML entity encoding replaces characters that have special meaning in HTML with
escape sequences so they render as literal text instead of being parsed as markup.
The five characters that always need encoding are &, <,
>, ", and '. This tool encodes
those (named-mode), or every special character as numeric references (numeric-mode),
or every non-ASCII character (all-mode, useful for older systems that mangle UTF-8).
Decoding reverses any of these. Everything happens in your browser.
How to use it
Paste your text into the input. Choose a mode: Named for the five
core entities (smaller output, more readable), Numeric for those
same five but as numeric references (more portable across HTML parsers),
or All non-ASCII numeric when you also want every accented or
non-Latin character escaped. Press Encode or Decode.
Example: encoding A & B in named mode produces
A &amp; B.
Common use cases
- Pasting code samples into a CMS or static-site source where HTML tags would otherwise render as elements.
- Safely embedding user-submitted text into HTML attributes or tag content (still preferable to use a templating engine that auto-escapes).
- Decoding entity-encoded text copied from a "view source" browser pane.
- Converting between named and numeric forms when integrating with a parser that only handles one variant.
- Producing email-safe content when the receiving client is known to mangle UTF-8.
Common pitfalls
- Double-encoding. Encoding already-encoded text turns &amp; into &amp;amp;. If you suspect input is already encoded, decode first and verify, then encode again only if needed.
- Attribute context vs text context. Inside an HTML attribute value, the quote character (matching the surrounding quote) must be encoded. Inside an attribute value, > may not strictly need encoding, but encoding it is still safe and predictable. When in doubt, encode all five core characters always.
- Entity encoding is not XSS prevention by itself. Just encoding the five core characters protects HTML text-content and most attribute uses, but not URL contexts (use URL encoding) or JavaScript contexts (use JS string escaping or a serializer). Auto-escaping at template render time is the right layer for security.
Frequently asked questions
- Why does & sometimes appear in URLs inside HTML?
- When URL parameters separated by & appear inside an HTML attribute value, the & must be encoded as &amp; so the HTML parser does not try to interpret it as the start of an entity. The encoded HTML still produces the correct URL when the link is followed; it is just escaped at the HTML layer.
- When should I use named entities versus numeric?
- Named entities (&amp; &lt; &gt; &quot; &apos;) are easier to read and write. Numeric entities (&#38; etc.) are more portable across HTML and XML parsers. The big five are universally supported as named; less common ones (like &lambda;) may not work in strict XML. When in doubt, prefer named for HTML readability.
- Is HTML entity encoding sufficient to prevent XSS?
- Only for HTML text-content and most attribute values, and only when applied uniformly. URL contexts (href, src) need URL encoding plus careful scheme handling (no javascript: URLs). JavaScript contexts (script tags, event handlers) need JS escaping. Auto-escaping at template render time, handled by your templating engine, is the right layer; manual entity encoding is a fallback.
- Why is &apos; not always recognized?
- &apos; is an XML entity and was not defined in HTML 4. HTML5 added it but older HTML parsers may not recognize it. The numeric form &#39; is universally supported. Modern browsers handle both.
- What is the difference between encodeURIComponent and HTML entity encoding?
- They serve different layers. URL percent-encoding handles characters with special meaning in URLs; HTML entity encoding handles characters with special meaning in HTML markup. A single character may need both: an & inside an href attribute first becomes %26 (URL-encoded as a parameter separator), then sometimes the & itself in the resulting URL becomes &amp; in the surrounding attribute.
- Does decoding here handle every HTML entity?
- This tool decodes the five common named entities (&amp; &lt; &gt; &quot; &apos;) plus all decimal numeric (&#NNN;) and hexadecimal numeric (&#xHHHH;) forms. Less common named entities like &eacute; or &lambda; are not in the lookup table and would need to be in numeric form to decode correctly.
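The three encode modes and the five-entity decoder described on this page, sketched in JavaScript as an added example (not this tool's own source). The function names are assumptions, and looksDoubleEncoded is a heuristic for the double-encoding pitfall listed above:

```javascript
// Added example, not the tool's source; all function names are hypothetical.
const NAMED = new Map([['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&apos;']]);
const DECODE_NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);

const numericRef = (ch) => `&#${ch.codePointAt(0)};`;

// mode: 'named' (five core, named), 'numeric' (five core, numeric),
// 'all' (five core plus every non-ASCII code point, numeric).
function encodeEntities(text, mode = 'named') {
  let out = '';
  for (const ch of text) { // iterates by code point, so astral characters stay whole
    if (NAMED.has(ch)) out += mode === 'named' ? NAMED.get(ch) : numericRef(ch);
    else if (mode === 'all' && ch.codePointAt(0) > 0x7f) out += numericRef(ch);
    else out += ch;
  }
  return out;
}

// One pass only: "&amp;lt;" decodes to "&lt;", never straight to "<".
// Named references outside the five-entry table are left untouched.
function decodeEntities(text) {
  return text.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] !== '#') return DECODE_NAMED.has(body) ? DECODE_NAMED.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // Keep NUL, surrogate and out-of-range references as literal text.
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : match;
  });
}

// Heuristic: references that survive one decode pass suggest the text was
// encoded twice. Text that legitimately discusses entities also trips it,
// so treat a hit as "inspect", not "auto-fix".
function looksDoubleEncoded(text) {
  const once = decodeEntities(text);
  return once !== text && decodeEntities(once) !== once;
}

// Constructed sample inputs.
console.log(encodeEntities('A & B'));                // named mode
console.log(encodeEntities('caf\u00e9 <b>', 'all')); // non-ASCII and core as numeric
console.log(looksDoubleEncoded('A &amp;amp; B'));
```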
Cite this tool
For academic, journalistic, or technical references.
Citations use 2026 as the publication year. Access date is left as a fillable placeholder where the citation style expects one.