HTML Encoder / Decoder
Escape or unescape HTML entities like &amp;amp;, &amp;lt;, &amp;gt;.
Overview
Convert text containing reserved HTML characters into entity form (< -> &amp;lt;) or decode entity-laden HTML back to plain text. Handles the named entities (&amp;amp;, &amp;nbsp;, &amp;copy;), numeric entities (&amp;#65;), and hex entities (&amp;#x41;) so anything browser-readable round-trips cleanly.
It's for developers who paste HTML into JSON payloads, embed code samples in markdown, or debug template engines that double-encode their output. Reach for it when a &amp;lt; is showing up literally in rendered output, when escaping a code sample for a CMS, or when a server log has &amp;amp;amp; and you need to find the real source string.
How it works
The HTML5 spec defines a character reference table with several thousand named entities (&amp;amp;, &amp;copy;, &amp;hearts;) plus numeric (&amp;#123;) and hex (&amp;#x7B;) forms. Encoding replaces the five reserved characters (<, >, &, ", ') with named entities; everything else is left as-is unless aggressive mode is selected, which also escapes non-ASCII to numeric form.
Decoding is more forgiving - it accepts named entities (including the long tail like &amp;ndash;), numeric, and hex forms, and tolerates missing trailing semicolons where unambiguous.
Examples
- Encode reserved characters: <a href="x">Y & Z</a> -> &amp;lt;a href=&amp;quot;x&amp;quot;&amp;gt;Y &amp;amp; Z&amp;lt;/a&amp;gt;
- Decode named entity: Caf&amp;eacute; -> Café
- Numeric decode: &amp;#9731; -> ☃ (snowman emoji)
- Double-encoded source: AT&amp;amp;amp;T -> AT&amp;amp;T -> AT&T
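The encode, aggressive-mode, lenient-decode and double-encoding behaviour described above, sketched with Python's standard `html` module as an added example (not this tool's own code). The function names `encode`, `decode` and `decode_layers` and the sample strings are constructed for illustration.

```python
import html


def encode(text: str, aggressive: bool = False) -> str:
    """Escape the five reserved characters; optionally escape non-ASCII too."""
    # html.escape emits &amp; &lt; &gt; &quot; and, for the apostrophe,
    # the hex reference &#x27; rather than the named &apos;.
    out = html.escape(text, quote=True)
    if aggressive:
        # "Aggressive mode": every non-ASCII character becomes a decimal reference.
        out = "".join(c if ord(c) < 128 else f"&#{ord(c)};" for c in out)
    return out


def decode(text: str) -> str:
    """Decode named, decimal and hex references using the HTML5 rules,
    including legacy names written without a trailing semicolon (e.g. &lt)."""
    return html.unescape(text)


def decode_layers(text: str, max_rounds: int = 5) -> list[str]:
    """Decode repeatedly and return every stage, original first.

    len(result) - 1 is the number of encoding layers peeled off. The round
    cap keeps the loop bounded on hostile or very deeply nested input.
    """
    stages = [text]
    for _ in range(max_rounds):
        nxt = decode(stages[-1])
        if nxt == stages[-1]:  # stable: nothing left to decode
            break
        stages.append(nxt)
    return stages


if __name__ == "__main__":
    # Constructed samples mirroring the examples on this page.
    print(encode('<a href="x">Y & Z</a>'))
    print(encode("Café", aggressive=True))
    print(decode("&lt;b&gt"))  # missing final semicolon is tolerated
    for i, stage in enumerate(decode_layers("AT&amp;amp;T")):
        print(f"layer {i}: {stage}")
```

Decoding until the string stops changing also collapses text that legitimately contained a literal `&amp;`, so treat the layer count as a hint about double-encoding rather than proof of the original source string.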
FAQ
Why escape ' and "?
Inside HTML attribute values, the quote that delimits the value must be escaped. Most encoders escape both for safety regardless of context.
What's the difference between &amp;apos; and &amp;#39;?
&amp;apos; is an XML entity, not part of HTML 4. HTML5 added it but for maximum compatibility prefer &amp;#39; (numeric) in HTML output.
Should I use named or numeric entities?
Named entities (&amp;copy;) are more readable; numeric entities (&amp;#169;) are universally supported and shorter for some characters. Choose by audience and tooling.
Does this prevent XSS?
HTML-encoding user input is one layer of defence, but XSS protection depends on the context (HTML body, attribute, URL, JS). Use a context-aware encoder in production code.