HTML Entity Encoder/Decoder

Encode special characters to HTML entities or decode HTML entities back to characters.

Input

Common Entities

& → &
< to &lt;
> to &gt;
" → "
© → ©
® → ®
€ → €
£ → £
• → •

Encoded HTML

<div class=&quot;example&quot;>Hello & Welcome!</div>

Preview Rendered

Hello & Welcome!

Entity Reference

&&
<<
>>
"&quot;
'&#39;
&nbsp;
©&copy;
®&reg;
&trade;
&euro;
£&pound;
¥&yen;
¢&cent;
§&sect;
°&deg;
±&plusmn;
×&times;
÷&divide;
&bull;
&hellip;

What Are HTML Entities?

HTML entities are special sequences of characters used to represent reserved or non-printable characters in HTML markup. Because HTML uses angle brackets, ampersands, and quotation marks as structural syntax, displaying those same characters as literal text requires escaping them into entity form. Without proper encoding, a raw < character would be interpreted as the start of an HTML tag rather than displayed as visible text.

An HTML entity begins with an ampersand (&) and ends with a semicolon (;). Between those delimiters, you write either a named identifier (for example &amp; for the ampersand itself) or a numeric code point (for example &#38; for the same character). Both forms are equally valid; named entities are more readable while numeric entities cover every Unicode code point regardless of whether a named alias exists.

HTML entities solve three overlapping problems. First, they prevent browser parsing errors when special syntax characters appear in text content. Second, they allow authors to insert characters that are absent from their keyboard layout, such as the Euro sign or the trademark symbol . Third, they protect web applications from cross-site scripting (XSS) injection by ensuring that user-supplied angle brackets and quotes are rendered as harmless display characters rather than executed markup.

The HTML Entity Encoder tool automates the conversion in both directions. Paste raw text to encode it into safe HTML, or paste entity-laden markup to decode it back to human-readable characters. Choose between named entities for readability or numeric entities for maximum Unicode portability.

How the Encoder and Decoder Work

The encoder operates by scanning the input string character by character and replacing each special character with its corresponding entity. Two encoding strategies are available:

Named Entity Encoding

The tool maintains an internal lookup table mapping characters to their standard named entities. When a character in the input matches a key in that table, it is replaced by the named entity value. For instance, every occurrence of & becomes &amp;, every < becomes &lt;, and every > becomes &gt;. Named entities are defined by the HTML specification and are supported in all modern browsers.

Numeric Entity Encoding

When numeric encoding is selected, the tool examines the Unicode code point of each character. If the code point is greater than 127 (i.e., outside the basic ASCII printable range) or if the character is one of the five HTML-reserved characters (&, <, >, ", '), it is replaced by its decimal numeric entity in the form &#N; where N is the decimal code point.

Decoding

Decoding reverses both formats simultaneously. The tool first applies a reverse lookup to convert every known named entity back to its original character. It then applies two regular-expression replacements: /&#(d+);/g to handle decimal numeric entities and /&#x([0-9a-fA-F]+);/g to handle hexadecimal numeric entities. The result is fully human-readable plain text.

Numeric Entity Encoding Rule

Encode char c as &#N; where N = charCodeAt(c), if N > 127 or c ∈ {&, <, >, ", '}

Where:

  • c= The character being evaluated
  • N= The decimal Unicode code point of the character (charCodeAt result)
  • &#N;= The resulting decimal numeric HTML entity

Named vs. Numeric Entities: When to Use Each

Choosing between named and numeric HTML entities depends on your use case, the characters involved, and your audience's browser compatibility requirements.

Named Entities

Named entities are defined in the HTML specification and have human-friendly identifiers. &lt; is instantly recognizable as a less-than sign; &copy; obviously represents a copyright symbol. They improve code readability in source views and are universally supported by all HTML5-compliant browsers. Use named entities when you want your HTML source to remain easy to audit by colleagues or static analysis tools.

Numeric Entities

Numeric entities can represent every Unicode character, not just the roughly 250 characters that have named aliases. If you need to encode an obscure mathematical symbol, a rare CJK character, or an emoji, a numeric entity will always work even when no named alias exists. Numeric entities also travel safely through legacy systems and XML parsers that do not recognize HTML5 named entities. Use numeric entities when maximum portability across parsers and encoding-agnostic systems is more important than source readability.

The Five Essential Entities

Regardless of which encoding style you choose, the following five characters should always be encoded in HTML attributes and text content:

Character Named Entity Numeric Entity Reason to Encode
&&amp;&#38;Starts all entities; ambiguous without encoding
<&lt;&#60;Opens HTML tags; causes parsing errors in text
>&gt;&#62;Closes HTML tags; may break markup structure
"&quot;&#34;Terminates attribute values delimited by double quotes
'&#39;&#39;Terminates attribute values delimited by single quotes

HTML Encoding and Web Security (XSS Prevention)

One of the most important practical applications of HTML entity encoding is defending against cross-site scripting (XSS) attacks. XSS is a class of web vulnerability where an attacker injects malicious script into a page that is later viewed by other users. If a web application outputs user-supplied text directly into an HTML page without encoding it, an attacker can submit input containing <script> tags or event attributes like onerror= that the browser will execute.

By encoding user input before rendering it in HTML, you neutralize the attack. A submitted payload of <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt;, which the browser renders as visible text rather than executable code. The attacker's script never runs.

Security-conscious developers should encode output in context-appropriate ways. Text content nodes require encoding of &, <, and >. HTML attribute values additionally require encoding " and '. JavaScript string contexts require JavaScript string escaping, not just HTML encoding. Always apply the encoding strategy that matches the output context.

This HTML entity encoder tool is useful during development and code review to verify that specific strings encode correctly. For production applications, rely on a well-maintained server-side library or your templating engine's built-in auto-escaping rather than manual substitution.

Common Use Cases for HTML Entity Encoding

HTML entity encoding is relevant across a wide range of development, content management, and data-exchange scenarios.

Displaying Code Snippets

Technical documentation and developer blogs frequently display HTML source code as visible text. Without encoding, a code sample containing <div> would be interpreted by the browser as an actual div element rather than text. Encoding the snippet with this tool converts it to &lt;div&gt;, which renders correctly inside a <pre> or <code> block.

Email Templates

HTML email clients vary widely in their handling of special characters. Encoding typographic characters such as em dashes (&mdash;), left and right quotes (&ldquo;, &rdquo;), and the non-breaking space (&nbsp;) ensures consistent rendering across Gmail, Outlook, Apple Mail, and other clients.

CMS and Rich-Text Editors

Content management systems sometimes store content with HTML entities rather than raw Unicode to ensure database and export compatibility. Being able to decode entity-encoded content back to readable text helps editors verify what was actually stored and diagnose display inconsistencies.

Data Migration and API Integration

When consuming HTML from third-party APIs, scraped web pages, or legacy content exports, the data often contains HTML entities that need to be decoded before processing, storing in a database, or displaying in a non-HTML interface. The decoder mode handles both named and numeric (decimal and hexadecimal) entity forms in a single pass.

Internationalization

Non-ASCII characters such as accented Latin letters, currency symbols (€, £, ¥), and mathematical operators (±, ×, ÷) can be safely embedded in any HTML document using their numeric entities, eliminating dependence on a correctly declared character encoding.

Worked Examples

Encode an HTML Tag String (Named Entities)

Problem:

Encode the string `<div class="example">Hello & Welcome!</div>` using named entity encoding so it can be displayed as visible text in a browser.

Solution Steps:

  1. 1Set mode to Encode and encoding type to Named Entities.
  2. 2The encoder scans for characters in the named entity table: < → &lt;, > → &gt;, " → &quot;, & → &amp;.
  3. 3The < at position 0 becomes &lt;.
  4. 4The " around 'example' each become &quot;.
  5. 5The > closing the opening tag becomes &gt;.
  6. 6The & before 'Welcome' becomes &amp;.
  7. 7The < before /div becomes &lt; and the > at the end becomes &gt;.

Result:

&lt;div class=&quot;example&quot;&gt;Hello &amp; Welcome!&lt;/div&gt;

Encode a Currency Symbol (Numeric Entities)

Problem:

Encode the string `Price: €49.99 or £39.99` using numeric entity encoding to ensure portability across all parsers.

Solution Steps:

  1. 1Set mode to Encode and encoding type to Numeric Entities.
  2. 2The encoder checks each character's code point using charCodeAt.
  3. 3The € character has code point 8364 (greater than 127), so it encodes to &#8364;.
  4. 4The £ character has code point 163 (greater than 127), so it encodes to &#163;.
  5. 5ASCII characters (P, r, i, c, e, :, space, digits, period) have code points ≤127 and are not in the reserved set, so they pass through unchanged.

Result:

Price: &#8364;49.99 or &#163;39.99

Decode Mixed Named and Numeric Entities

Problem:

Decode the string `&lt;p&gt;Copyright &#169; 2024 &amp; All rights &#x2192; Reserved&lt;/p&gt;` back to plain text.

Solution Steps:

  1. 1Set mode to Decode.
  2. 2The decoder first applies the reverse named-entity lookup: &lt; → <, &gt; → >, &amp; → &.
  3. 3The decimal numeric entity &#169; is matched by /&#(\d+);/g; String.fromCharCode(169) gives ©.
  4. 4The hexadecimal numeric entity &#x2192; is matched by /&#x([0-9a-fA-F]+);/g; parseInt('2192', 16) = 8594; String.fromCharCode(8594) gives →.
  5. 5All substitutions are applied and the fully decoded string is assembled.

Result:

<p>Copyright © 2024 & All rights → Reserved</p>

Encode a JavaScript Alert Payload for Safe Display

Problem:

A security audit needs to display the XSS payload `<script>alert('xss')</script>` as visible text on a documentation page.

Solution Steps:

  1. 1Set mode to Encode and encoding type to Named Entities.
  2. 2The < before script becomes &lt;.
  3. 3The > after script becomes &gt;.
  4. 4The single quotes ' each become &#39; (the tool maps ' to &#39; rather than a named entity).
  5. 5The < before /script becomes &lt; and the final > becomes &gt;.
  6. 6The encoded string is now safe to place inside any HTML element as visible text.

Result:

&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;

Tips & Best Practices

  • Always encode &, <, >, ", and ' when inserting user-supplied text into HTML to prevent XSS vulnerabilities.
  • Use named entities (&amp;lt;, &amp;amp;) in HTML source code you intend humans to read and maintain.
  • Switch to numeric entities when targeting XML parsers or systems that may not support all HTML5 named entity aliases.
  • The Swap button lets you quickly round-trip a string: encode it, then swap and decode to verify the original is recovered.
  • Non-breaking spaces (&amp;nbsp;) prevent line breaks between words in formatted output such as dates and names; encode them explicitly when needed.
  • When displaying code samples in documentation, always encode the snippet first so browsers render it as visible text instead of parsing it as markup.
  • For email templates, encode typographic characters (em dashes, curly quotes, currency symbols) to guarantee consistent rendering across all email clients.
  • Hexadecimal numeric entities (&#x2192;) and decimal numeric entities (&#8594;) are interchangeable; this decoder handles both forms simultaneously.

Frequently Asked Questions

&amp;amp; is the named entity for the ampersand character, while &#38; is its decimal numeric entity (38 being the Unicode/ASCII code point of &). Both produce the same rendered output — a literal ampersand — in any HTML5-compliant browser. Named entities are more readable in source code; numeric entities work in XML and legacy parsers that may not recognize HTML5 named entity aliases.
Regular ASCII spaces (code point 32) do not need to be escaped in HTML text content or most attribute values, and encoding them would make the output unnecessarily verbose and harder to read. The tool does map the non-breaking space to &amp;nbsp; if that specific Unicode character (U+00A0) is present in the input, but ordinary keyboard spaces are left as-is. If you specifically need non-breaking spaces in your layout, type the U+00A0 character or insert &amp;nbsp; manually.
In numeric encoding mode, the tool encodes every character with a code point above 127, which covers the full Unicode Basic Multilingual Plane including accented characters, CJK ideographs, currency symbols, mathematical operators, and most emoji. Characters within the printable ASCII range (code points 32–127) are passed through unchanged unless they are one of the five reserved HTML characters. Named encoding mode only covers the roughly 30 characters that have entries in the built-in named entity table.
HTML entity encoding is an essential defense against reflected and stored XSS in HTML text and attribute contexts, but it is not a complete solution on its own. JavaScript event-handler contexts, CSS property values, and URL parameters each require their own escaping rules. A robust XSS prevention strategy combines output encoding with a strict Content Security Policy, input validation, and the use of a mature templating engine that applies context-appropriate escaping automatically.
The Swap button moves the current output text into the input field and simultaneously toggles the mode between Encode and Decode. This lets you round-trip a string: encode it, verify the result, then swap and decode to confirm the original text is recovered. It is a quick sanity-check workflow that saves you from manually copying and pasting between the two text areas.
The page's decoder supports both decimal entities (&#N;) and hexadecimal entities (&#xN;) in decode mode. When encoding, the tool produces decimal numeric entities. Hexadecimal entities are sometimes preferred when working with Unicode specifications because code points are conventionally written in hex (e.g., U+2192 for →). If you need to produce hexadecimal numeric entities, compute the hex value of the code point manually and wrap it as &#xHEX;.
No. HTML entities use the &name; or &#N; syntax and are parsed by the HTML rendering engine. URL percent-encoding uses the %XX syntax (where XX is a hex byte) and is parsed by URL parsers. They serve different contexts: HTML entities make characters safe inside HTML markup, while URL encoding makes characters safe inside URIs. Mixing them up — for example, using HTML entities inside a query string — is a common developer mistake that leads to double-encoding bugs.

Sources & References

Last updated: 2026-06-05

💡

Help us improve!

How would you rate the HTML Entity Encoder/Decoder?

<>

Editorial Note

MyCalcBuddy Editorial Team

This page is maintained as an educational calculator reference.

Source

Formula Source: Standard Mathematical References

by Various

UpdatedLast reviewed: May 2026
CheckedFormula checks are based on standard references and internal QA review.