HTML Entity Encoder / Decoder
Encode and decode HTML entities — named entities, numeric, hex references
Output Format
Encoding Scope
Encoding only HTML-critical characters: & < > " '
Type or paste text above to encode it as HTML entities. By default only the five HTML-critical characters (& < > " ') are encoded.
What Are HTML Entities?
HTML entities are special text sequences used to represent characters that would otherwise be interpreted as HTML markup, or characters that are difficult to type directly. An entity begins with an ampersand (&) and ends with a semicolon (;).
There are three formats for HTML entity references:
| Format | Example for © | Description |
|---|---|---|
| Named | © | Human-readable name from the HTML specification |
| Decimal numeric | © | Unicode code point as a decimal integer |
| Hex numeric | © | Unicode code point as a hexadecimal number |
All three forms are equivalent — browsers render them identically as the copyright symbol ©. Named entities are the most readable; numeric and hex entities work for any Unicode character, even those without a named entity.
The Five HTML-Critical Characters
Five characters have special meaning in HTML and must be encoded whenever they appear in text content or attribute values:
| Character | Named entity | Decimal | Hex | Meaning |
|---|---|---|---|---|
& | & | & | & | Ampersand — starts entity references |
< | < | < | < | Less-than — starts HTML tags |
> | > | > | > | Greater-than — ends HTML tags |
" | " | " | " | Double quote — delimits attribute values |
' | ' | ' | ' | Apostrophe — delimits attribute values |
Failing to encode these characters in user-supplied content is one of the most common causes of Cross-Site Scripting (XSS) vulnerabilities. Always encode untrusted text before inserting it into HTML.
How to Use the Encoder
Switch to the Encode tab and type or paste any text. The tool encodes it instantly as you type.
Output format:
- Named — uses readable names like
&and©. Falls back to decimal numeric (&#CODE;) for characters without a named entity. - Numeric — uses decimal numeric references like
&for every encoded character. - Hex — uses hexadecimal references like
&for every encoded character.
Encoding scope options:
- Encode non-ASCII (Unicode) characters — also encodes characters with code points above 127, such as accented letters (
é→é), currency symbols (€→€), and emoji. Useful when generating HTML for ASCII-only transport systems. - Encode all special ASCII characters — encodes all non-alphanumeric ASCII characters, not just the five HTML-critical ones. Useful for the strictest possible escaping.
When neither option is checked, only the five HTML-critical characters are encoded — the safe minimum for all HTML content.
How to Use the Decoder
Switch to the Decode tab and paste any HTML that contains entity references. The tool replaces all entity references with their corresponding characters. Supported formats:
- Named entities:
&< ©α€ - Decimal numeric references:
&©♥ - Hex numeric references:
&©♥😀 - Both lowercase and uppercase hex:
&and&
Unrecognised entity names (e.g. ¬anentity;) are left unchanged in the output, matching standard browser behaviour.
Entity Reference Table
The Reference tab shows 40 commonly used HTML entities with all three encoding formats. Use the search box to filter by description or entity name.
Named HTML Entities — Complete Coverage
This tool supports all HTML4 named entities plus selected HTML5 additions, covering:
- HTML critical characters —
&<>"' - Common symbols —
©®™€£¥¢ - Punctuation —
–—‘’“”…• - Mathematical symbols —
∞≠≤≥∑∏√π - Arrows —
←→↑↓↔ - Greek alphabet —
αthroughωand uppercase equivalents - Accented Latin characters — all 96 HTML4 accented characters (À through ÿ)
- Miscellaneous —
°±×÷½and more
Common Use Cases
Preventing XSS — Before inserting user-provided text into HTML, encode it to prevent browsers from interpreting it as markup. For example, a user who enters <script>alert(1)</script> should have their input converted to <script>alert(1)</script>.
HTML email content — Many email clients have limited Unicode support. Encoding non-ASCII characters as numeric entities (© instead of ©) ensures they display correctly across all email clients.
Static site generation — When building HTML programmatically, encoding special characters prevents accidental tag injection and keeps markup well-formed.
Configuration files and data formats — XML and some configuration formats use the same & < entity syntax. This tool can be used to safely embed HTML fragments in XML, XHTML, or RSS feeds.
Copying from design tools — Characters like — (em dash), " (curly quotes), and © (copyright) may need to be encoded to —, “, and © when pasting into template systems that expect plain ASCII entity syntax.
Frequently Asked Questions
Do I need to encode HTML entities in modern HTML5?
For the five HTML-critical characters (& < > " '), yes — always. For other characters like accented letters and currency symbols, modern HTML5 documents with charset="UTF-8" can use them directly. You only need to encode non-ASCII characters if your toolchain cannot preserve the UTF-8 encoding.
What is the difference between ' and '?
Both represent the apostrophe/single-quote character. ' is defined in XML and XHTML but was not part of HTML4 (though all modern browsers support it). ' is the decimal numeric entity and works everywhere. For maximum compatibility, use ' or ' in HTML4 documents.
Why does my decoder output not match what I expected?
If an entity name is not in the tool’s entity map (e.g. ‌ in an older build), it will be left unchanged. All five HTML-critical entities and 200+ named entities are supported. For unknown characters, use numeric or hex entities (&#CODE;) which can represent any Unicode code point.
Can this tool encode emoji?
Yes. Select the Encode non-ASCII option and use the Numeric or Hex format. For example, 😀 (U+1F600) encodes to 😀 or 😀. Named entities for emoji do not exist in the HTML specification.
Is my data processed on the server? No. All encoding and decoding happens entirely in your browser using JavaScript. Nothing is sent to any server.