HTML Entity Encoder / Decoder
Encode HTML entities (& < > ") or decode entity-escaped text. Named, decimal, hex modes.
- [FREE]
- [NO_SIGNUP]
- [NO_UPLOAD]
An HTML entity encoder / decoder replaces reserved characters (<, >, &, ", ') and arbitrary code points with their numeric or named entity equivalents. This is necessary any time you embed user input into an HTML document.
Privacy
The named-entity table is shipped in the page bundle. The encoder and decoder are plain JavaScript — no network calls.
Frequently asked questions
Why encode HTML entities?
To safely include characters that would otherwise be interpreted as HTML markup. `<script>` rendered as `&lt;script&gt;` is shown as text instead of executed. Encoding is the baseline defense against reflected XSS.
What modes does this tool offer?
- Minimal: only the five characters that break HTML (`&`, `<`, `>`, `"`, `'`).
- All non-ASCII: minimal plus every code point above 127.
- Numeric decimal / hex: same as all non-ASCII but using `&#NNN;` or `&#xHH;`.
- Named: prefers named entities like `&copy;` where they exist.
Is encoding alone enough to stop XSS?
Encoding the five HTML-sensitive characters is enough for *element text content*. Attribute values, javascript: URLs, and CSS contexts have their own escaping rules. For everything beyond text content, prefer a sanitizer (DOMPurify) or a templating library that escapes correctly per-context.
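The modes and the text-content caveat from the two answers above, as an added JavaScript sketch (not this tool's source). The function names and mode strings are assumptions, and the decoder handles only numeric references and the five minimal named entities, not the full named-entity table.

```javascript
// Added sketch of the encoder modes; not this tool's source code.
// Mode names ("minimal", "decimal", "hex") are assumptions.
const MINIMAL = new Map([
  ["&", "&amp;"], ["<", "&lt;"], [">", "&gt;"], ['"', "&quot;"], ["'", "&#39;"],
]);
const NAMED = new Map([["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"]]);

function encodeEntities(text, mode = "minimal") {
  let out = "";
  // for...of walks code points, so an astral character such as an emoji
  // becomes one reference instead of two surrogate halves.
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    if (MINIMAL.has(ch)) out += MINIMAL.get(ch);
    else if (cp > 127 && mode === "decimal") out += `&#${cp};`;
    else if (cp > 127 && mode === "hex") out += `&#x${cp.toString(16).toUpperCase()};`;
    else out += ch;
  }
  return out;
}

function decodeEntities(text) {
  // One pass only: "&amp;lt;" must decode to "&lt;", never on to "<".
  return String(text).replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (name) return NAMED.has(name) ? NAMED.get(name) : m; // unknown name: keep as is
    const cp = parseInt(hex || dec, hex ? 16 : 10);
    // In this sketch NUL, surrogates and out-of-range values become U+FFFD.
    const bad = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return bad ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

// Constructed inputs.
const payload = `<script>"a" & 'b'</script>`;
console.log(encodeEntities(payload));
console.log(encodeEntities("\u00A9 \u{1F600}", "hex"));
// Context caveat: nothing here is one of the five characters, so the value
// passes through unchanged. Encoding does not make it safe as an href.
console.log(encodeEntities("javascript:void(0)"));
```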
Where does the encoding happen?
In your browser. The named-entity table is bundled with the page; nothing is sent over the wire.