HTML Entity Encoder / Decoder

Type or paste, then choose to encode or decode.

Escape and unescape HTML safely

Paste text to convert HTML-significant characters into entities, or paste entity-encoded text to turn it back into readable characters. Encoding escapes the four characters that matter most (& < > ") and the apostrophe, so your text displays exactly as written instead of being read as markup. It all runs in your browser.

Why entities exist

Some characters are part of HTML's own syntax. An unescaped < can start a tag, and a stray & can begin an entity, so pasting raw text into a page can break the layout — or, with user-supplied text, open the door to cross-site scripting. Converting those characters to entities like &lt; and &amp; makes the text safe to display.

Rule of thumb: encode any untrusted or code-sample text before dropping it into HTML; decode when you need the original characters back.

Common entities

  • & → &amp;
  • < → &lt;  and  > → &gt;
  • " → &quot;  and  ' → &#39;

Frequently asked questions

What are HTML entities?

HTML entities are codes that represent characters which have special meaning in HTML or can't be typed directly. For example, the less-than sign becomes &lt; and an ampersand becomes &amp;, so the browser displays the character instead of interpreting it as markup.

When should I encode HTML entities?

Encode any text you're inserting into HTML that came from users or other untrusted sources, and any code samples you want shown literally. Escaping the characters <, >, &, and quotes prevents the text from breaking your markup or enabling injection.

Is encoding HTML entities the same as security sanitizing?

Escaping entities is an important part of preventing cross-site scripting when displaying text, but full sanitizing of rich HTML input needs a dedicated library. Use entity encoding for plain text output, and a vetted sanitizer when you must allow some HTML.