UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

HTML Entities Encoder Decoder

Encode and decode HTML entities in named/basic and numeric modes.

About HTML Entities Encoder Decoder

HTML entities are the escape mechanism that allows special characters to appear in HTML without being interpreted as markup. The less-than sign (<) becomes &lt;, the ampersand (&) becomes &amp;, and quotation marks become &quot; or &#39; — each encoding prevents the browser from treating the character as HTML syntax. This encoder/decoder lets you move freely between raw text and entity-encoded HTML. Use the encoder to safely embed user-generated content, code snippets, or mathematical expressions in HTML without breaking page structure. Use the decoder to recover plain text from an over-encoded source, read entity-heavy CMS output, or understand what a string will display as when rendered. Both named entities (&copy;, &mdash;, &nbsp;) and numeric entities (&#169;, &#8212;, &#160;) are supported. All operations run instantly in your browser.

Why use HTML Entities Encoder Decoder

Prevent XSS in HTML Output

Encoding user-supplied text before inserting it into HTML prevents cross-site scripting attacks where injected script tags execute in visitors' browsers.

Named and Numeric Entity Support

Handles both named entities like &copy; and &mdash; and numeric entities like &#169; and &#8212; in both encode and decode directions.

Attribute vs. Text Node Encoding

Correctly encodes quote characters for attribute context (href='...', onclick="...") and angle brackets for text node context, matching the HTML specification.

Decode CMS and Template Output

Recover plain text from HTML sources that double-encode entities or add unnecessary escaping, a common issue in legacy CMS and email template systems.

Non-ASCII to Numeric Entities

Optionally encode all non-ASCII characters (accented letters, emoji, CJK) as numeric HTML entities for maximum compatibility with ASCII-only email or legacy templates.

Instant In-Browser Processing

No server round-trip — encoding and decoding runs client-side so results appear immediately and your text content stays completely private.

How to use HTML Entities Encoder Decoder

  1. Select the operation mode: Encode (plain text → HTML entities) or Decode (HTML entities → plain text).
  2. Paste your input text into the input area — results update immediately in the output panel.
  3. For encoding, choose whether to encode only unsafe characters (<, >, &, ", ') or all non-ASCII characters as numeric entities.
  4. Review the output to verify the encoding is appropriate for your use case (attribute context vs. text node context).
  5. Click Copy to copy the encoded or decoded text to your clipboard.
  6. Clear and paste new content to process additional strings without page reload.

When to use HTML Entities Encoder Decoder

  • When embedding user-generated content in HTML and needing to escape it before inserting it into a template to prevent XSS vulnerabilities.
  • When writing inline HTML in a CMS, email builder, or static site generator that interprets < and & as markup syntax rather than literal characters.
  • When inserting a code snippet or command containing angle brackets into an HTML page and needing the characters to display literally.
  • When debugging double-encoded output from a templating engine where &lt; appears in the browser instead of the intended < character.
  • When preparing text for an HTML attribute value that contains quotes, ampersands, or special characters that would break the attribute syntax.
  • When converting a plain-text legal or technical document containing characters like © ™ — into their HTML entity equivalents for proper rendering.

Examples

Encode code snippet for display in HTML

Input: <script>alert('XSS & injection');</script>

Output: &lt;script&gt;alert(&#39;XSS &amp; injection&#39;);&lt;/script&gt;

Decode entity-heavy CMS output

Input: &lt;h1&gt;Welcome to &amp;nbsp;UtilityKit&lt;/h1&gt;&lt;p&gt;Your &quot;all-in-one&quot; toolkit&lt;/p&gt;

Output: <h1>Welcome to &nbsp;UtilityKit</h1><p>Your "all-in-one" toolkit</p>

Encode special characters for email template

Input: Copyright © 2026 — All rights reserved. Price: $19.99 & free shipping.

Output: Copyright &#169; 2026 &#8212; All rights reserved. Price: $19.99 &amp; free shipping.
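The encode and decode modes described on this page, as an added JavaScript example that is not UtilityKit's own code. The function names encodeEntities and decodeEntities and the small named-entity table are assumptions made for this illustration. It reproduces the three examples above: unsafe-only encoding, non-ASCII-to-numeric encoding, and a single-pass decode of named, decimal and hex references (so a double-encoded &amp;nbsp; comes back as &nbsp;, not as a space).

```javascript
// Added example, not UtilityKit's code. Function names and the entity table
// below are assumptions made for this illustration.

// Named entities the decoder recognises. Deliberately small; a production
// decoder needs the full HTML5 list (over 2,000 names).
const NAMED = new Map([
  ["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"],
  ["nbsp", "\u00A0"], ["copy", "\u00A9"], ["reg", "\u00AE"],
  ["trade", "\u2122"], ["mdash", "\u2014"],
]);

// The five characters that can break HTML syntax, and their replacements.
// &#39; rather than &apos; for the apostrophe, since &apos; is not defined in HTML4.
const UNSAFE = new Map([
  ["&", "&amp;"], ["<", "&lt;"], [">", "&gt;"], ['"', "&quot;"], ["'", "&#39;"],
]);

// Encode mode. With allNonAscii=false only the five unsafe characters are
// replaced, which is what text nodes and quoted attribute values need.
// With allNonAscii=true every code point above 0x7E also becomes a decimal
// numeric reference, for ASCII-only email bodies or legacy templates.
function encodeEntities(text, { allNonAscii = false } = {}) {
  let out = "";
  for (const ch of text) {                 // iterate by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    if (UNSAFE.has(ch)) {
      out += UNSAFE.get(ch);
    } else if (allNonAscii && cp > 0x7e) {
      out += "&#" + cp + ";";
    } else {
      out += ch;
    }
  }
  return out;
}

// Decode exactly one level of references: named, decimal (&#169;) and hex (&#xA9;).
// String.replace scans left to right in a single pass, so "&amp;lt;" yields "&lt;"
// rather than "<". Unknown names and out-of-range code points are left as-is.
function decodeEntities(html) {
  return html.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (whole, body) => {
    if (body[0] === "#") {
      const isHex = body[1] === "x" || body[1] === "X";
      const cp = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp > 0x10ffff ? whole : String.fromCodePoint(cp);
    }
    return NAMED.has(body) ? NAMED.get(body) : whole;
  });
}

// The page's three examples, run through the functions above.
const snippet = "<script>alert('XSS & injection');</script>";
console.log(encodeEntities(snippet));
console.log(encodeEntities(
  "Copyright \u00A9 2026 \u2014 All rights reserved. Price: $19.99 & free shipping.",
  { allNonAscii: true }));
console.log(decodeEntities(
  "&lt;h1&gt;Welcome to &amp;nbsp;UtilityKit&lt;/h1&gt;&lt;p&gt;Your &quot;all-in-one&quot; toolkit&lt;/p&gt;"));
```

The encoder always replaces the five unsafe characters, whichever mode is chosen, which is why the email-template example still turns the bare & into &amp;. The decoder deliberately decodes only one level: calling it in a loop until the output stops changing would hide exactly the double-encoding problems the decode mode is meant to expose.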

Tips

  • Always encode at minimum the five unsafe characters (&, <, >, ", ') when inserting any user-supplied or external text into HTML, even if it looks safe — defense in depth prevents XSS.
  • Use the decode direction to quickly read what a heavily entity-encoded string will actually display as in a browser without needing to open a separate HTML file.
  • When writing inline onclick or other event attributes in HTML, double-encode any & in URLs (& → &amp;) to avoid the browser treating it as an entity reference inside the attribute value.
  • Non-breaking space (&nbsp;) is one of the most overused entities — replace any &nbsp; used purely for indentation or layout with CSS margin/padding for cleaner, more maintainable markup.
  • Paste a snippet of your template output into the decoder to diagnose double-encoding issues — if the decoded output contains entity sequences, your pipeline is encoding already-encoded text.

Frequently Asked Questions

What are HTML entities and why are they needed?
HTML entities are text replacements for characters that have special meaning in HTML syntax. The < and > characters delimit tags, & starts entity references, and " and ' delimit attribute values. If these characters appear unescaped in HTML content, browsers may misinterpret them as markup. Encoding them (e.g. < becomes &lt;) tells the browser to display the character literally.
What is the difference between double quotes and single quotes when encoded as HTML entities?
&quot; is the named entity for the double-quote character (") and is valid in both HTML4 and HTML5. &#39; is the numeric entity for the apostrophe/single-quote character (') — there is no named entity for it in HTML4, though &apos; was added in HTML5. Use &quot; in double-quoted attributes and &#39; or &apos; in single-quoted attributes.
Should I encode all characters or only unsafe ones?
For security purposes, you must encode at minimum: & (→ &amp;), < (→ &lt;), > (→ &gt;), " (→ &quot;), and ' (→ &#39;). For maximum compatibility in ASCII-limited environments like plain-text email bodies or older templating systems, additionally encoding all non-ASCII characters as numeric entities (&#169; for ©) ensures correct display everywhere.
What is double encoding and how do I detect it?
Double encoding occurs when already-encoded entities are encoded again — for example, &lt; becomes &amp;lt;, which renders literally as &lt; in the browser instead of <. If you see entity sequences like &amp; or &lt; in your browser output, something in your pipeline is encoding input that was already encoded. Decode once to recover the intended text.
Does encoding HTML entities protect against SQL injection?
No. HTML entity encoding only protects output that is rendered in HTML contexts (browsers). For database queries, use parameterized queries or prepared statements — these operate at the SQL layer and are unaffected by HTML encoding. Never rely on HTML encoding as your only defense for database-bound input.
What is the &nbsp; entity and when should I use it?
&nbsp; represents a non-breaking space (Unicode U+00A0). Use it to prevent line-breaks between two words that should stay together (e.g. 10&nbsp;km, Fig.&nbsp;1), or to add visual spacing in HTML where multiple regular spaces are collapsed to one by the browser. Avoid using it for layout purposes — use CSS margin and padding instead.
Are named entities or numeric entities more compatible?
Named entities like &copy; and &mdash; are part of HTML4 and HTML5 and are broadly supported. Numeric entities like &#169; and &#8212; are even more universal — they work in XML and XHTML contexts where some named entities are not defined. For safety in mixed HTML/XML environments, prefer numeric entities.
Can I use this tool to sanitize HTML from untrusted sources?
Encoding converts characters to entities but does not remove HTML structure. If you paste actual HTML with tags into the encoder, the tags themselves are encoded as text. This tool is for encoding plain-text content for safe insertion into HTML — it is not a full HTML sanitizer. For sanitizing rich HTML from untrusted sources, use a library like DOMPurify.
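The double-encoding diagnosis from the Tips and the FAQ above, as an added JavaScript example that is not UtilityKit's own code; the function names and the sample markup are constructed for this illustration. Instead of decoding first and looking for leftover entities, it scans the raw template output for the signature a second encoding pass leaves behind, an &amp; immediately followed by an entity body and a semicolon, reports what each occurrence will display as, and can strip exactly one surplus encoding level while leaving a legitimate &amp; (as in "Tom &amp; Jerry") alone.

```javascript
// Added example, not UtilityKit's code. Names and sample input are constructed.

// A double-encoded reference always appears in the source as "&amp;" directly
// followed by an entity body and ";" (e.g. "&amp;lt;", "&amp;#39;", "&amp;amp;"),
// because the second encoding pass turned the leading "&" of an existing
// reference into "&amp;". A bare "&amp;" followed by anything else is fine.
const DOUBLE_RE = /&amp;(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;

// Returns every double-encoded sequence, its offset, and the text a browser
// would actually render for it (the once-decoded form, e.g. "&lt;").
function findDoubleEncoded(html) {
  const hits = [];
  for (const m of html.matchAll(DOUBLE_RE)) {
    hits.push({ offset: m.index, found: m[0], displaysAs: "&" + m[1] + ";" });
  }
  return hits;
}

// Removes exactly one surplus encoding level: "&amp;lt;" -> "&lt;".
// Running this repeatedly would eventually decode legitimate references too,
// so apply it once and fix the pipeline stage that caused the problem.
function repairDoubleEncoding(html) {
  return html.replace(DOUBLE_RE, (_, body) => "&" + body + ";");
}

// Produces a short human-readable report for a template fragment.
function reportDoubleEncoding(html) {
  const hits = findDoubleEncoded(html);
  if (hits.length === 0) return "no double-encoded references found";
  return hits
    .map(h => `offset ${h.offset}: ${h.found} will display as ${h.displaysAs}`)
    .join("\n");
}

// Constructed sample of what a template engine emits when it HTML-encodes a
// value that a CMS had already encoded. "Tom &amp; Jerry" is correct and must
// survive untouched; the other three references are one level too deep.
const SAMPLE =
  "<p>Use &amp;lt;br&amp;gt; for a line break. Tom &amp; Jerry &amp;#169; 2026</p>";

console.log(reportDoubleEncoding(SAMPLE));
console.log(repairDoubleEncoding(SAMPLE));
```

In a build or CI step, a non-empty result from findDoubleEncoded over rendered pages is a reliable signal that two layers of the pipeline are both escaping the same value; the usual fix is to escape once, at the point where data is written into HTML, and to store raw text rather than pre-encoded text in the CMS.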

Glossary

HTML Entity
A sequence of characters that represents a single character in HTML. Entities begin with & and end with ; and are used to display reserved characters or characters not easily typed. Example: &lt; represents <.
Named Entity
An HTML entity identified by a human-readable name rather than a number. Examples: &amp; (ampersand), &copy; (copyright symbol ©), &mdash; (em dash —). Named entities are defined in the HTML specification.
Numeric Entity
An HTML entity expressed as a Unicode code point number. Decimal format: &#169; (©). Hexadecimal format: &#xA9; (©). Numeric entities work in both HTML and XML contexts.
XSS (Cross-Site Scripting)
A web security vulnerability where an attacker injects malicious scripts into content served to other users. Proper HTML entity encoding of user input is the primary defense when inserting data into HTML context.
Non-Breaking Space (&nbsp;)
Unicode character U+00A0. Unlike a regular space, it prevents a line break at its position and is not collapsed when multiple spaces appear adjacent in HTML source.
Character Reference
The formal HTML term for what is commonly called an entity. A character reference can be named (&amp;) or numeric (&#38;) and always resolves to a single Unicode code point.