RevealTheme logo

HTML Entity Encoder & Decoder

Encode the five HTML-significant characters (ampersand, less-than, greater-than, double-quote, and apostrophe) into entities for safe embedding, and decode any HTML entities back to plain text. Everything runs in your browser.

How to use this tool

  1. 1

    Pick a mode with the Encode or Decode toggle at the top.

  2. 2

    Paste or type your text into the input box.

  3. 3

    Read the converted result in the output panel below, which updates as you type.

  4. 4

    Select and copy the output to use in your HTML or document.

What does this HTML entity tool actually do?

HTML entities are escape sequences that stand in for characters the browser would otherwise treat as markup. In Encode mode this tool replaces exactly five characters: ampersand becomes &, less-than becomes <, greater-than becomes >, the double quote becomes ", and the apostrophe becomes the numeric reference '. Note it uses ' rather than the named ', because ' is not defined in HTML4 and can fail in older parsers. It does not touch accented letters, emoji, or other non-ASCII characters — on a UTF-8 page those render fine as-is, so they are intentionally left alone. Encode runs as a plain chain of string replacements, with the ampersand escaped first so existing entities are not double-mangled. Decode mode works differently: it assigns your input to a hidden textarea's innerHTML and reads back the decoded value, which means the browser's own parser resolves the entities. That covers the full set of named entities (©,  , —) and numeric references (©, —), not just the five that Encode produces. Because decode relies on the live DOM, it only runs in the browser.

Common use cases

  • Pasting a code snippet into a blog post or docs so tags like <div> display literally instead of rendering.

  • Escaping user-supplied text before dropping it into an HTML template to avoid breaking the markup.

  • Decoding entity-laden strings copied from page source, RSS feeds, or scraped HTML back into readable text.

  • Turning a stray &amp;nbsp; or &amp;mdash; from a CMS export back into a normal space or em dash.

  • Preparing example strings for tutorials where you need to show the raw entity form of a character.

  • Quickly checking what &#39; or &#x2014; decodes to without writing throwaway code.

Frequently asked questions

Which characters does Encode actually change?
Only five: & < > " and '. Everything else, including accented letters and emoji, is passed through unchanged because it is already valid on a UTF-8 page.
Why does the apostrophe become &#39; instead of &apos;?
&apos; is not part of the HTML4 named-entity set and breaks in some older parsers, so the tool uses the numeric reference &#39;, which is universally supported.
Does Decode handle entities this tool can't produce?
Yes. Decode uses the browser's own HTML parser, so it resolves the full range of named entities (like &copy; and &nbsp;) and numeric references (like &#169; and &#x2014;), well beyond the five characters Encode covers.
Is this enough to prevent XSS?
It handles the core character escaping for HTML text content, but context matters. Inserting data into attributes, URLs, JavaScript, or CSS needs context-specific escaping. For security-critical output, use a vetted templating engine or sanitizer rather than relying on a generic encoder.
Will encoding twice break my text?
Yes. Encode escapes the ampersand, so running already-encoded text through again turns &amp;lt; into &amp;amp;lt;. Encode raw text once; if you already have entities, use Decode first.
Is my text uploaded anywhere?
No. All encoding and decoding happens locally in your browser with plain JavaScript and the DOM. Nothing you type is sent to a server.
Why does Decode need a browser?
Decode works by writing your input into a textarea element and reading back its decoded value, which depends on the live DOM. That logic only executes in the browser, not during server-side rendering.

Related tools