HTML Encoder / Decoder

Convert special characters to safe HTML entities and decode them back again. Essential for preventing XSS vulnerabilities, displaying code in HTML, and safely including user-generated content on web pages. Runs entirely in your browser.

Common HTML Entity Reference

Character             Entity name   Entity number
&                     &amp;         &#38;
<                     &lt;          &#60;
>                     &gt;          &#62;
"                     &quot;        &#34;
'                     &apos;        &#39;
(non-breaking space)  &nbsp;        &#160;
©                     &copy;        &#169;
®                     &reg;         &#174;
€                     &euro;        &#8364;

Why HTML Encoding Matters for Security

Cross-site scripting (XSS) attacks inject malicious scripts into web pages by exploiting unencoded user input. If a user submits <script>alert(1)</script> and your application displays it raw, the browser executes it. Encoding all user-supplied content before displaying it prevents this.

Encoding vs Escaping

HTML encoding and HTML escaping mean the same thing in practice — converting reserved characters to entities. "Encoding" is the broader term; "escaping" refers specifically to making characters safe within a particular context (HTML, URL, JavaScript, etc.). Always use context-appropriate escaping. For URLs use URL Encoding instead.
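A small encoder and decoder for the behaviour described on this page, as an added example (it is not this tool's source code). The names encodeHtml and decodeHtml and the extended option are assumptions, and the code covers HTML text and quoted attribute values only, not URL or JavaScript contexts.

```javascript
// Added example, not the tool's source. Names and the `extended` option are assumptions.
const ENCODE = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'],
  ['"', '&quot;'], ["'", '&#39;'],   // both quote styles, for quoted attribute values
]);
// Named entities from the reference table on this page (names are case-sensitive).
const DECODE = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
  ['nbsp', '\u00a0'], ['copy', '\u00a9'], ['reg', '\u00ae'], ['euro', '\u20ac'],
]);

// Encode text for HTML element content or a quoted attribute value.
// A single pass over the input means an existing "&lt;" becomes "&amp;lt;"
// and is displayed literally instead of being interpreted as "<".
function encodeHtml(text, { extended = false } = {}) {
  let out = '';
  for (const ch of String(text)) {            // iterates by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    if (ENCODE.has(ch)) out += ENCODE.get(ch);
    else if (extended && cp > 0x7f) out += `&#${cp};`;
    else out += ch;
  }
  return out;
}

// Decode named and numeric (decimal or hex) references in one pass, so
// "&amp;lt;" yields the text "&lt;" rather than "<".
function decodeHtml(html) {
  return String(html).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') return DECODE.has(body) ? DECODE.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : match;   // leave invalid references untouched
  });
}

// Constructed sample input: the string quoted on this page plus text with quotes and non-ASCII.
const samples = ['<script>alert(1)</script>', `Tom & "Jerry's"`, 'Caf\u00e9 \u20ac5'];
for (const s of samples) {
  const safe = encodeHtml(s, { extended: true });
  console.log(`<p title='${safe}'>${safe}</p>`, decodeHtml(safe) === s);
}
```

The decoder only knows the named entities in the reference table above; any other name is left as written.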

Frequently Asked Questions

What are HTML entities?

Codes that represent reserved characters in HTML. For example, &lt; represents < and &amp; represents & — preventing browsers from treating them as markup.

Which characters need to be encoded?

At minimum < > & and " must be encoded to prevent injection. Other characters like accented letters can also be encoded for safety.

What is the difference between HTML and URL encoding?

HTML encoding uses entities (e.g. &lt;) for HTML documents. URL encoding uses percent sequences (e.g. %3C) for web addresses.

Does this tool encode all Unicode characters?

Yes. Enable "Encode extended chars" to convert all non-ASCII characters to their numeric HTML entity equivalents.