Skip to content

← All tools

HTML Entity Encoder / Decoder

Escape the characters that break (or exploit) HTML, decode any &-style entity back to readable text, and look up what   or ’ actually is in the searchable reference table. Everything runs locally in your browser.

New to this? Read the HTML Entity Encoder / Decoder guide →

Mode

HTML entity reference

CharNamedNumericMeaning

When you need to escape

Five characters have jobs in HTML syntax and must be escaped whenever they appear as content: & < > and, inside attribute values, " and '. Escaping user-supplied text before putting it in a page is also the core defence against cross-site scripting — the encode mode here escapes exactly that critical set, plus (optionally) every non-ASCII character for HTML that must survive ASCII-only systems like older email pipelines.

Decoding uses the browser's own parser, so every named entity works — including the obscure ones. Seeing &amp;amp; in your output? That's double-encoding; the guide explains how it happens and how to unwind it. The searchable table below the tool doubles as a quick reference for "what is &nbsp;"-type lookups.

Frequently asked questions

Which characters must be escaped in HTML?

Five: & < > and, inside attribute values, " and '. They have structural jobs in HTML syntax, so writing them as content requires &amp;, &lt;, &gt;, &quot; and &#39;. Escaping user text this way is also the core defence against cross-site scripting.

What is the difference between &mdash; and &#8212;?

Same character, two spellings: a named entity and its decimal codepoint form (hex &#x2014; also works). Named entities only exist for a fixed list and only in HTML — XML knows just five names, which is why &nbsp; breaks RSS feeds. Numeric forms work everywhere.

Why does my page show &amp;amp; as literal text?

Double encoding: some layer escaped text that was already escaped, turning &amp; into &amp;amp;. Decode repeatedly until the text stops changing to repair it, then fix the layer that escapes twice — text should be stored raw and escaped exactly once, at output.

Is my text uploaded?

No. Encoding and decoding run locally in your browser (decoding uses the browser’s own HTML parser, with scripts never executed).

Related tools