
HTML entity encoder

Escape special characters to HTML entities for safe display, or unescape entities back to the original characters.

What this tool does

HTML treats certain characters specially: < starts a tag, & starts an entity, " delimits attribute values, and so on. To display these characters literally in a web page, they have to be written as HTML entities — &lt;, &amp;, &quot;, etc. This tool converts between the two forms in both directions.

The five characters that always need escaping

Character  Entity  Why
&          &amp;   Always — otherwise the parser tries to start an entity.
<          &lt;    Always — otherwise the parser tries to start a tag.
>          &gt;    For symmetry. Not strictly required, but good practice.
"          &quot;  Inside attribute values delimited by double quotes.
'          &#39;   Inside attribute values delimited by single quotes.

These five together are sometimes called the "OWASP minimum": escape these and you've prevented the most common cross-site scripting (XSS) vulnerabilities from user-supplied text placed in HTML text or attribute contexts.

Escape all non-ASCII?

With "Encode all non-ASCII to entities" turned on, every character with a code point above 127 is also converted to a numeric entity (&#252; for ü, etc.). This is rarely necessary in modern web pages, since UTF-8 is universally supported, but it's still useful when the destination system specifies a non-UTF-8 character set, or when debugging a display issue.

Decoding

The decoder accepts both named entities (&amp;) and numeric entities (&#38; or &#x26;). It uses the browser's HTML parser, so all 2,200+ named entities defined in the HTML standard are supported.
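The escaping table, the non-ASCII option and the decoder described above, worked through in one added JavaScript example (this is not the tool's own code). Unlike the tool, the decoder here does not hand the work to the browser's HTML parser, so it knows only numeric entities and the five named ones from the table; any other name is left untouched.

```javascript
// Added example, not the tool's own code. Escapes the five "OWASP minimum"
// characters and, optionally, every non-ASCII character as a numeric entity.
const OWASP_MINIMUM = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text, encodeNonAscii = false) {
  let out = "";
  for (const ch of text) {               // for...of walks code points, so emoji stay whole
    const cp = ch.codePointAt(0);
    if (Object.prototype.hasOwnProperty.call(OWASP_MINIMUM, ch)) out += OWASP_MINIMUM[ch];
    else if (encodeNonAscii && cp > 127) out += `&#${cp};`;   // decimal numeric entity
    else out += ch;
  }
  return out;
}

// Stand-alone decoder for numeric entities (&#38; / &#x26;) plus the five named
// ones above. The real tool uses the browser's HTML parser, which knows every
// named entity; this subset exists only so the example runs outside a browser.
const NAMED_SUBSET = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

function unescapeHtml(text) {
  return text.replace(
    /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g,
    (match, hex, dec, name) => {
      if (name !== undefined) {
        return Object.prototype.hasOwnProperty.call(NAMED_SUBSET, name) ? NAMED_SUBSET[name] : match;
      }
      const cp = parseInt(hex !== undefined ? hex : dec, hex !== undefined ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match; // out of range: leave as-is
    }
  );
}

// Constructed sample input: untrusted text with all five characters and a non-ASCII letter.
const SAMPLE = `Tom & Jerry <b>"bold"</b> it's ü`;

// Escaping with the non-ASCII option and decoding again must give back the input.
function roundTrips(text) {
  return unescapeHtml(escapeHtml(text, true)) === text;
}

console.log(escapeHtml(SAMPLE));
console.log(escapeHtml(SAMPLE, true));
console.log(roundTrips(SAMPLE));
```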

When to escape

Always escape user-provided text before inserting it into HTML. Templating languages (Jinja, ERB, Vue, React) escape by default. This tool is for one-off encoding; production code should use the framework's built-in escaping.

Privacy

Encoding and decoding happen entirely in your browser.

Frequently asked questions

Do I really need to escape >?
Not strictly — only & and < are required inside text. But escaping > for symmetry is conventional.
What's the difference between &#39; and &apos;?
Both represent a single quote. &apos; is not part of HTML4 (only HTML5 and XML), so the numeric form &#39; is more portable.
Does the tool encode characters inside script or style tags?
No — and you generally shouldn't HTML-escape JavaScript or CSS inside <script> or <style>. Those contexts have their own escaping rules.
Can the decoder handle non-standard entities?
The decoder uses the browser's HTML parser, which accepts all 2,231 named entities defined in the WHATWG HTML standard.
Is this safe to use on untrusted input?
For encoding, yes. For decoding, be careful: a malicious string could decode to HTML that, if inserted into the DOM, executes scripts. Decode for display purposes only, and never insert the decoded string back into a page as HTML.