HTML Encode/Decode
Encode special characters to HTML entities or decode them back.
Need to display characters like <, > or & in HTML without the browser treating them as code? This tool converts them to safe HTML entities and back. It is useful when you are showing user input, examples or code snippets on a web page.
The 5 Characters You Should Encode
These are the characters that cause problems in normal HTML when left unencoded:
- `<` becomes `&lt;` so the browser does not read it as the start of a tag
- `>` becomes `&gt;` so the browser does not treat it as the end of a tag
- `&` becomes `&amp;` so it does not start a broken entity
- `"` becomes `&quot;` inside double-quoted attributes
- `'` becomes `&#39;` inside single-quoted attributes
Why HTML Encoding Is a Security Issue
Without encoding, user input can turn into Cross-Site Scripting (XSS). For example, a comment might contain <script>alert("test")</script>. If you print that comment as real HTML, the browser may run it. HTML encoding turns the angle brackets into text, so the code is displayed instead of executed.
XSS is a common web security risk. Encoding on output is one of the basic habits that keeps user-generated text from becoming executable code.
Encoding on Output, Not Input
A common mistake is encoding data when you receive it and storing the encoded version. Don't do that. Store the raw data and encode it right before you render it in HTML. Why? Because the same data might be used in an API response, a mobile app or an email where HTML entities don't make sense. Encode at the last possible moment.
When HTML Encoding Isn't Enough
HTML encoding protects you inside normal HTML content. It is not enough if you put user data inside a <script> tag, a CSS style block, an event handler attribute or a URL. Each context needs its own type of escaping. Modern frameworks like React, Angular and Vue handle most normal text output automatically.
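The sketch below is an added example, not this tool's own code: it encodes the five characters at render time from raw stored data, decodes a single layer, and shows that a URL attribute needs a scheme check on top of entity encoding. The function names, the sample record and the scheme allow-list are assumptions.

```javascript
// Added example: names, sample data and the allow-list are assumptions.
const TO_ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const FROM_ENTITY = Object.fromEntries(Object.entries(TO_ENTITY).map(([c, e]) => [e, c]));

// Encode the five characters for HTML text and quoted attribute values.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => TO_ENTITY[ch]);
}

// Decode one layer only: "&amp;lt;" becomes "&lt;", not "<".
// Handles just the five entities produced by encodeHtml.
function decodeHtml(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => FROM_ENTITY[ent]);
}

// URL context: entity encoding leaves the scheme untouched, so check the
// scheme against an allow-list first (the allowed set is an assumption).
function safeHref(url) {
  try {
    const scheme = new URL(url, 'https://site.invalid/').protocol;
    return ['http:', 'https:', 'mailto:'].includes(scheme) ? encodeHtml(url) : '#';
  } catch {
    return '#'; // unparseable input gets an inert link
  }
}

// Store raw, encode at render time, with the escaping each context needs.
function renderComment(comment) {
  return `<p>${encodeHtml(comment.text)}</p>` +
         `<a href="${safeHref(comment.link)}">source</a>`;
}

// Constructed sample record, stored unencoded.
const stored = { text: '<script>alert("test")</script>', link: 'https://example.com/?a=1&b=2' };
console.log(renderComment(stored));
```

Text that was encoded twice needs `decodeHtml` applied twice, which is why a single decode pass can still leave entities visible.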
How to Use
- Paste your text or HTML entities into the input area.
- Click Encode to turn special characters into HTML entities.
- Click Decode to convert HTML entities back to normal characters.
- Copy the result.
Frequently Asked Questions
How do I use HTML Encode and Decode?
Paste text and choose encode to turn special characters into entities. Choose decode to turn entities back into readable text. This is useful when text must appear safely inside HTML.
When should I HTML-encode text?
Encode text when it needs to display as text inside HTML. This matters for characters like less-than, greater-than and ampersand. Encoding keeps those characters from being read as markup.
Is HTML encoding the same as sanitizing?
No. Encoding displays characters safely, while sanitizing removes unsafe HTML. They solve related but different problems. For user-generated HTML, sanitizing is usually still needed.
Why do I see `&amp;` in my text?
`&amp;` is the HTML entity for an ampersand. It appears when text has been encoded for HTML. Decode it once if you need the readable version.
Can decoding fix broken webpage text?
It can help when entities show up as raw text. Decode once, then check the result before saving it. If the text was encoded several times, you may need another pass.