HTML Entity Encoder / Decoder
Encode HTML syntax characters or decode current named and numeric character references entirely in the browser.
Privacy: your files never leave your device. All processing happens locally in your browser.
How to use
- 1.Choose Encode characters or Decode references and select an encoding mode when applicable.
- 2.Paste the source text and select the conversion button.
- 3.Inspect reserved characters and copy the output only into an appropriate context-aware HTML workflow.
About HTML Entity Encoder / Decoder
HTML Entity Encoder / Decoder converts between literal characters and HTML character references without uploading text. In encode mode, it protects the characters that participate in HTML syntax. In decode mode, it uses the browser’s current HTML parser to resolve named, decimal, and hexadecimal references into their Unicode characters.
The basic encoding mode replaces ampersand, less-than, greater-than, double quote, and apostrophe. Ampersand becomes &, less-than becomes <, greater-than becomes >, double quote becomes ", and apostrophe becomes the decimal reference '. Encoding ampersand first prevents a newly created reference from being encoded a second time within the same operation.
The non-ASCII mode performs the same syntax protection and additionally writes every code point above ASCII 126 as an uppercase hexadecimal numeric reference. The encoder iterates Unicode code points rather than UTF-16 code units, so an emoji such as 😀 becomes one 😀 reference rather than two invalid surrogate references. Ordinary ASCII letters, numbers, spaces, tabs, and line breaks remain readable.
Decode mode is broader than the small encode table. The WHATWG HTML Living Standard defines the complete current named character reference table, including legacy aliases and references that map to more than one code point. A detached textarea element asks the browser’s HTML parser to apply that table. No decoded content is inserted into the visible page or executed as markup; the resulting value is placed in a plain read-only text area.
Eight external golden fixtures cover ampersand, less-than, greater-than, double quote, apostrophe, non-breaking space, copyright, and a hexadecimal emoji reference. Additional tests prove that basic encoding protects a sample element without changing literal copyright or emoji characters, while non-ASCII mode converts both of those code points.
Character references are context sensitive. Encoding text for an HTML text node is not the same as safely constructing a URL, JavaScript string, CSS value, SQL query, or HTTP header. This tool offers general HTML syntax escaping and reference decoding; it is not a substitute for framework auto-escaping, a trusted templating engine, a sanitizer, or a Content Security Policy.
Decoding can reveal markup-looking text. For example, <script> becomes the literal characters <script>. The tool does not execute that string, but copying it into an unsafe innerHTML sink could create a vulnerability. Treat decoded output as untrusted data and use context-aware escaping at the final output boundary.
The encoder intentionally does not replace every printable character with a named entity. Modern UTF-8 HTML can contain Unicode directly, and MDN recommends avoiding unnecessary references. Use basic mode for readable source and non-ASCII mode only when a numeric-reference representation is genuinely required by a legacy workflow, transport, teaching example, or comparison task.
Input is limited to 500,000 JavaScript characters to keep work bounded. The browser may preserve or normalize some legacy parsing details according to the HTML standard it implements. If a downstream system uses XML rather than HTML, remember that XML has a much smaller predefined entity set and different parsing rules.
For reliable use, choose the operation first, paste a small representative sample, run the conversion, and inspect ampersands and angle brackets before processing a larger block. Copy the result only after confirming the receiving context. The page does not save history, fetch a remote table, or transmit the input.
Methodology & sources
Bound input at 500,000 characters. Encode ampersand, angle brackets, quotes, and apostrophes with fixed HTML-safe references; optionally iterate Unicode code points and encode values above ASCII 126 as uppercase hexadecimal numeric references. Decode through a detached browser textarea so the active WHATWG named and numeric reference parser supplies the full table. Return plain text only and disclose that escaping is context-specific, not sanitization.
Frequently asked questions
- Does decode mode support named references such as ©?
- Yes. It delegates the current full HTML named-reference table to the browser parser.
- Does encoding sanitize dangerous HTML?
- No. It escapes common syntax characters in a string but does not sanitize a document or make arbitrary insertion contexts safe.
- Why are non-ASCII characters optional?
- UTF-8 HTML can normally contain them directly; numeric references are useful only for specific workflows.
- Can decoded output become markup?
- It can contain markup-looking characters, so treat it as untrusted text and never place it into an unsafe HTML sink.
Related tools
- URL DecoderPercent-encode or decode URLs and query values instantly in your browser — Unicode-safe, with clear errors on malformed input, and nothing uploaded.
- Base64 Encode / DecodeEncode or decode Base64 instantly with full UTF-8 support — emoji and accents work, all in your browser.
- ASCII ConverterConvert standard 7-bit ASCII text to decimal codes or decode decimal codes back to exact ASCII characters locally.
- Hex to Text ConverterParse hexadecimal bytes with explicit separator and 0x-prefix rules, then decode only complete valid UTF-8 without silent replacement.
- Base32 Encode / DecodeEncode UTF-8 text to canonical RFC 4648 Base32 or decode padded and unpadded Base32 back to strict UTF-8.
- Binary To TextConvert text to binary and binary back to text instantly, with full Unicode (UTF-8) support and everything running locally in your browser.