HTML Entities Encode/Decode
Escape special HTML characters to display them safely and prevent XSS attacks.
What it's for
Escape HTML safely
Named and numeric
Encode to named entities (&lt;) or numeric (&#60;). Decodes both types automatically.
100% private
Processing happens in your browser. Your code or content is never sent to any server.
Prevents XSS
Escapes the 5 critical characters (<, >, &, ", ') that are the primary cause of XSS vulnerabilities.
Instant
Results appear as you type. No buttons, no waiting.
How it works
Three steps, no hassle
Paste the text to encode or decode
Enter text with special characters (<, >, &, ", ') to encode, or text with HTML entities (&lt;, &amp;) to decode back to plain text.
Choose the mode
Select 'Encode' to escape special characters to HTML entities, or 'Decode' to convert HTML entities back to plain text.
Copy the result
Get the processed text ready to insert into your HTML, template, or database. One click to copy to clipboard.
FAQ
Got questions?
HTML entities are sequences of characters that represent special characters in HTML. They start with & (ampersand) and end with ; (semicolon). There are two types: named entities like &amp; (for &), &lt; (for <), &gt; (for >), and &quot; (for "), and numeric entities in decimal (&#60; for <) or hexadecimal (&#x3C; for <). The HTML5 standard defines more than 2,000 named entities for Unicode characters.
HTML uses certain characters as part of its syntax: < starts a tag, > closes it, & starts an entity, and " delimits attributes. If you include these characters directly in HTML content without escaping, the browser interprets them as syntax rather than text, breaking the markup. For example, to display the text '<b>hello</b>' literally (with the tags visible), you must write '&lt;b&gt;hello&lt;/b&gt;' in the HTML.
&amp; represents the ampersand (&). &lt; represents the less-than sign (<). &gt; represents the greater-than sign (>). &quot; represents the double quote ("). &apos; represents the apostrophe ('). &nbsp; represents the non-breaking space. &copy; represents the copyright symbol (©). &reg; represents the registered trademark symbol (®). &euro; represents the euro symbol (€). These nine cover the vast majority of everyday use cases.
Named entities (&amp;, &lt;, &copy;) are more human-readable but require the browser to know the name. They are defined in the HTML specification and each version expands the list. Decimal numeric entities (&#38; for &) and hexadecimal (&#x26; for &) work for any Unicode character without relying on a name. Strict XML parsers only recognize 5 predefined named entities (&amp;, &lt;, &gt;, &quot;, &apos;) and require numeric entities for all others.
XSS (Cross-Site Scripting) occurs when an attacker injects JavaScript code into a web page through unsanitized data. For example, if an application displays a username without escaping and the attacker uses the name '<script>stealCookies()</script>', that script would execute. If the name is escaped with HTML entities, it becomes '&lt;script&gt;stealCookies()&lt;/script&gt;' in the markup and the browser renders it as inert text. HTML entity escaping at the presentation layer is the primary defense against reflected and stored XSS in web applications.
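The behaviour the FAQ answers above describe (named, decimal and hexadecimal entities, the five critical characters, and the username scenario) as an added example in JavaScript, the language the tool itself runs in. This is not the Convertir.ai tool's own source; the function names encodeHtml, decodeHtml and greetingHtml, the nine-entry named table and the sample inputs are assumptions constructed for this illustration.

```javascript
// Added example, not the Convertir.ai tool's own source: a minimal HTML entity
// encoder and decoder covering the cases the FAQ describes (named, decimal and
// hexadecimal entities, and the five characters that matter for XSS).

// The five characters that can change the meaning of HTML markup, mapped to
// their named entities. &apos; is only defined in HTML5 (and XML), so the
// numeric form &#39; is used for the apostrophe to stay safe in every parser.
const CRITICAL_NAMED = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text for insertion into HTML element content or a quoted
// attribute value. mode: 'named' (default), 'decimal' (&#60;) or 'hex' (&#x3C;).
function encodeHtml(text, mode = 'named') {
  return String(text).replace(/[&<>"']/g, (ch) => {
    if (mode === 'named') return CRITICAL_NAMED[ch];
    const code = ch.charCodeAt(0);
    return mode === 'hex'
      ? `&#x${code.toString(16).toUpperCase()};`
      : `&#${code};`;
  });
}

// The nine named entities the FAQ lists (constructed subset); the full HTML5
// table has over 2,000 names, so a real decoder would load the complete list.
// Unknown names are left untouched rather than guessed at.
const NAMED_TO_CHAR = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  nbsp: '\u00A0', copy: '\u00A9', reg: '\u00AE', euro: '\u20AC',
};

// Decode named, decimal (&#60;) and hexadecimal (&#x3C;) entities in one pass.
function decodeHtml(text) {
  const pattern = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g;
  return String(text).replace(pattern, (match, hex, dec, name) => {
    if (name !== undefined) {
      return Object.prototype.hasOwnProperty.call(NAMED_TO_CHAR, name)
        ? NAMED_TO_CHAR[name]
        : match;
    }
    const code = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    // Values outside the Unicode range have no character; leave the text alone
    // instead of letting String.fromCodePoint throw.
    if (!Number.isFinite(code) || code > 0x10ffff) return match;
    return String.fromCodePoint(code);
  });
}

// The FAQ's XSS scenario: a username rendered into a page. Escaping turns the
// payload into inert text instead of a live <script> element.
function greetingHtml(username) {
  return `<p>Hello, ${encodeHtml(username)}</p>`;
}

// Demonstration with constructed inputs.
const payload = '<script>stealCookies()</script>';
console.log(greetingHtml(payload));
// <p>Hello, &lt;script&gt;stealCookies()&lt;/script&gt;</p>
console.log(encodeHtml('Tom & "Jerry"', 'hex'));
console.log(decodeHtml('&copy; 2024 &#60;b&#x3E;bold&lt;/b&gt;'));
```

Two points a practitioner should keep in mind when using this: entity escaping of these five characters is the correct defence only for HTML element content and quoted attribute values; text placed in an unquoted attribute, a JavaScript string, a URL or a CSS value needs the encoding for that context instead. And decoding is a one-way trip out of HTML: anything you decode with decodeHtml must be escaped again before it is inserted back into markup, otherwise the original payload is restored.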
HTML entities: the fundamental defense against XSS in web applications
HTML entities have been a fundamental part of the HTML specification since its earliest versions. The HTML5 standard (WHATWG Living Standard) defines 2,231 named entities, from the basic ones (&amp;, &lt;, &gt;) to mathematical characters, currency symbols, and Greek letters. Their original purpose was to allow special characters to be included in HTML documents without ambiguity with the markup language syntax. Over time, their importance in web security has become equally critical.
XSS (Cross-Site Scripting) is consistently one of the most prevalent vulnerabilities in web applications, appearing year after year in the OWASP Top 10. A successful XSS attack can steal session cookies, perform actions on behalf of the user, redirect to phishing sites, or inject keyloggers. Correct HTML entity escaping at the presentation layer is the most effective countermeasure against reflected and stored XSS. Modern frameworks like React, Angular, and Vue.js apply this escaping automatically when rendering variables in templates.
For developers working with HTML templates, email generation, CMSs, or any system that renders user-supplied content, correct HTML entity escaping is not optional — it is a fundamental security practice. Convertir.ai offers this tool running entirely in the browser, ideal for verifying the escaping of code snippets, preparing content for insertion into HTML, or converting entities back to text for further processing.