simpletool.io

HTML Encoder/Decoder

Escape and unescape HTML entities in any string.

Encoding and decoding run in your browser. Nothing you paste is sent to a server.

What is an HTML Encoder / Decoder?

HTML encoding, also called entity escaping, converts characters that have special meaning in HTML markup (<, >, &, ", ') into their entity equivalents (&lt;, &gt;, &amp;, &quot;, &#39;). The browser then renders them as the literal characters rather than interpreting them as HTML markup. This is the single most important defence against cross-site scripting (XSS) when you have user-supplied content that needs to appear on a page without being treated as code.

There are three common encoding levels. Minimal handles just the five unsafe characters, the bare minimum to prevent markup confusion. Modern web frameworks (React, Vue, Svelte, Angular, Django, Rails) all perform this level automatically on template output. Named entities adds friendly aliases for the common symbols: &copy; for ©, &trade; for ™, &nbsp; for a non-breaking space. The result is human-readable and survives copy-paste between editors. Numeric (all non-ASCII) encodes every character above the basic ASCII range as a numeric reference like &#233;. It is the safest choice when you do not know what encoding the consumer will use, because every character above 0x7F becomes an unambiguous decimal code point.

Decoding is the inverse: turning entities back into the characters they represent. The trick with decoding is that HTML has thousands of named entities, and rolling your own table is a maintenance burden. The tool uses the browser's own HTML parser: we create a hidden textarea, set its innerHTML to the encoded string, and read back the value. The browser handles every entity correctly, including rare ones like &frac34; (¾) and decimal/hex numeric references (&#9731;, &#x2603;).
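The three encoding levels and the numeric side of decoding, as an added example that is not the tool's own code. It runs without a DOM, so the decoder uses a small constructed entity subset instead of the browser parser; the function and table names are assumptions.

```javascript
// Added example; not simpletool.io's code. All names here are assumptions.
const MINIMAL = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;'],
]);
// Constructed subset of the named-entity table (the real table has thousands).
const NAMED = new Map([['\u00A9', '&copy;'], ['\u2122', '&trade;'], ['\u00A0', '&nbsp;']]);

function encodeHtml(input, level = 'minimal') {
  let out = '';
  // for...of iterates code points, so an emoji stored as a surrogate pair
  // becomes one reference (&#128512;) instead of two broken halves.
  for (const ch of String(input)) {
    const cp = ch.codePointAt(0);
    if (MINIMAL.has(ch)) out += MINIMAL.get(ch);          // applied at every level
    else if (level === 'named' && NAMED.has(ch)) out += NAMED.get(ch);
    else if (level === 'numeric' && cp > 0x7F) out += `&#${cp};`;
    else out += ch;
  }
  return out;
}

// Reverse lookup for the decoder, built from the same two tables.
const DECODE = new Map([...MINIMAL, ...NAMED].map(([ch, ent]) => [ent, ch]));

function decodeHtml(input) {
  const ref = /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|[a-zA-Z][a-zA-Z0-9]*);/g;
  // One left-to-right pass: "&amp;lt;" decodes to "&lt;", never on to "<".
  return String(input).replace(ref, (match, dec, hex) => {
    if (dec === undefined && hex === undefined) {
      return DECODE.get(match) ?? match;   // name outside the subset: leave as is
    }
    const cp = dec !== undefined ? parseInt(dec, 10) : parseInt(hex, 16);
    // NUL, surrogates and out-of-range values become U+FFFD, as in browsers.
    const bad = cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF);
    return bad ? '\uFFFD' : String.fromCodePoint(cp);
  });
}
```

Decoding in a single pass matters when content has been encoded twice: chained replace calls would turn &amp;lt; into a live <, which is how double-encoded input ends up as markup.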

Developers reach for an HTML encoder in several scenarios: when a CMS exports content that will be embedded in an email template that treats angle brackets as markup; when a code tutorial needs to show HTML source without the browser rendering it; when pasting output from an older system that has already encoded the content and you need to reverse that; and when preparing JavaScript string literals that contain HTML.

A common trap: hand-encoding with a tool like this is not a substitute for proper output escaping in dynamic code. React's JSX, Vue's templates, and Django's template language all encode variables automatically when you interpolate them into markup. Only use this tool for one-off conversions (content migrations, tutorials, debugging). In an app, rely on the framework's built-in escaping and never hand-encode strings yourself, because the framework knows more about the context than you do.

How to use the HTML Encoder / Decoder

  1. Pick encode or decode. Tabs at the top flip the direction.
  2. Choose encoding level. Minimal, named entities, or numeric for everything non-ASCII.
  3. Paste the input. Raw HTML or text for encoding, entity-containing HTML for decoding.
  4. Copy the output. The result is ready to paste into an email template, a tutorial, or a code file.
  5. Swap and verify. Feed the output back in to confirm the conversion is reversible.

Features

  • Three encoding levels: minimal, named entities, full numeric.
  • Decoder uses the browser's own parser — handles every named and numeric entity.
  • Encodes emoji and non-Latin scripts correctly under the numeric option.
  • Swap button to round-trip input and output.
  • Runs entirely in your browser.

Frequently asked questions

Which characters need HTML encoding?
The absolute minimum is < > & " '. Inside script or style blocks there are additional concerns. Outside of those blocks, those five characters are enough to prevent markup injection. For user-supplied content, encoding these five prevents cross-site scripting.
What's the difference between named and numeric entities?
Named entities use friendly aliases (&copy;, &trade;, &nbsp;). Numeric references use code points (&#169;, &#8482;, &#160;). Named entities are more readable; numeric references work everywhere and don't depend on the consumer knowing the name table.
Do I need to HTML-encode in React / Vue / modern frameworks?
No. Template variables are auto-escaped. You only need manual encoding for edge cases: dangerouslySetInnerHTML, v-html, raw Django template filters, or when preparing content for an email or export that expects escaped HTML.
How do I encode all non-ASCII characters?
Pick the 'Numeric (all non-ASCII)' level. Every character above 0x7F becomes a decimal numeric reference like &#233;. This is the safest choice when you don't know what encoding the consumer uses.
Is there a list of all HTML entities?
Yes — the W3C maintains a full entity table at https://html.spec.whatwg.org/multipage/named-characters.html. Our decoder handles every entity in that list because it relies on the browser's own parser.