HTML Entity Encoder / Decoder

HTML entity encoding replaces special characters like <, >, &, " and ' with safe equivalents (<, >, &, ", ') so they render as literal text inside HTML instead of being parsed as markup. Paste text above to encode or decode in your browser — no upload, no signup.

Which characters must I encode in HTML?

Five at minimum: &, <, >, " and '. These are the structural characters that — left unescaped — can break the surrounding markup or open an XSS hole. Inside body text you always escape < and &; inside attribute values you always escape " and &. The other two are escaped by convention to keep the markup robust under rewriting.

For non-ASCII characters (©, →, é, emoji), modern UTF-8 HTML doesn’t require entity encoding at all. You only need it when emitting into something that may transcode the page — legacy email, RSS in mixed encodings, CMS fields that strip extended characters.

Named, decimal, or hex — which format should I use?

The encoder supports three output shapes:

• Named — ©, &, ™. The most readable and what code review expects to see in source.
• Decimal numeric — ©, &, ™. Works in every HTML version including HTML 4 and obscure email clients that don’t recognise extended named entities.
• Hex numeric — ©, &, ™. Preferred in JSON, CSP and XML attribute contexts where decimal can clash with other numerics.

All three are functionally equivalent in modern browsers. The “scope” toggle decides how aggressively to encode: Reserved only touches just the five structural characters; All non-ASCII also encodes every character above code point 127.

How does the decoder handle every variant?

The decoder accepts named entities (©), decimal numeric (©), hex numeric (©) and all 250+ HTML5 named entities. It uses the browser’s own HTML parser via DOMParser, so anything the browser would render correctly, this tool decodes correctly — including malformed input that real-world HTML often contains.

When should I NOT encode HTML entities?

You don’t need to encode for URLs — use percent encoding via URL Encoder/Decoder. You don’t encode for JSON values — use JSON.stringify. You don’t encode for shell arguments — use proper argument arrays. Picking the wrong encoding produces output that looks right but breaks downstream.

You also don’t need to manually encode when using a templating engine that escapes by default (React JSX, Vue, Svelte, Jinja2, ERB, Liquid). Belt-and-suspenders encoding causes double-encoding — & becomes & and shows up visibly in output.

A searchable reference for the entities you actually need

The table below the encoder covers reserved HTML, whitespace, common punctuation (em-dash, curly quotes, copyright, trademark), math symbols, currency, arrows, full Greek alphabet, accented Latin and common pictographs — 195 entities across 10 categories. Click any cell to copy. Search by name (copy), by character (©) or by code point (169 or A9).

Privacy

Everything runs in your browser via DOMParser and string operations — no network round trip, no server, no logging. The reference table is static data shipped with the page. Verify in DevTools → Network: encoding triggers zero requests.