DevBolt
Processed in your browser. Your data never leaves your device.

How do I encode or decode HTML entities online?

Paste text containing special characters like <, >, &, or " and click Encode to convert them to HTML entities (&lt;, &gt;, &amp;). Paste encoded text and click Decode to restore the original characters. The tool handles all named and numeric HTML entities. Everything runs in your browser.

Encode special HTML characters
Input
<div class="alert">Price: $5 & up</div>
Output
&lt;div class=&quot;alert&quot;&gt;Price: $5 &amp; up&lt;/div&gt;

HTML Entity Encoder & Decoder

Encode special characters as HTML entities or decode entities back to text. Fast, private, and free.

Common HTML Entities

Character   Named      Numeric    Description
&           &amp;      &#38;      Ampersand
<           &lt;       &#60;      Less than
>           &gt;       &#62;      Greater than
"           &quot;     &#34;      Double quote
'           &apos;     &#39;      Single quote
U+00A0      &nbsp;     &#160;     Non-breaking space
©           &copy;     &#169;     Copyright
®           &reg;      &#174;     Registered trademark
™           &trade;    &#8482;    Trademark
€           &euro;     &#8364;    Euro sign
£           &pound;    &#163;     Pound sign
—           &mdash;    &#8212;    Em dash
–           &ndash;    &#8211;    En dash
…           &hellip;   &#8230;    Ellipsis
°           &deg;      &#176;     Degree
×           &times;    &#215;     Multiply
÷           &divide;   &#247;     Divide
→           &rarr;     &#8594;    Right arrow

Quick Reference

Minimal mode encodes only the 5 characters that are special in HTML/XML: & < > " '. Use this when your text contains HTML tags or attributes that should be displayed as literal text.

All Characters mode also encodes every non-ASCII character (accented letters, symbols, emoji) using named entities where available, or numeric codes. Use this when you need pure ASCII output.

Decoding recognizes named entities (&amp;), decimal codes (&#169;), and hex codes (&#xA9;).
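
The two encode modes and the three reference forms the decoder recognizes, as an added example (not DevBolt's own code). The function names and the small named-entity subset are assumptions made for illustration; a full implementation would carry the complete HTML named-entity list.

```javascript
// Added example; function names are illustrative, not DevBolt's code.
// Named entities: a small subset taken from the table on this page.
const NAMED = new Map([["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'],
  ["apos", "'"], ["nbsp", "\u00A0"], ["copy", "\u00A9"], ["euro", "\u20AC"]]);
// Reverse lookup for encoding; ' is left out so it is written as &#39;.
const BY_CHAR = new Map([...NAMED].filter(([name]) => name !== "apos")
  .map(([name, ch]) => [ch, name]));

// mode "minimal": only & < > " '; mode "all": also every non-ASCII code point.
function encodeEntities(text, mode = "minimal") {
  const pattern = mode === "all" ? /[&<>"']|[^\x00-\x7F]/gu : /[&<>"']/g;
  return text.replace(pattern, (ch) => {
    const name = BY_CHAR.get(ch);
    // The u flag matches whole code points, so an emoji becomes one numeric
    // entity instead of two surrogate halves.
    return name ? `&${name};` : `&#${ch.codePointAt(0)};`;
  });
}

// Recognizes named (&amp;), decimal (&#169;) and hex (&#xA9;) references.
function decodeEntities(text) {
  const ref = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;
  return text.replace(ref, (match, body) => {
    if (body[0] !== "#") {
      // Map lookup: an unknown name such as &constructor; is left untouched.
      return NAMED.has(body) ? NAMED.get(body) : match;
    }
    const isHex = body[1].toLowerCase() === "x";
    const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Zero, surrogates and values past U+10FFFF are not characters: emit U+FFFD.
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : "\uFFFD";
  });
}
```

The decoder makes a single pass, so `&amp;lt;` decodes to the text `&lt;` rather than to `<`.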

Tips & Best Practices

Security Note

HTML entity encoding prevents XSS attacks

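Converting < to &lt; and > to &gt; in user-generated content prevents browsers from interpreting it as HTML. This is the fundamental defense against Cross-Site Scripting (XSS). Also encode & (to &amp;), " (to &quot;), and ' (to &#x27;). Entity encoding covers values placed in element content and quoted attribute values; values written into URLs, inline scripts, or styles need the encoding for that context instead. Modern frameworks like React do this automatically in JSX expressions.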

Common Pitfall

Double encoding produces visible &amp;amp; in output

If your template engine already escapes HTML and you manually encode before passing data, users see literal &amp;lt; instead of <. This happens frequently when switching between raw HTML and framework templates. Encode exactly once, at the output layer closest to the browser.
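
An added example (not from the original page) covering both the Security Note and this pitfall: a small output layer that encodes each interpolated value exactly once, shown next to unescaped concatenation and next to the double-encoding mistake. `SafeHtml`, `escapeHtml`, `html` and the `render*` functions are hypothetical names, and the comment string is constructed sample input.

```javascript
// Added example; all names here are illustrative.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
const escapeHtml = (value) => String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);

// Marks markup that is already encoded so the output layer does not encode it again.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
}

function encodeValue(value) {
  if (Array.isArray(value)) return value.map(encodeValue).join("");
  return value instanceof SafeHtml ? value.markup : escapeHtml(value);
}

// Output layer: literal template parts are trusted, every interpolated value
// is encoded once unless it is a SafeHtml produced by this same function.
function html(strings, ...values) {
  const out = strings.reduce((acc, part, i) => acc + encodeValue(values[i - 1]) + part);
  return new SafeHtml(out);
}

// Constructed sample input, as a comment form might receive it.
const comment = `<script>alert(1)</script> "5 & up"`;

// Unsafe: concatenation puts the raw value into the markup.
function renderUnsafe(text) { return '<p title="' + text + '">' + text + "</p>"; }

// Safe: encoded for the quoted attribute and for the element content.
function renderSafe(text) { return html`<p title="${text}">${text}</p>`.markup; }

// Pitfall: encoding by hand before the output layer encodes again.
function renderDoubleEncoded(text) { return html`<p>${escapeHtml(text)}</p>`.markup; }

// Nested templates stay single-encoded because inner results are SafeHtml.
function renderList(items) {
  return html`<ul>${items.map((item) => html`<li>${item}</li>`)}</ul>`.markup;
}
```

The attribute case is only safe because the template quotes the attribute value; the five-character encoding does not protect an unquoted attribute.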

Pro Tip

Use numeric entities for special characters in email HTML

Email clients have inconsistent HTML entity support. Named entities like &mdash; may not render in all clients (especially Outlook). Numeric entities (&#8212; for em dash, &#169; for copyright) have broader support. For maximum compatibility, use UTF-8 encoding and avoid entities entirely where possible.

Real-World Example

The 5 mandatory HTML entities you must always encode

In HTML content: &lt; (<), &gt; (>), &amp; (&). In HTML attributes: add &quot; (") and &#x27; ('). These 5 characters have special meaning in HTML — failing to encode them in user input creates either broken markup or security vulnerabilities. Everything else can be left as UTF-8.

Frequently Asked Questions

What are HTML entities and when should I use them?
HTML entities represent special characters using a named or numeric code — &amp; for &, &lt; for <, &gt; for >, &quot; for ", and &#39; for '. You must use entities when displaying characters that have special meaning in HTML. The < and > characters would be interpreted as HTML tags, & starts an entity reference, and quotes can break attribute values. Entities are also used for characters not available on your keyboard, like &copy; (©), &mdash; (—), &euro; (€), and Unicode symbols. DevBolt's encoder handles both named entities and numeric codes.
What is the difference between HTML encoding and URL encoding?
HTML encoding converts characters to HTML entities for safe display in web pages. A less-than sign becomes &lt; so browsers render it as text instead of interpreting it as a tag. URL encoding (percent-encoding) converts characters to percent-hex codes for safe transmission in URLs. A space becomes %20 so it is not misread as a URL delimiter. HTML encoding protects against XSS (cross-site scripting) attacks in page content. URL encoding ensures data passes through URL parsing correctly. They serve different purposes and are not interchangeable — use HTML encoding in HTML content and URL encoding in URLs.
How do I prevent XSS attacks with HTML encoding?
Always HTML-encode user-provided content before inserting it into HTML pages. This converts < to &lt;, > to &gt;, & to &amp;, " to &quot;, and ' to &#39;, preventing injected scripts from executing. In React, JSX automatically escapes values in curly braces. In server-rendered HTML, use your framework's built-in escaping (htmlspecialchars in PHP, html.escape in Python, ERB's h helper in Rails). Never use innerHTML or dangerouslySetInnerHTML with unsanitized user input. For rich text, use a sanitization library like DOMPurify that allows safe HTML tags while stripping dangerous elements.
