HTML Entity Encoder and Decoder

Escape HTML special characters such as &, <, >, quotes, and apostrophes so text is displayed safely. Decode named and numeric HTML entities back to plain text.

Runs in your browser ⚡ REST API available 🧩 Embeddable
Output
&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;

What are HTML entities?

Five characters are special in HTML: &, <, >, " and '. Escaping them prevents browsers from treating user input as markup, which is a core part of XSS defense.

The decoder also resolves common named entities (&copy;, &mdash;, …) and any numeric entity (&#x1F600;).
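An added example, not this tool's own code: a minimal JavaScript encoder and decoder for the behaviour described above. The function names, the small named-entity table, and the choice of &#39; for the apostrophe are assumptions.

```javascript
// Added example; escapeHtml, decodeEntities, ESCAPES and NAMED are illustrative names.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace the five special characters in one pass, so an "&" produced by
// escaping "<" is never escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Small subset of named entities; a full decoder needs the complete HTML table.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", copy: "\u00A9", mdash: "\u2014" };

function decodeEntities(text) {
  const pattern = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g;
  return String(text).replace(pattern, (match, body) => {
    if (body[0] !== "#") {
      // Unknown names are left untouched rather than guessed at.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const hex = body[1] === "x" || body[1] === "X";
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // NUL, surrogates and values past U+10FFFF become U+FFFD, as in HTML parsing.
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return "\uFFFD";
    // fromCodePoint (not fromCharCode) handles astral code points such as U+1F600.
    return String.fromCodePoint(cp);
  });
}
```

Decoding runs in a single pass, so &amp;lt; yields the text &lt; rather than <. Decoding the same string twice can turn inert text back into markup.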

When to escape HTML

Escape HTML before showing untrusted text inside a webpage, template, email, or documentation example. Decode HTML entities when you need to turn copied source back into readable text.

This tool is for character escaping and decoding. It does not sanitize full HTML documents or validate whether markup is safe to render.

Use the API

Call the same encoder server-side or from another origin. CORS is open, and no auth is required for the free tier.

curl "https://encode-decode.org/api/v1/html\
?action=encode&input=%3Cb%3Ehi%3C%2Fb%3E"