HTML Encoder & Decoder
Encode special characters to HTML entities or decode entities back to characters. Prevents XSS attacks and ensures proper rendering of special characters in web pages.
Common HTML Entities
- < → < (less than)
- > → > (greater than)
- & → & (ampersand)
- " → " (double quote)
- ' → ' (apostrophe)
- → non-breaking space
Why Encode HTML
- Security: Prevent XSS (Cross-Site Scripting) attacks
- Display: Show HTML code as text on a web page
- Compatibility: Ensure special characters render correctly
XSS Prevention
Always encode user input before displaying it in HTML. If a user submits <script>alert('hack')</script>, encoding converts it to harmless text that displays literally instead of executing.
What Does an HTML Encoder/Decoder Actually Do?
When a browser reads HTML, it interprets certain characters as markup instructions. The less-than sign < opens a tag. The ampersand & starts a named entity. If you want those characters to appear visually on a page without triggering browser behavior, you have to convert them into their escaped equivalents — <, &, and so on. An HTML encoder handles that conversion automatically, turning raw text into browser-safe markup. The decoder reverses the process, turning entity references back into readable characters.
This sounds simple, but the use cases branch out quickly. You might be building a code documentation site and need to display a raw <script> block as visible text. You might be debugging a form that stores HTML in a database and need to verify what actually got saved. You might be migrating content between a CMS and a static site generator. In all of these situations, manually escaping or unescaping hundreds of characters is error-prone — one missed ampersand breaks your entire page layout.
The Characters That Matter Most
Not every character in HTML needs encoding, but a predictable set of five causes the most problems in practice:
- < (less-than) — Encoded as
<. The single most common source of broken markup when pasting raw code into a webpage. - > (greater-than) — Encoded as
>. Less dangerous than<alone, but still needed for valid, cross-browser-safe output. - & (ampersand) — Encoded as
&. Especially tricky because it also appears inside other entity references, creating double-encoding bugs if you're not careful. - " (double quote) — Encoded as
". Critical inside attribute values wrapped in double quotes. - ' (single quote / apostrophe) — Encoded as
'or'. Matters most when attribute values are wrapped in single quotes.
Beyond these five, the encoder handles extended Unicode characters — for instance, the em dash — becomes —, and the copyright symbol becomes ©. Whether you need named entities or numeric character references (— vs —) depends on your target environment, and a good HTML encoder tool gives you the choice.
Frequently Asked Questions
When should I encode HTML versus using a CDATA section?
CDATA sections (written as <![CDATA[ ... ]]>) are a legitimate XML mechanism for marking character data that should not be parsed as markup. They work reliably in XHTML served as application/xhtml+xml. In standard HTML5 served as text/html, CDATA sections are treated as comments in most contexts and do not protect your content the way they would in XML. For HTML5 documents, entity encoding is the safer, more universally supported approach — and it is what an HTML encoder/decoder tool produces.
What is double-encoding, and how do I avoid it?
Double-encoding happens when already-encoded text gets run through an encoder a second time. For example, if < is encoded again, it becomes < — which a browser will display literally as < on screen instead of the intended <. This is a common bug in content pipelines where sanitization happens at multiple layers. The fix is to always decode first, verify the state of your content, then encode once. The HTML decoder side of the tool is precisely what you use to check whether input is already encoded before processing it again.
Does HTML encoding protect against XSS attacks?
Partially — and this distinction matters enormously for security work. Encoding user-supplied input before inserting it into HTML content (between tags) does block the most common reflected XSS vectors. If a user submits <script>alert(1)</script> and you encode it before rendering, the browser displays that text literally instead of executing it. However, encoding alone is not a complete XSS defense. Inserting encoded data into JavaScript contexts, CSS properties, or event handler attributes requires context-specific escaping rules that go beyond standard HTML entity encoding. Think of HTML encoding as one layer in a defense-in-depth strategy, not a single silver bullet.
Can the decoder handle numeric character references as well as named entities?
Yes. A well-built HTML decoder recognizes three forms: named entities like , decimal numeric references like  , and hexadecimal numeric references like  . All three are valid HTML and should decode to the same non-breaking space character. If a decoder only handles named entities, it will silently leave numeric references untouched — which creates partial decoding bugs that are hard to spot visually.
Why does my encoded output look different from what another tool produced?
Two valid encoders can produce different output for the same input character. One might encode the em dash as the named entity —; another might produce the decimal reference — or pass it through as the raw Unicode character (since modern HTML5 allows most Unicode codepoints directly). Neither output is wrong — they are functionally equivalent in a UTF-8 HTML5 document. The difference becomes meaningful in legacy environments with limited character set support, or when a downstream system performs its own string comparison instead of rendering the HTML.
What is the difference between HTML encoding and URL encoding?
They solve different problems for different contexts. URL encoding (also called percent-encoding) converts characters for safe transmission in a URL, turning a space into %20 and a forward slash into %2F. HTML encoding converts characters for safe rendering inside an HTML document. A common mistake is to URL-encode a string and then insert it directly into HTML without HTML-encoding it, or vice versa. When a character needs to appear in a URL that is also an HTML attribute value, both encodings apply — you URL-encode the query parameter value first, then HTML-encode the entire attribute value.
How do I handle bulk encoding for thousands of strings?
The online tool is ideal for spot-checking and one-off conversions, but for production pipelines processing large datasets you should use native library functions: htmlspecialchars() in PHP, Python's html.escape(), Java's StringEscapeUtils.escapeHtml4() from Apache Commons, or the escapeHtml utility in frameworks like Handlebars and Django's template engine. These are battle-tested, handle edge cases correctly, and run at memory speed without HTTP round-trips. The online encoder is best used to verify that your programmatic output matches expectations — paste a sample, compare, and confirm your code is escaping consistently.
A Practical Workflow: Displaying Code Samples on a Website
Suppose you are writing a tutorial that needs to show the following markup as visible, non-rendered text on a page:
<a href="https://example.com?ref=home&utm=organic" title="Visit">Click</a>
That string contains four characters that need encoding: two angle brackets (one open, one close), one ampersand in the URL, and the quotes around the attribute values if you are embedding this inside another attribute. Run the string through the HTML encoder and you get output that can be safely placed inside a <pre><code> block without any browser parsing interference. The encoder handles the & in the query string correctly, converting it to & so the browser renders a literal ampersand rather than treating it as the start of an entity reference.
When you later need to edit that example, paste the encoded version into the decoder to recover the clean, readable source — no manual find-and-replace required.
One Detail Most People Overlook
The non-breaking space character ( ) behaves differently from a regular space in HTML layout. When you paste text copied from a Word document or a PDF into an encoder, those invisible non-breaking spaces often travel with the content. After encoding, they appear as explicit entities, making them suddenly visible and easy to audit. This is one of the quieter diagnostic benefits of running pasted content through an HTML encoder — it surfaces hidden whitespace characters that would otherwise cause subtle layout and word-wrap anomalies in your published pages.