Common HTML Entities

  <  →  &lt;
  >  →  &gt;
  &  →  &amp;
  "  →  &quot;
  '  →  &#39;
  /  →  &#x2F;


What is HTML Encoding?

HTML encoding converts the characters that have a special meaning in HTML into HTML entities, so that untrusted text is displayed as text rather than parsed as markup. It is the standard defence against XSS (Cross-Site Scripting) whenever user data is written into a page, and it is also how reserved characters are shown literally. The characters <, >, &, ", and ' must be written as &lt;, &gt;, &amp;, &quot;, and &#39; to appear as text instead of being interpreted as HTML code. Our HTML encoder applies this output encoding to user input so that it cannot inject markup or script into your web application, and it helps display code snippets, special characters, and symbols correctly on web pages. The tool supports both named entities (&nbsp;) and numeric entities (&#160;), with automatic detection of input format.

When to Encode vs Sanitize

Encode when untrusted text should appear exactly as the user typed it: every special character becomes an entity and nothing in the input can turn into markup. Sanitize (with an allowlist-based HTML sanitizer) only when users are genuinely allowed to submit some HTML, such as rich-text comments; sanitizing is a filtering problem that is much harder to get right, which is why encoding is the default choice. This tool encodes; it does not sanitize.

All encoding and decoding happens in your browser. Your content is never sent to any server.

Why Use HTML Encoding?

Writing unencoded user input into a page is the root cause of XSS attacks, in which attackers inject scripts that run in other users' browsers. HTML encoding prevents these attacks by converting the characters that carry meaning in HTML into entities that browsers display as text, not code. It is essential for displaying user-generated content (comments, reviews, forum posts), showing code examples, rendering special characters (©, ®, €), and preventing HTML injection. Without proper encoding, attackers can steal cookies, hijack sessions, deface websites, and compromise user data. Modern web frameworks encode output automatically in their templates, but manual encoding is still needed for legacy systems, hand-built HTML in APIs and e-mails, and the framework escape hatches that insert raw HTML.

How to Use

  1. Paste your text or HTML code into the input field
  2. Click 'Encode HTML' to convert special characters to entities
  3. Copy the encoded text for safe display in HTML
  4. To decode, paste HTML entities and click 'Decode HTML'
  5. View the original text with special characters restored
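The encode step of the procedure above in code, as an added example (not the tool's own source): an encoder that produces the same output as the tool for the three examples on this page, can emit either named or numeric entities, and can optionally turn every non-ASCII character into a numeric reference so the result is pure ASCII. The function and option names (htmlEncode, numeric, nonAscii, encodeSlash) are this example's own.

```javascript
// Added example, not the tool's own code. Named entities for the characters
// that have a meaning in HTML text and quoted attribute values.
const NAMED = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;'],
]);

// Encode a string for insertion into HTML text or a quoted attribute value.
//   numeric:     emit &#NN; instead of the named form for the special characters
//   nonAscii:    also encode every character above U+007E as &#NN; (pure-ASCII output)
//   encodeSlash: additionally turn '/' into &#x2F;
function htmlEncode(input, { numeric = false, nonAscii = false, encodeSlash = false } = {}) {
  // null/undefined (e.g. a missing query parameter) becomes '' instead of throwing.
  const str = input == null ? '' : String(input);
  let out = '';
  // Iterate by code point, so an emoji becomes one reference rather than two
  // broken surrogate halves.
  for (const ch of str) {
    const cp = ch.codePointAt(0);
    const named = NAMED.get(ch);
    if (named !== undefined) {
      out += numeric ? `&#${cp};` : named;
    } else if (encodeSlash && ch === '/') {
      out += '&#x2F;';
    } else if (nonAscii && cp > 0x7e) {
      out += `&#${cp};`;
    } else {
      out += ch;
    }
  }
  return out;
}

// Stand-alone demo: the three examples from this page.
console.log(htmlEncode("<script>alert('XSS')</script>"));
console.log(htmlEncode('<div class="container">Hello</div>'));
console.log(htmlEncode('Price: $100 & up', { numeric: true }));
```

Because the loop visits each character once, an already-encoded input such as &amp; becomes &amp;amp; rather than being left alone; that is correct behaviour for an encoder (the text "&amp;" should display as those five characters), and it is why encoding must be applied exactly once, at the point where the value is written into HTML.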

Real-World Examples

Encode User Input

Input: <script>alert('XSS')</script>

Output: &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;

Use Case: Prevent XSS attacks by encoding user-submitted content before displaying it on web pages.

Display Code Snippet

Input: <div class="container">Hello</div>

Output: &lt;div class=&quot;container&quot;&gt;Hello&lt;/div&gt;

Use Case: Show HTML code examples on documentation pages without the browser interpreting them as actual HTML.

Encode Special Characters

Input: Price: $100 & up

Output: Price: $100 &amp; up

Use Case: Display ampersands and other special characters correctly in HTML without breaking the page structure.

Frequently Asked Questions

What is HTML encoding?

HTML encoding converts special characters into HTML entities (e.g., < becomes &lt;). This prevents browsers from interpreting those characters as HTML code and protects against XSS attacks.

What characters need HTML encoding?

Always encode: < (&lt;), > (&gt;), & (&amp;), " (&quot;), ' (&#39;). Also encode special symbols when needed: © (&copy;), ® (&reg;), € (&euro;), non-breaking space (&nbsp;).

What's the difference between named and numeric entities?

Named entities use names (&nbsp;, &copy;). Numeric entities use the character's code point in decimal or hexadecimal (&#160;, &#169; or &#xA0;, &#xA9;). Browsers render both the same way. Named entities are more readable, but only characters that have a defined name can be written that way; numeric entities can express any Unicode character.

How does HTML encoding prevent XSS?

XSS attacks inject markup such as <script> into a page. HTML encoding converts < to &lt;, so the browser's parser never sees the start of a tag and displays the text instead of executing the script. This neutralizes the attack for any value placed in HTML text or a quoted attribute.

Should I encode all user input?

Yes, at the right moment and for the right context: encode untrusted data when you write it into HTML (output encoding), not when you store it, so the stored value stays usable in other contexts such as JSON or e-mail. This applies to comments, reviews, usernames, search queries, and any other user-generated content. Never trust user input.

What's the difference between HTML encoding and URL encoding?

HTML encoding uses entities (&lt;) for displaying text in HTML. URL encoding uses percent-encoding (%20) for transmitting data in URLs. Use the right encoding for the right context, and when a value passes through both (user text placed in a URL that is itself placed in an href attribute), apply both, innermost context first.
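The two-context case from the answer above, as an added example (not the tool's own code): user text is percent-encoded for the URL it becomes part of, and the finished URL is entity-encoded for the HTML attribute it sits in. It also shows why entity encoding alone is not enough when the user supplies the whole URL. The helper names (htmlAttrEncode, searchLink, safeHref, PLACEHOLDER_BASE) are this example's own.

```javascript
// Added example, not the tool's own code.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const htmlAttrEncode = s => String(s).replace(/[&<>"']/g, c => ESC[c]);

// Inside-out: innermost context (URL query string) first, outermost (HTML attribute) last.
// encodeURIComponent leaves ' alone, so the outer entity encoding is what keeps a
// quote in the query from touching the attribute.
function searchLink(query) {
  const url = '/search?q=' + encodeURIComponent(query);
  return `<a href="${htmlAttrEncode(url)}">${htmlAttrEncode(query)}</a>`;
}

// When the user supplies the whole URL, entity encoding is not enough:
// "javascript:alert(1)" contains nothing an HTML encoder would touch, yet the
// browser runs it on click. Parse the URL and allow only http(s). Relative URLs are
// resolved against a placeholder base purely so that the parser reports their scheme;
// the original string is what gets emitted.
const PLACEHOLDER_BASE = 'https://placeholder.invalid/';
function safeHref(userUrl) {
  const raw = String(userUrl);
  let scheme;
  try {
    scheme = new URL(raw, PLACEHOLDER_BASE).protocol; // lower-cased, whitespace-stripped
  } catch {
    return '#';
  }
  if (scheme !== 'http:' && scheme !== 'https:') return '#';
  return htmlAttrEncode(raw);
}

console.log(searchLink("it's <b>bold</b> & more"));
console.log(safeHref('javascript:alert(1)'), safeHref('/docs/page'));
```

Using the URL parser for the scheme check, rather than a string prefix test, matters: the WHATWG parser strips leading whitespace and embedded tabs and newlines and lower-cases the scheme, so "JavaScript:" and "java\tscript:" are recognised as the same scheme a browser would execute.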

Can I encode entire HTML documents?

Yes, but only encode the content you want to display as text, not the HTML structure itself. Encoding an entire page would display the HTML code instead of rendering it.

How do I decode HTML entities?

Paste text with HTML entities into our decoder. It converts entities back to their original characters, making the text human-readable again.
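The decode direction described above, and the named-versus-numeric distinction from the earlier question, as an added example (not the tool's own code): a single-pass decoder for decimal, hexadecimal and a small set of named references, plus the input-format check the tool performs. Browsers know over two thousand names; the table here holds only the ones this page mentions. The function names (htmlDecode, containsEntities) and the table are this example's own.

```javascript
// Added example, not the tool's own code.
const NAMED_TO_CHAR = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
  ['nbsp', '\u00A0'], ['copy', '\u00A9'], ['reg', '\u00AE'], ['euro', '\u20AC'],
]);

// One regular expression, one pass. Each reference is replaced exactly once, so
// "&amp;lt;" becomes the text "&lt;" and is never decoded a second time into "<".
// Names are case-sensitive in HTML (&lt; and &Lt; differ); hex digits are not.
const ENTITY_RE = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g;

function htmlDecode(str) {
  return String(str).replace(ENTITY_RE, (match, hex, dec, name) => {
    if (name !== undefined) {
      const ch = NAMED_TO_CHAR.get(name);
      return ch === undefined ? match : ch;   // unknown name: leave it as written
    }
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    // Not a valid scalar value (beyond U+10FFFF or a lone surrogate): keep the reference.
    if (cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
    return String.fromCodePoint(cp);
  });
}

// Input-format detection: does the text contain at least one well-formed reference?
// A fresh non-global copy avoids the lastIndex state a shared /g regex keeps between calls.
function containsEntities(str) {
  return new RegExp(ENTITY_RE.source).test(String(str));
}

console.log(htmlDecode('&lt;p&gt;Price: $100 &amp; up &#169; &#xA9; &copy;&lt;/p&gt;'));
console.log(containsEntities('a &amp; b'), containsEntities('a & b'));
```

Decoding is for reading and analysis. Never decode untrusted input and then write it into a page, and never decode repeatedly "until nothing changes": two passes turn the harmless text &amp;lt;script&amp;gt; into a live tag, which is exactly the double-decoding mistake that reintroduces XSS behind an encoder.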

Do I need to encode in JavaScript?

Yes. When inserting user content into the page via JavaScript APIs that parse HTML (innerHTML, insertAdjacentHTML, outerHTML), encode it first. Prefer textContent over innerHTML whenever you only need to show text: it creates a text node, so the browser never parses the value as HTML and no encoding is needed at all.

What frameworks automatically encode output?

React, Vue, Angular, and most modern frameworks encode interpolated values by default. Their raw-HTML escape hatches (dangerouslySetInnerHTML in React, v-html in Vue, bypassSecurityTrustHtml in Angular) switch that protection off: anything passed through them must be sanitized as HTML, or, if it is meant to be plain text, rendered through normal interpolation instead. Encoding a value and then inserting it as raw HTML only displays the entities as text, which is what ordinary interpolation already does.

Examples

Example 1: Basic Character Encoding

Input text:
  <script>alert('XSS')</script>

HTML encoded output:
  &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;

When rendered in a browser, this displays as literal text:
  <script>alert('XSS')</script>

Instead of executing as JavaScript — the attack is neutralized.

---

Essential HTML entity reference:
  <  →  &lt;
  >  →  &gt;
  &  →  &amp;
  "  →  &quot;
  '  →  &#39; or &apos; (&apos; is not defined in HTML 4, so &#39; is the portable choice)
  /  →  &#x2F; (optional; harmless, but once < is encoded a bare / can no longer close a tag)

Example 2: Preventing XSS in User-Generated Content

// ❌ VULNERABLE — never do this
const express = require('express');
const app = express();

app.get('/comment', (req, res) => {
  const userComment = req.query.text;
  res.send(`<p>${userComment}</p>`); // XSS vulnerability: raw user input becomes markup
});

// Attacker URL (the injected script runs in every visitor's browser):
// /comment?text=<script>document.cookie</script>

// ✅ SAFE — encode before inserting into HTML
function htmlEncode(str) {
  return String(str ?? '')          // a missing query parameter must not throw
    .replace(/&/g, '&amp;')         // & first, so the entities below are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

app.get('/comment', (req, res) => {
  const userComment = htmlEncode(req.query.text);
  res.send(`<p>${userComment}</p>`); // Safe: the payload is displayed as text
});

// Python equivalent (html.escape encodes &, <, >, " and ' by default):
import html
safe_comment = html.escape(user_comment)

// PHP (ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8):
$safe_comment = htmlspecialchars($user_comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

Example 3: Encoding for HTML Attributes

// Attribute context requires encoding quotes
// to prevent breaking out of the attribute value

// ❌ VULNERABLE
const title = req.query.title; // User input: " onmouseover="alert(1)
const html = `<div title="${title}">...</div>`;
// Renders as: <div title="" onmouseover="alert(1)"> ← attribute injection!

// ✅ SAFE — encode quotes in attribute values
const safeTitle = title.replace(/"/g, '&quot;');
const html = `<div title="${safeTitle}">...</div>`;

// Even safer — use single quotes and encode both:
function encodeAttribute(str) {
  return str
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Example:
Input:  She said "hello" & he said 'goodbye'
Output: She said &quot;hello&quot; &amp; he said &#39;goodbye&#39;
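Example 3 above says the attribute must be quoted; the added example below (not the page's own code) shows what happens when it is not. It compares the minimal five-character encoder with the stricter rule from the OWASP XSS Prevention Cheat Sheet (encode every non-alphanumeric character as &#xHH;), and runs both through a small attribute tokenizer that mimics where a browser decides an attribute value ends. The function names (encodeMinimal, encodeAttributeStrict, renderTitle, attributeNames) and the payloads are this example's own.

```javascript
// Added example, not the page's own code.

// Minimal: the five characters every HTML encoder handles.
const MIN = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const encodeMinimal = s => String(s).replace(/[&<>"']/g, c => MIN[c]);

// Strict: every character that is not alphanumeric becomes &#xHH;. Spaces, '=', '/' and
// quotes can then never act as delimiters, because the tokenizer fixes the attribute
// boundaries before character references are decoded.
const encodeAttributeStrict = s =>
  String(s).replace(/[^A-Za-z0-9]/gu, c => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);

// A template author's two choices: quoted (correct) or unquoted attribute value.
function renderTitle(userTitle, { encoder = encodeMinimal, quoted = true } = {}) {
  const value = encoder(userTitle);
  return quoted ? `<div title="${value}">...</div>` : `<div title=${value}>...</div>`;
}

// Names of the attributes in one start tag, following the HTML tokenizer's rule for
// where a value ends: at the matching quote for quoted values, at whitespace or '>'
// for unquoted ones. Character references are not interpreted at this stage, which is
// the whole point: &#x20; is not a space to the tokenizer.
function attributeNames(tag) {
  const names = [];
  const n = tag.length;
  let i = tag.indexOf(' ');                    // skip the tag name ("<div")
  while (i >= 0 && i < n) {
    while (i < n && /\s/.test(tag[i])) i++;    // whitespace before an attribute name
    if (i >= n || tag[i] === '>') break;
    let name = '';
    while (i < n && !/[\s=>]/.test(tag[i])) name += tag[i++];
    names.push(name.toLowerCase());
    while (i < n && /\s/.test(tag[i])) i++;
    if (tag[i] !== '=') continue;              // attribute without a value
    i++;
    while (i < n && /\s/.test(tag[i])) i++;
    const q = tag[i];
    if (q === '"' || q === "'") {
      const end = tag.indexOf(q, i + 1);       // quoted value: runs to the matching quote
      i = end < 0 ? n : end + 1;
    } else {
      while (i < n && !/[\s>]/.test(tag[i])) i++; // unquoted value: runs to whitespace or '>'
    }
  }
  return names;
}

// Constructed payloads: one for a quoted attribute, one for an unquoted attribute.
const quotedPayload = '" onmouseover="alert(1)';
const unquotedPayload = 'x onmouseover=alert(1)';
console.log(attributeNames(renderTitle(quotedPayload, { encoder: s => s })));                            // injected
console.log(attributeNames(renderTitle(quotedPayload)));                                                  // safe
console.log(attributeNames(renderTitle(unquotedPayload, { quoted: false })));                             // injected
console.log(attributeNames(renderTitle(unquotedPayload, { encoder: encodeAttributeStrict, quoted: false }))); // safe
```

The tokenizer is a deliberate simplification (no handling of stray '/' or '<', no duplicate-attribute rules), but it makes the same decision a browser makes for these inputs: the minimal encoder is enough only when the template quotes the attribute, while the strict encoder survives an unquoted one because no whitespace or '=' reaches the tokenizer. Neither encoder makes it safe to put user data into an event-handler attribute, a URL attribute, a style attribute or a <script> block.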
