What are HTML Entities?
HTML entities are special codes used to represent characters that have meaning in HTML syntax or that cannot be typed directly. For example, the less-than sign (<) is written as &lt; in HTML source code, because a bare < would be interpreted as the start of an HTML tag.
Entities can be written as named references (like &amp; for &), decimal numeric references (like &#38;), or hexadecimal numeric references (like &#x26;). Browsers understand all three forms.
How to Use This Tool
- Select Encode to convert special characters to HTML entities, or Decode to convert entities back to plain text.
- Paste your text into the left box — the result appears instantly on the right.
- Click Use output as input to flip the result back and switch modes for round-trip testing.
- Click Copy output to copy the result to your clipboard.
Which Characters Get Encoded?
This tool encodes characters that are special in HTML or commonly represented as entities:
- Essential: &, <, >, ", ' — these must be encoded to prevent HTML injection and broken markup.
- Symbols: ©, ®, ™, €, £, ¥, °, ±, ×, ÷, and common fractions.
- Typography: em dash (—), en dash (–), ellipsis (…), non-breaking space.
Common Use Cases
- Displaying code in HTML — When showing HTML source code in a web page, all <, >, and & characters must be encoded so they display as text rather than being parsed as markup.
- Preventing XSS attacks — Encoding user-supplied input before inserting it into HTML is a critical defence against Cross-Site Scripting (XSS) attacks. Entity encoding covers HTML text and quoted attribute values; input placed inside script blocks, URLs, or CSS needs encoding specific to that context.
- Email templates — Many email clients require HTML entities for special characters to display correctly.
- CMS and rich text editors — Content management systems often store content with HTML entities and need to decode them for display or editing.
Frequently Asked Questions
What is the difference between &amp;, &#38;, and &#x26;?
All three represent the ampersand character (&). &amp; is the named entity. &#38; is the decimal numeric entity (38 is the Unicode code point for & in base 10). &#x26; is the hexadecimal numeric entity (26 in hex = 38 in decimal). All are valid HTML and decoded identically by browsers.
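The three reference forms and the five essential characters described on this page, shown as an added JavaScript example. This is not the tool's own code (the tool decodes with the browser's HTML parser); the names encodeHtml and decodeEntities and the five-entry name table are assumptions made for illustration.

```javascript
// Added example: a minimal encoder/decoder, not the tool's implementation.
// Only five named entities are known here; a browser knows the full table.
const ESCAPES = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;'],
]);
const NAMED = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
]);

// Encode the five essential characters in one pass, so an '&' produced
// by one replacement is never encoded a second time.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES.get(ch));
}

// Decode named, decimal and hexadecimal references in one pass.
// One pass matters: '&amp;lt;' must become '&lt;', not '<'.
function decodeEntities(text) {
  const pattern = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g;
  return String(text).replace(pattern, (match, hex, dec, name) => {
    if (name !== undefined) {
      // Entity names are case-sensitive; unknown names stay as literal text.
      return NAMED.has(name) ? NAMED.get(name) : match;
    }
    const codePoint = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    const isSurrogate = codePoint >= 0xd800 && codePoint <= 0xdfff;
    // NUL, surrogates and out-of-range values become U+FFFD.
    if (codePoint === 0 || codePoint > 0x10ffff || isSurrogate) {
      return '\uFFFD';
    }
    return String.fromCodePoint(codePoint);
  });
}

// Constructed sample input containing all five essential characters.
const SAMPLE = '<a href="x">Tom & Jerry\'s</a>';
```

The single-pass design is what keeps a round trip lossless: text that already contains entity-like sequences comes back unchanged after one encode and one decode.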
Does encoding protect against SQL injection?
No. HTML encoding only protects against HTML injection and XSS. SQL injection requires parameterised queries or prepared statements at the database layer — HTML encoding has no effect on SQL.
Does it work offline?
Yes. All encoding and decoding happens locally in your browser. The decode function uses the browser's built-in HTML parser (textarea.innerHTML) for accurate and complete entity decoding. No network requests are made.