HTML Encoder & Decoder
Escape the characters that have a special meaning in HTML — or decode entities back to plain text — without anything leaving your browser. Named, decimal or hex output.
Your data never leaves your browser
This tool runs entirely in your browser. There is no upload endpoint on this page — your input is processed locally with native browser APIs, and nothing is sent to a server or logged. Open your browser's network panel and check: the only request is the page itself.
How it works
Three steps, no surprises
Paste your text
Drop in text, an HTML snippet, or a string full of entities. Auto mode works out whether you mean encode or decode.
Choose the style
When encoding, pick named (&amp;copy;), decimal (&amp;#169;) or hex, and optionally escape every non-ASCII character.
Copy, download or share
Copy the result, download it as a file, or grab a share link that carries your input in the URL — never on a server.
FAQ
HTML Encoder & Decoder questions, answered
What does HTML encoding (escaping) actually do?
It replaces characters that have a special meaning in HTML — chiefly &, <, >, " and ' — with their entity equivalents (&amp;amp;, &amp;lt;, &amp;gt;, &amp;quot; and &amp;#39;). The browser then shows those characters as plain text instead of trying to interpret them as markup. So if you want a page to literally display “<div>” rather than start a div element, you encode it first. Decoding is the reverse: it turns the entities back into the original characters.
When would I need to encode HTML entities?
Any time you want to show code or symbols as text rather than have the browser act on them — a tutorial that prints HTML tags, a code snippet inside a blog post, or a value you are inserting into an attribute. It is also essential when you place untrusted text (a name, a comment, a search term) into a page: encoding the special characters stops that text from being treated as markup. The numeric form is handy for emails and older systems that mangle accented or non-ASCII characters.
What is the difference between named, decimal and hex entities?
They are three ways of writing the same character. A named entity uses a readable label, such as &amp;copy; for ©. A decimal numeric entity uses the character’s code point in base 10, like &amp;#169;. A hexadecimal one uses base 16, like &amp;#xA9;. Browsers understand all three, so the choice is about readability and compatibility — names are clearest, while numeric forms work for every character even when no name exists.
Should I encode every non-ASCII character?
Usually not. A modern, UTF-8 page can show café, € or 😀 directly with no encoding at all, which keeps the source readable. Switch on “encode all non-ASCII” only when something downstream cannot be trusted with UTF-8 — for example an email template, a legacy CMS, or a system that strips accents. For everyday web pages, encoding just the five HTML-special characters is the right, minimal choice.
Is encoding enough to stop XSS?
Encoding the HTML-special characters is the core defence when you drop untrusted text into ordinary page content or into a quoted attribute value, and this tool produces exactly that. But it is not a complete answer on its own: text placed inside a URL, a piece of inline JavaScript, or a CSS block needs a different kind of escaping that matches that context. Treat this tool as the right first step for HTML context, not a one-size-fits-all security fix.
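The three entity styles and the context point above, as an added JavaScript example that is not this tool's own code. The function and option names are assumptions, and the named-entity tables cover only a handful of names.

```javascript
// Added example; function and option names are illustrative, not the tool's own code.
const NAMED = new Map([['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'],
                       ['"', '&quot;'], ["'", '&#39;'], ['©', '&copy;']]);
const BY_NAME = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'],
                         ['quot', '"'], ['apos', "'"], ['copy', '©']]);

// Encode text for HTML element content or a quoted attribute value.
// style: 'named' | 'decimal' | 'hex'. allNonAscii also escapes every code point above 0x7F.
function encodeHtml(text, { style = 'named', allNonAscii = false } = {}) {
  let out = '';
  // for...of walks code points, so an emoji (a surrogate pair) becomes one reference.
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    if (!'&<>"\''.includes(ch) && !(allNonAscii && cp > 0x7f)) {
      out += ch;
    } else if (style === 'named' && NAMED.has(ch)) {
      out += NAMED.get(ch);
    } else if (style === 'hex') {
      out += `&#x${cp.toString(16).toUpperCase()};`;
    } else {
      out += `&#${cp};`; // decimal, and the fallback when no name is known
    }
  }
  return out;
}

// Decode in a single pass: "&amp;lt;" yields the text "&lt;", never "<".
function decodeHtml(text) {
  const ref = /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi;
  return String(text).replace(ref, (whole, hex, dec, name) => {
    if (name) return BY_NAME.get(name) ?? whole; // unknown names stay as written
    const cp = parseInt(hex ?? dec, hex ? 16 : 10);
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : '\uFFFD';
  });
}

// URL context needs its own encoder first; HTML encoding is then applied for the attribute.
function searchLink(untrustedTerm) {
  const url = '/search?q=' + encodeURIComponent(untrustedTerm);
  return `<a href="${encodeHtml(url)}">search</a>`;
}
```

In `searchLink`, `encodeURIComponent` leaves the apostrophe alone, so the HTML-encoding pass is still what keeps the value inside the quoted attribute.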
Is it safe to paste my content here?
Yes. The encoding and decoding both run entirely in your browser with plain JavaScript — nothing you type is sent anywhere, and you can confirm that in your browser’s network panel. The optional share link keeps your text in the URL itself rather than on a server, and the on-device history can be cleared at any time. Nothing leaves your machine.