HTML Entity Encoder

Encode and decode HTML entities online. Convert special characters to HTML-safe strings.

About HTML Entities

HTML entities are special codes used to display reserved characters in HTML. For example, < becomes &lt; and & becomes &amp;. This tool encodes and decodes these entities.

Video Tutorial (2:25)

Video coming soon; full transcript available below.

0:00

Why HTML entity encoding prevents XSS attacks

Welcome to this HTML Entity Encoder tutorial. When you display user-provided content in an HTML page, special characters can break your HTML structure or allow malicious script injection — this is called Cross-Site Scripting or XSS. The characters that must be encoded are: angle brackets less-than and greater-than (used for HTML tags), the ampersand (used for entities), double quotes and single quotes (used in HTML attributes). Converting these to HTML entities makes them display as text instead of being interpreted as HTML markup.

0:28

Encode text with special characters

Open the HTML Entity Encoder on ToolPilot.dev. Paste text containing special characters — for example: a script tag with an alert, or a string with ampersands and quotes. Click Encode. The output shows the entity-encoded equivalent: less-than becomes &lt;, greater-than becomes &gt;, ampersand becomes &amp;. When this encoded string is rendered in a browser, it displays the literal characters rather than executing as HTML or JavaScript.

0:58

Decode HTML entities back to text

To decode entities back to readable text, paste HTML-encoded content and click Decode. This converts &lt; back to the less-than sign, &amp; back to ampersand, &quot; back to double quotes, and so on. This is useful when working with HTML stored in databases, reading API responses that return escaped HTML, or analyzing HTML source code where entities are used for special characters.

1:30

Named vs numeric entities

HTML entities come in two forms: named entities like &amp; &lt; &gt; &quot; and numeric entities using decimal or hexadecimal notation. Named entities are human-readable. Numeric entities work for any Unicode character — the copyright symbol can be written as &#169; in decimal or &#xA9; in hexadecimal. The encoder outputs both forms so you can choose which format to use in your templates.

1:55

Use case: safe HTML templates and CMS content

Server-side templating frameworks handle HTML encoding automatically when you use their escape functions. But there are cases where manual encoding is needed: generating HTML in shell scripts, inserting content into legacy systems without automatic escaping, creating email HTML templates, or writing CMS content that includes code examples with angle brackets. This tool encodes the content so it displays correctly.

2:15

Wrap-up

HTML entity encoding is a fundamental web security concept. The HTML Entity Encoder on ToolPilot.dev encodes and decodes entities instantly in your browser. For production applications, always use your framework's built-in escaping functions rather than manual encoding — Jinja2 auto-escapes by default, React's JSX escapes by default, and PHP's htmlspecialchars() handles the common cases. Visit ToolPilot.dev for this and 19 other free developer tools.

Transcript covers all 6 chapters (2:25 total).

Frequently Asked Questions

What is HTML entity encoding?
HTML entity encoding replaces special characters with their HTML entity equivalents. For example, < becomes &lt;, > becomes &gt;, and & becomes &amp;. This prevents browsers from interpreting the characters as HTML markup.
Why do I need to encode HTML entities?
HTML entity encoding is required to: display code samples in HTML without them being executed, safely render user-provided content, prevent XSS (cross-site scripting) attacks, and include special characters like © or ™ in HTML.
What are the most common HTML entities?
&amp; = &, &lt; = <, &gt; = >, &quot; = ", &apos; = ', &nbsp; = non-breaking space, &copy; = ©, &reg; = ®, &trade; = ™, &mdash; = —, &ndash; = –.
What is XSS and how does HTML encoding prevent it?
Cross-site scripting (XSS) occurs when user input containing HTML or JavaScript is rendered unescaped in a page. Encoding all user-provided HTML (< → &lt;) prevents injected scripts from executing in the browser.
What is the difference between HTML encoding and URL encoding?
HTML encoding converts characters to HTML entity references (&lt;, &amp;) for safe display in HTML documents. URL encoding uses % sequences (%3C, %26) for safe transmission in URLs. Use the URL Encoder at toolpilot.dev/tools/url-encoder/ for URL contexts.
Can I decode HTML entities back to characters?
Yes. The HTML Entity Encoder also decodes: paste your HTML with entities (e.g., &lt;h1&gt;Hello&lt;/h1&gt;) and click Decode to get the original characters (<h1>Hello</h1>).
How do I display HTML code in a blog post?
To display HTML code in a webpage, encode the HTML first so browsers treat it as text rather than markup. Wrap the encoded output in <pre><code> tags for proper display.
How do I encode HTML in Python?
Use html.escape(): from html import escape; escape('<script>alert(1)</script>') returns '&lt;script&gt;alert(1)&lt;/script&gt;'. Always escape user input before rendering in HTML templates.
How do I encode HTML in JavaScript?
Create a temporary element: function escapeHtml(str) { const el = document.createElement('div'); el.textContent = str; return el.innerHTML; } This uses the browser's own HTML serializer. Note that the serializer encodes only &, < and > (plus non-breaking spaces) in text content and leaves quotes alone, so the result is safe as element text but not inside an attribute value; for attributes use a replace-based encoder such as the encodeHTML function in the Code Examples section.
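The FAQ answers above rely on html.escape() or on the browser DOM. As an added example that is not ToolPilot's code, the following Node.js implementation needs no DOM and covers the named and numeric entity forms the transcript describes: it encodes the five characters that must always be escaped, can emit any non-ASCII character as a decimal (&#169;) or hexadecimal (&#xA9;) entity, and decodes one layer of named, decimal and hex entities. The named-entity table is limited to the entities listed in this FAQ; sample inputs are constructed for the example.

```javascript
// Added example (not ToolPilot's code): a DOM-free HTML entity encoder and
// decoder for Node.js. Named-entity table limited to the FAQ's list.

// Characters that change meaning in HTML text or quoted attribute values.
const ENCODE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;', // numeric form: &apos; is not understood by some older parsers
};

// Named entities from the FAQ. HTML entity names are case-sensitive, so only
// these exact lowercase names are recognised when decoding.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  nbsp: '\u00A0', copy: '\u00A9', reg: '\u00AE', trade: '\u2122',
  mdash: '\u2014', ndash: '\u2013',
};

// Encode only the characters that are dangerous; everything else stays as-is.
function encodeHTML(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Encode the dangerous characters and additionally every non-ASCII character
// as a numeric entity: decimal (&#169;) by default, hex (&#xA9;) with hex: true.
function encodeNumeric(str, { hex = false } = {}) {
  return encodeHTML(str).replace(/[^\x00-\x7F]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    return hex ? `&#x${cp.toString(16).toUpperCase()};` : `&#${cp};`;
  });
}

// Decode exactly one layer of entities. Unknown names and out-of-range code
// points are left untouched rather than guessed. Do not call this in a loop:
// decoding "&amp;lt;" a second time would turn harmless text into "<".
function decodeHTML(str) {
  return String(str).replace(
    /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z][a-z0-9]*));/gi,
    (match, hexCode, decCode, name) => {
      if (hexCode !== undefined || decCode !== undefined) {
        const cp = hexCode !== undefined ? parseInt(hexCode, 16) : parseInt(decCode, 10);
        return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
      }
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
        ? NAMED_ENTITIES[name]
        : match;
    },
  );
}

// Round trip: encoding makes markup display as text, decoding restores it.
function roundTrip(str) {
  return decodeHTML(encodeHTML(str)) === str;
}

// Constructed sample input, as in the FAQ.
console.log(encodeHTML('<script>alert(1)</script>'));
console.log(encodeNumeric('\u00A9 2024'), encodeNumeric('\u00A9 2024', { hex: true }));
console.log(decodeHTML('&lt;h1&gt;Hello&lt;/h1&gt;'));
```

The decoder deliberately returns after a single pass: content that was already stored encoded (for example &amp;lt; in a database) must not be decoded again before rendering, or the text reverts to live markup.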

Code Examples

Ready-to-use implementations in popular programming languages. Copy, paste, and run.

Encode/Decode HTML Entities in JavaScript
// Encode HTML entities (prevent XSS). Replace & first so the ampersands
// introduced by the later replacements are not encoded a second time.
function encodeHTML(str) {
  return str
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Decode HTML entities (browser only). A textarea parses its content as
// text, so entities are resolved but no elements or scripts are created;
// el.value returns the decoded text.
function decodeHTML(str) {
  const el = document.createElement('textarea');
  el.innerHTML = str;
  return el.value;
}
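The encodeHTML function above handles text and quoted attributes. The FAQ also contrasts HTML encoding with URL encoding and asks how to show HTML code in a blog post; the following added example (not ToolPilot's code) puts the three together in Node.js. One user-supplied search term is placed as visible text, as a query parameter inside an href (URL-encoded first because it is part of a URL, then HTML-encoded because the URL sits in an attribute), and inside <pre><code>. The /search path, the example.invalid host and the inputs are constructed placeholders.

```javascript
// Added example (not ToolPilot's code): choosing the encoder by output context.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text and quoted-attribute context: the five characters from the page.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Link whose query parameter carries the term.
// Layer 1: encodeURIComponent keeps "&" and "=" inside the term from becoming
//          extra parameters.
// Layer 2: escapeHtml turns the "&" separating real parameters into "&amp;",
//          which is what attribute syntax requires.
function searchLink(term, page) {
  const url = `/search?q=${encodeURIComponent(term)}&page=${encodeURIComponent(page)}`;
  return `<a href="${escapeHtml(url)}">${escapeHtml(term)}</a>`;
}

// Code sample in a blog post: encode the markup so the browser displays it.
function codeBlock(source) {
  return `<pre><code>${escapeHtml(source)}</code></pre>`;
}

// Check helper: read the href back the way a browser would (undo the
// attribute-level HTML encoding, then parse the URL) and return the query
// parameters, so we can confirm the term survived both layers intact.
function linkParams(anchorHtml) {
  const m = /href="([^"]*)"/.exec(anchorHtml);
  const href = m[1].replace(/&amp;/g, '&');
  const url = new URL(href, 'http://example.invalid'); // placeholder base
  return Object.fromEntries(url.searchParams);
}

// Constructed inputs.
console.log(searchLink('Tom & Jerry', 2));
console.log(linkParams(searchLink('x&page=9', 1)));
console.log(codeBlock('<script>alert(1)</script>'));
```

The order of the layers is the point: the innermost context (the URL) is encoded first, and the outer context (the HTML attribute) last, so a term such as x&page=9 stays one parameter instead of overriding the real page parameter.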
