Free HTML Entity Encoder and Decoder

Escape text so it displays literally in HTML, or decode entities like & and — back to normal characters.

Frequently Asked Questions

Which characters must be escaped in HTML?

The essential five: & (as &amp;), < (&lt;), > (&gt;), " (&quot;), and ' (&#39;). The first three prevent text from being parsed as markup; the quotes matter inside attribute values.

When would I encode non-ASCII characters too?

Mostly for legacy systems, email HTML, or files that might be saved without UTF-8 encoding. Modern UTF-8 pages can include é, —, or emoji directly — encoding them is optional insurance.

Does the decoder handle named and numeric entities?

Both. Named entities (&mdash;), decimal (&#8212;), and hexadecimal (&#x2014;) all decode using the browser's own HTML parser — the same one that renders web pages.

Does escaping protect against XSS?

Escaping user input before inserting it into HTML is a core XSS defense — but context matters: attribute values, URLs, and JavaScript strings each need their own escaping rules. For URLs, see our URL encoder.