Free HTML Entity Encoder and Decoder
Escape text so it displays literally in HTML, or decode entities like & and — back to normal characters.
Frequently Asked Questions
Which characters must be escaped in HTML?
The essential five: & (as &), < (<), > (>), " ("), and ' ('). The first three prevent text from being parsed as markup; the quotes matter inside attribute values.
When would I encode non-ASCII characters too?
Mostly for legacy systems, email HTML, or files that might be saved without UTF-8 encoding. Modern UTF-8 pages can include é, —, or emoji directly — encoding them is optional insurance.
Does the decoder handle named and numeric entities?
Both. Named entities (—), decimal (—), and hexadecimal (—) all decode using the browser's own HTML parser — the same one that renders web pages.
Does escaping protect against XSS?
Escaping user input before inserting it into HTML is a core XSS defense — but context matters: attribute values, URLs, and JavaScript strings each need their own escaping rules. For URLs, see our URL encoder.