Why escape HTML entities?

When you put user-supplied or dynamic text into an HTML page, characters like , &, and quotes can be interpreted as markup instead of text - that is the root of cross-site scripting (XSS). Escaping them to entities (< > & ") makes the browser render them as literal characters, not as tags. Escaping output is the single most important habit for safe HTML rendering.

What is the difference between named and numeric entities?

A named entity like © is human-readable; a numeric entity like © or © references the character by its Unicode code point. Both decode to the same character. This tool decodes either form, and on encode it escapes the five HTML-significant characters by name, with an option to encode all non-ASCII as numeric entities for maximum compatibility.

No. Encoding and decoding run entirely in your browser - nothing you type is sent anywhere. Decoding is done safely so that markup in the input is never executed.

Free tool · Runs in your browser · Nothing uploaded

HTML entity encode & decode.

Escape text to HTML entities so it renders as literal characters instead of markup — or decode entities (named or numeric) back to text. Two-way and live; the encode side is the core defense against XSS.

Text

Also encode non-ASCII (numeric)

HTML-encoded

Render it as text, not as code

The whole point of HTML escaping is to keep data from turning into markup. A stray <script> in a comment, a quote that closes an attribute early — these are how cross-site scripting happens, and the fix is to escape the handful of HTML-significant characters before the text reaches the page. Most frameworks do this for you, but the moment you build HTML by hand, you own it. Encode on the way out, decode when you need the original back.

Related free tools

Epoch / timestamp converterUnix timestamp both ways UUID generatorRandom v4 UUIDs Hash generatorSHA-256/512 of text Base64 encode / decodeEncode/decode Base64

All free tools →

Free tools for the backend you run.

One of a set of free developer tools from Infraveil — the control plane for running, securing, and watching your backend on servers you own. Browse the rest, no signup.

See all free tools

Get the backend toolkit

Practical tools and guides for shipping and running a backend you own. No spam.