HTML Encoder / Decoder
Escape HTML special characters or decode entities back. Useful for safely embedding user input or debugging encoded markup.
What is this for?
HTML reserves five characters with structural meaning — &, <, >, ", '. Putting any of those into a page as content requires escaping them as HTML entities so the browser doesn't interpret them as markup. This tool flips both directions: encode raw text into safe entities, or decode scraped HTML back to plain text.
When to use it
- Embedding untrusted user content in HTML — encode first to prevent XSS.
- Decoding scraped or copy-pasted markup that arrived with entities (&amp;, &#39;, &ldquo;).
- Un-mangling templates that have been double-escaped accidentally.
- Preparing snippets for JSDoc, CDATA-free XML, or markdown code fences that need literal angle brackets.
Common gotchas
- Encoding is not sanitisation. Encoding makes text safe to display; if you also want to strip tags, you need an HTML sanitiser instead.
- Attributes vs body. Both contexts need the same five characters escaped, but JavaScript event handlers like onclick need additional escaping (which this tool doesn't do — keep untrusted data out of attributes).
- Decoder is permissive. Named entities (&ldquo;), decimal (&#34;) and hex (&#x22;) all decode via the browser's parser, so it accepts anything a real browser would.
- Don't double-encode. Encoding an already-encoded value gives you &amp;. Decode first if you see entities in your input.
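
The gotchas above, checked in code. This is an added example, not this tool's source: encodeHtml, decodeHtml, looksEncoded, handlerSource and the greet/track handler names are hypothetical, and the decoder covers only five named entities where a browser's parser knows many more.

```javascript
// Added example, not this tool's source. The decoder knows only five named
// entities (an assumption; a browser's parser knows many more).
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);

// Escape the five structural characters for HTML body or quoted attribute values.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

// Decode named, decimal and hex references in a single pass (output is not rescanned).
function decodeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// True when the input already carries character references, so encoding it
// again would yield double-escaped output such as &amp;lt;.
function looksEncoded(text) {
  return decodeHtml(text) !== String(text);
}

// Returns the script text an inline handler receives: the HTML parser decodes
// the attribute value before the script engine sees it, so entity-encoding
// alone does not keep the value inside the JavaScript string literal.
function handlerSource(untrusted) {
  const markup = `<button onclick="greet('${encodeHtml(untrusted)}')">Hi</button>`;
  const attr = /onclick="([^"]*)"/.exec(markup)[1];
  return decodeHtml(attr);
}

// Constructed sample inputs.
console.log(encodeHtml(`<b>"Tom" & 'Jerry'</b>`));
console.log(encodeHtml(encodeHtml('<')), looksEncoded('&lt;b&gt;'));
console.log(handlerSource("x'); track('y"));
```

The last line prints two statements where the template intended one string argument, which is why untrusted data should stay out of event-handler attributes.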