
HTML Encoder & Decoder

Encode and decode HTML entities.

Encoding converts &, <, >, ", and ' into HTML entities so text displays literally instead of being parsed as markup.

Processed on your device. We never see your files.

How to use HTML Encoder & Decoder

What this tool does

This tool converts text to and from HTML entities. Encode mode rewrites characters that have a special meaning in HTML — &, <, >, ", and ' — as entities such as &amp;, &lt;, and &gt;, so a browser displays them literally instead of treating them as markup. Decode mode does the reverse: it turns &amp;, &#233;, &#xE9;, and every other named or numeric entity back into the character it represents. An optional setting in Encode mode also converts every non-ASCII character — accented letters, currency symbols, emoji — into a numeric &#NNNN; entity, which is handy when a file or transport must stay strictly ASCII.

Why you might need it

The moment you put user-supplied or dynamic text into an HTML page, encoding matters. If someone’s name contains a <, or a comment includes the word AT&T, dropping that text into the page raw will either break the layout or, worse, let injected markup run. Encoding neutralises it. You also need it the other way around constantly: API responses, scraped pages, exported CSVs, and email bodies are full of &amp; and &#39; sequences that need to be turned back into readable text before you can use them. Doing it by hand is slow and error-prone — a single missed & produces wrong output.

How to use it

  1. Choose Encode or Decode with the segmented control at the top.
  2. Paste your text into the left-hand box.
  3. In Encode mode, optionally tick Also encode all non-ASCII characters if you need pure-ASCII output.
  4. Read the result in the right-hand box — it updates live as you type.
  5. Click Copy output to copy the result to your clipboard.

Use Load sample if you want a quick example to see the behaviour, and Clear to empty both boxes.

Common pitfalls

The most common mistake is encoding the same text twice. If you run already encoded text through Encode again, every & in &amp; becomes &amp;amp; and the output is wrong. Encode a value once, at the moment you insert it into HTML. Another trap is assuming you only need to escape < and >. Inside an attribute value, an unescaped " or ' can terminate the attribute early — that is why this tool escapes all five reserved characters by default.

When decoding, remember that a malformed entity is left as-is. A stray & that is not part of a real entity stays a literal &, which matches how browsers behave. If your output still shows &amp;, the input was probably double-encoded at the source.
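The two encoding pitfalls above, shown as an added example (this is not the tool's source code). The function names and the sample value are constructed, and `parsedValue` is a simplified stand-in for how an HTML parser ends a double-quoted attribute at the next raw quote.

```javascript
// Added example, not the tool's own code. Names and sample data are constructed.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };

// The trap: escaping only the angle brackets.
function escapeAnglesOnly(text) {
  return text.replace(/[<>]/g, (ch) => ENTITIES[ch]);
}

// All five reserved characters in a single pass, so the "&" produced for one
// character is never escaped again within the same call.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Place a value inside a double-quoted attribute using the given escaper.
function renderInput(value, escaper) {
  return `<input name="display" value="${escaper(value)}">`;
}

// Simplified view of what a parser takes as the attribute value:
// everything up to the next raw double quote.
function parsedValue(html) {
  return html.match(/ value="([^"]*)"/)[1];
}

const sampleName = `Ann "The Hammer" O'Neil <AT&T>`; // constructed input
const weak = parsedValue(renderInput(sampleName, escapeAnglesOnly));
const safe = parsedValue(renderInput(sampleName, escapeHtml));
const twice = escapeHtml(escapeHtml("AT&T")); // encoding already encoded text

console.log(JSON.stringify(weak)); // attribute ended early at the first raw quote
console.log(safe);                 // full value survives as entities
console.log(twice);                // the double-encoding symptom
```
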

Tips and advanced use

For data that must travel through an ASCII-only channel — some legacy email systems, certain config formats, or strict XML pipelines — turn on the non-ASCII option so accented and symbol characters become numeric entities that survive the trip. The decoder accepts decimal (&#233;) and hexadecimal (&#xE9;) numeric forms as well as named entities, so you can paste output from almost any source and get clean text back.
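A sketch of the non-ASCII option and of a decoder that accepts named, decimal and hexadecimal forms, added here as an example and not taken from the tool. The named-entity table is a small constructed subset, and leaving out-of-range numeric references unchanged is an assumption of this sketch that follows the "left as-is" rule described above.

```javascript
// Added example, not the tool's own code. NAMED is a tiny constructed subset.
const NAMED = new Map(Object.entries({
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", copy: "\u00A9",
}));

// Turn every non-ASCII code point into a decimal reference. The "u" flag makes
// the regex match whole code points, so an emoji becomes one entity instead of
// two surrogate halves that no decoder could turn back into a character.
function encodeNonAscii(text) {
  return text.replace(/[^\x00-\x7F]/gu, (ch) => `&#${ch.codePointAt(0)};`);
}

// Decode named, decimal and hex references in a single pass. Anything that is
// not a complete, known, in-range reference is returned unchanged.
function decodeEntities(text) {
  const ref = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;
  return text.replace(ref, (whole, body) => {
    if (body[0] !== "#") {
      return NAMED.has(body) ? NAMED.get(body) : whole;
    }
    const hex = body[1] === "x" || body[1] === "X";
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    const isSurrogate = cp >= 0xd800 && cp <= 0xdfff;
    // Assumption of this sketch: invalid code points stay as literal text.
    if (cp === 0 || cp > 0x10ffff || isSurrogate) return whole;
    return String.fromCodePoint(cp);
  });
}

const original = "caf\u00E9 \u20AC5 \u{1F600}"; // constructed sample: é, €, emoji
const asciiOnly = encodeNonAscii(original);
console.log(asciiOnly);
console.log(decodeEntities(asciiOnly) === original);
console.log(decodeEntities("AT&T &bogus; &amp;lt;"));
```

Because the decoder makes one pass, `&amp;lt;` comes back as the text `&lt;` and not as `<`, which is how double-encoded input shows up.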

Because everything runs locally in your browser, it is perfectly safe to encode or decode text that contains internal identifiers, tokens, or customer content — none of it leaves your device. Note that HTML encoding is about display correctness, not security on its own: it stops text from being parsed as markup in element content and quoted attribute values, but it is not encryption, and untrusted input placed anywhere else, such as inside a script, a style rule, or a URL, needs escaping that matches that context.

Frequently asked questions

Is my text sent to a server when I encode or decode it?
No. All encoding and decoding happens inside your browser using JavaScript. Nothing you paste is uploaded, logged, or stored — you can confirm this in your browser's Network tab.

Which characters get encoded?
By default the five characters that are special in HTML are encoded: the ampersand, less-than and greater-than signs, the double quote, and the apostrophe. Turn on the non-ASCII option to also convert every accented letter, symbol, and emoji into a numeric entity.

What is the difference between named and numeric entities?
Named entities use a readable label, such as &amp; for an ampersand or &copy; for a copyright sign. Numeric entities use a code point, such as &#169; or &#xA9;. The decoder understands all three forms; the encoder produces named entities for the five reserved characters and numeric entities for everything else.

Why should I encode the apostrophe and quote?
When you place text inside an HTML attribute, an unescaped quote can end the attribute early and break the page or open an injection hole. Encoding the double quote and apostrophe keeps attribute values intact no matter what the user typed.

Does decoding run any HTML or scripts?
No. The decoder parses the entities but only reads back the resulting text content. It never renders the markup, so a string containing a script tag is decoded to plain text and nothing is executed.
