HTML Entity Converter — Free Encoder & Decoder

Encode text to safe HTML entities or decode entity-laden HTML back to plain characters. Four encode modes (dangerous-five, named, numeric, all non-ASCII), decimal or hex output, full Unicode support. Free and 100% in your browser.

Bidirectional in One Click

Encode plain text to entities, decode entities back to characters. Toggle direction without losing your input. No copy-paste round-tripping.

XSS-Safe Encoding

"Dangerous Five" mode encodes only `& < > " '` — the minimum-required set to safely embed user content in HTML body and attribute contexts. No data loss, no overzealous mangling.

Full Unicode

Surrogate-pair safe, emoji safe. Iteration is per code point (not per UTF-16 code unit), so `👋` encodes as a single `&#128075;` entity, not as two broken halves.

100% Client-Side

Encoding, decoding, and entity-table lookup all run in your browser. User submissions, leaked credentials, or pre-sanitized payloads — none of it leaves your device.

HTML Entity Converter: encode and decode HTML entities online

An HTML entity converter turns characters a browser would read as markup (& < > " ') into safe entities, and reverses the process to decode &lt;p&gt;-style HTML back into plain text. Pick an encode mode — dangerous-five, named, numeric (decimal or hex), or all non-ASCII — or flip direction to decode named, decimal, and hex entities. It is free, surrogate-pair safe for emoji, and runs 100% in your browser.

How to convert HTML entities

  1. Pick a direction with the toggle: Encode → Entities for plain text, or Decode → Plain Text for entity-laden HTML.
  2. For encoding, choose a Mode: Dangerous Five Only, Named (with numeric fallback), Numeric (always), or All Non-ASCII.
  3. For numeric output, set the Numeric format to Decimal (&#39;) or Hexadecimal (&#x27;).
  4. Paste or type into the input box, or click a sample (XSS payload, Mixed Unicode, encoded source, Math + Greek). Output updates instantly.
  5. Use Copy to grab the result, the flip button to round-trip it through the other direction, or Clear to reset.

What are HTML entities and how do they work?

An HTML entity is a placeholder that represents a character the parser would otherwise treat as structure. Every entity starts with an ampersand and ends with a semicolon. There are three forms: named (&copy;), decimal numeric (&#169;), and hexadecimal numeric (&#xA9;) — all three produce the same © character. The complete list of named references lives in the WHATWG HTML Standard, section 13.5, which defines roughly 2,231 names — far more than the ~150 common ones this tool curates.

Only five entities are strictly required. XML predefines exactly &amp;, &lt;, &gt;, &quot;, and &apos;, and the trailing semicolon is mandatory. These are the characters that delimit markup, so leaving them literal lets a browser read injected <script> tags or attribute breaks as real HTML — the mechanism behind stored and reflected XSS. Numeric references work for every Unicode code point up to U+10FFFF, including emoji, which is why numeric mode never runs out of coverage.

"XML specifies five predefined entities: &amp;, &lt;, &gt;, &apos;, and &quot;." — List of XML and HTML character entity references

The five required HTML entities

| Character | Named Entity | Decimal | Hex | Why It's Required |
|---|---|---|---|---|
| `&` | `&amp;` | `&#38;` | `&#x26;` | Starts every other entity — must be encoded first |
| `<` | `&lt;` | `&#60;` | `&#x3C;` | Starts a tag — un-encoded enables tag injection |
| `>` | `&gt;` | `&#62;` | `&#x3E;` | Closes a tag — pairs with < for full injection |
| `"` | `&quot;` | `&#34;` | `&#x22;` | Breaks out of double-quoted attribute values |
| `'` | `&apos;` | `&#39;` | `&#x27;` | Breaks out of single-quoted attribute values |

Worked examples: input → output

Encode · dangerous-five mode

<script>alert("hi")</script> → &lt;script&gt;alert(&quot;hi&quot;)&lt;/script&gt;

Encode · named mode

Crème Brûlée & €5.99 → Cr&egrave;me Br&ucirc;l&eacute;e &amp; &euro;5.99

Decode · mixed named + numeric input

&lt;p&gt;Hi &amp; bye&lt;/p&gt; &copy; &#8364;19 → <p>Hi & bye</p> © €19

Edge case · emoji & unknown entity

Encoding a rocket emoji in numeric mode yields a single &#128640; (code point U+1F680), not two broken surrogate halves — because the encoder iterates with for...of. On decode, an unknown name like &notareal; is left unchanged and flagged in the stats footer rather than silently dropped.

Where HTML entities fit: context-aware encoding

HTML entities solve the HTML context only. Each output context has its own escape rule, and using the wrong one leaves a hole:

| Output context | Correct escaping | Example |
|---|---|---|
| HTML body / attribute | HTML-encode the dangerous five (this tool) | `&lt;script&gt;` |
| URL path / query string | Percent-encode via the URL Encoder | `%3Cscript%3E` |
| JavaScript string literal | JSON-encode, then HTML-encode if inside markup | `"<script>"` |
| CSS property value | CSS-escape: backslash + hex code point | `\3C script\3E` |
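The four contexts above, applied to one untrusted string, as an added example that is not this tool's code (all function names are assumptions). It goes one step beyond the table: `JSON.stringify` leaves `<`, `>` and `&` literal, so the JavaScript encoder also rewrites them as `\uXXXX` escapes to keep the literal inert inside a `<script>` element.

```javascript
// Added example, not the tool's code. All function names are assumptions.

// HTML body / quoted attribute: the dangerous five, as numeric references.
const htmlEscape = s => s.replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);

// URL path segment or query value: percent-encoding (built in).
const urlEscape = s => encodeURIComponent(s);

// JavaScript string literal: JSON-encode, then escape the characters that
// JSON.stringify leaves literal but that matter to the HTML parser or to
// older JS engines (U+2028 / U+2029 line separators).
const jsStringEscape = s =>
  JSON.stringify(s).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));

// JS string inside an HTML attribute (e.g. an event handler): two layers,
// JSON first, then HTML, in the order the table gives.
const jsInAttrEscape = s => htmlEscape(JSON.stringify(s));

// CSS value: backslash + hex code point + terminating space for every
// code point outside [A-Za-z0-9].
function cssEscape(s) {
  let out = '';
  for (const ch of s) {
    out += /[A-Za-z0-9]/.test(ch)
      ? ch
      : `\\${ch.codePointAt(0).toString(16).toUpperCase()} `;
  }
  return out;
}

// One untrusted value, encoded once per destination context.
function encodeForAllContexts(untrusted) {
  return {
    html: htmlEscape(untrusted),
    url: urlEscape(untrusted),
    js: jsStringEscape(untrusted),
    jsInAttr: jsInAttrEscape(untrusted),
    css: cssEscape(untrusted),
  };
}
```

The `js` output is still valid JSON, so `JSON.parse` on it returns the original string unchanged.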

The &apos; trap most converters ignore

In dangerous-five mode this tool maps the apostrophe to the named entity &apos;. That is valid in HTML5 and XML, but &apos; was not defined in HTML 4 or XHTML 1.0 — so it can render literally as the text &apos; in old parsers like Internet Explorer 8. If your output must survive legacy environments, switch to Numeric mode, which emits the universally safe &#39; instead.

A second real limit: the curated named table holds ~150 entries, not the full ~2,231 in the spec. In Named mode, any character without a curated name (most CJK text, rare symbols) automatically falls back to a numeric reference, so you never get a broken or missing entity — just a numeric one. On decode, names outside the table pass through untouched and are reported, never silently lost.
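The behaviour described in the worked examples and in this section, as an added sketch that is not the tool's source: dangerous-five versus numeric encoding (where the apostrophe becomes `&#39;`), code-point iteration, and a decoder that leaves unknown names in place and reports them. The function names and the seven-entry name table are assumptions, as is treating out-of-range numeric references like unknown names.

```javascript
// Added example, not the tool's source. Names and the tiny NAMED table are assumptions.
const FIVE = new Map([['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'],
  ['"', '&quot;'], ["'", '&apos;']]);
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'],
  ['apos', "'"], ['copy', '©'], ['euro', '€']]);

// mode 'five': named entities for the dangerous five only.
// mode 'numeric': numeric references for the five and all non-ASCII,
// so the apostrophe becomes &#39; (or &#x27;) instead of &apos;.
function encodeEntities(text, { mode = 'five', hex = false } = {}) {
  let out = '';
  for (const ch of text) {            // for...of yields whole code points
    const cp = ch.codePointAt(0);
    if (mode === 'five') {
      out += FIVE.get(ch) ?? ch;
    } else if (FIVE.has(ch) || cp > 0x7f) {
      out += hex ? `&#x${cp.toString(16).toUpperCase()};` : `&#${cp};`;
    } else {
      out += ch;
    }
  }
  return out;
}

// Single left-to-right pass: text produced by one replacement is never
// rescanned, so "&amp;lt;" decodes to "&lt;" and not to "<".
function decodeEntities(html) {
  const unknown = [];
  const pattern = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;
  const text = html.replace(pattern, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // Reject NUL, values past U+10FFFF and lone surrogates.
      const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
      if (valid) return String.fromCodePoint(cp);
    } else if (NAMED.has(body)) {
      return NAMED.get(body);
    }
    unknown.push(match);              // left in place and reported
    return match;
  });
  return { text, unknown };
}
```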

Runs 100% in your browser

Your data never leaves your device. Encoding, decoding, and the entity-table lookup all run locally in JavaScript — no uploads, nothing leaves your device — so user submissions, pre-sanitization payloads, or credentials you are auditing stay private. I tested all four encode modes against the built-in samples (an XSS payload, mixed Unicode with accents and the euro sign, a Math + Greek string, and a pre-encoded source), in both decimal and hex, plus emoji round-trips. Encoding then decoding the same input returns the original text every time.

Frequently asked questions

Is this HTML entity converter free?

Yes — 100% free with no signup and no usage cap. Everything runs in your browser, so it also works offline once the page loads.

What is the difference between named and numeric entities?

Named entities use a label (&copy;); numeric entities use the Unicode code point in decimal (&#169;) or hex (&#xA9;). All three produce the same character. Named is readable but limited to ~2,231 names; numeric covers every Unicode character including emoji.

Does this handle emoji correctly?

Yes. The encoder iterates by code point, so an emoji like the rocket (U+1F680) becomes one &#128640; entity rather than two broken surrogate halves.

Does encoding the dangerous five fully prevent XSS?

It is the foundation, not the whole defence. JavaScript, URL, and CSS contexts need their own escaping, and rich text needs a vetted sanitizer such as DOMPurify. This tool handles the HTML body and attribute context correctly.

Last updated: June 2, 2026 · Runs 100% in your browser — no uploads, nothing leaves your device.
