Encode and decode HTML entities with support for named, numeric, and hex formats to safely display special characters and prevent security vulnerabilities. HTML entities convert special characters that have meaning in HTML (like <, >, &) into safe representations that browsers display correctly without interpreting as HTML. This tool handles three entity formats: named entities using readable names (like &amp; for &), numeric entities using character codes (&#38; for &), and hexadecimal entities (&#x26; for &). Convert user-generated content to entities to prevent XSS attacks that exploit unencoded special characters. Decode entities received from external sources to see the actual content. Support for bulk encoding makes it easy to process multiple lines of text at once. Essential for web developers, content creators, and security-conscious developers preventing injection attacks.
Encode special characters when preparing HTML content to ensure they display correctly in browsers.
Encode user-generated content before inserting into HTML to prevent injection attacks.
Safely display characters that have special meaning in HTML like quotes, angle brackets, and ampersands.
Encode code examples and technical documentation for display on websites.
Prepare HTML emails by encoding special characters to ensure compatibility with email clients.
Decode entities from legacy systems or exported data to work with the actual character values.
HTML character encoding is fundamentally about the intersection of two systems: the HTML markup language, which uses specific characters as syntactic delimiters, and Unicode, the universal character encoding standard that assigns a unique code point to every character in every writing system. When these systems overlap, as they do with characters like < (less-than sign, used for HTML tags), > (greater-than sign, closing HTML tags), & (ampersand, starting entity references), and " (quotation mark, delimiting attribute values), the characters must be escaped to prevent the browser from interpreting them as markup rather than displaying them as text.
HTML entities provide three syntactic formats for representing characters. Named entities use mnemonic names defined in the HTML specification: &lt; for <, &gt; for >, &amp; for &, &quot; for ", and &apos; for ' (the apostrophe entity, not universally supported in HTML4 but standard in HTML5 and XML). The HTML5 specification defines over 2,000 named entities covering mathematical symbols, Greek letters, currency symbols, arrows, and many other characters. Numeric entities reference Unicode code points directly in decimal: &#60; represents U+003C (less-than sign), while hexadecimal entities use the &#x prefix: &#x3C; represents the same character. Numeric and hexadecimal entities can represent any Unicode code point, including characters that have no named entity.
The security implications of HTML encoding are profound, particularly for preventing Cross-Site Scripting (XSS) attacks. XSS occurs when an attacker injects executable code (typically JavaScript) into a web page that other users view. The most common vector is inserting a script tag through user-generated content: if a comment field accepts "<script>alert('XSS')</script>" and displays it without encoding, the browser executes the script in the context of the page, potentially stealing session cookies, modifying page content, or redirecting users. Encoding the < and > characters as &lt; and &gt; neutralizes this attack because the browser displays the literal text instead of interpreting it as HTML tags.
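The following is an added example, not code from the tool described on this page. It implements the three entity formats from the previous paragraphs (named, decimal numeric, hexadecimal), a decoder that accepts all three in one input, and the comment-field case above, where the encoded output carries no tag for the browser to execute. The function names, the small named-entity table, and the sample comment string are this example's own choices; the full HTML5 table with its 2,000+ names is not reproduced here.

```javascript
// Added example (not the tool's own code): HTML entity encoding and decoding
// for the three entity formats described above. Runs in Node or a browser.

// Entities for the five characters that carry syntactic meaning in HTML.
// The apostrophe uses the numeric form &#39; because, as noted above,
// &apos; is not recognized by HTML4-era parsers.
const NAMED = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };

// Encode for HTML body text: only the five syntax characters are replaced.
function encodeHtml(text) {
  return String(text).replace(/[<>&"']/g, ch => NAMED[ch]);
}

// Decimal numeric form for every character, e.g. "&" -> "&#38;".
function encodeNumeric(text) {
  return Array.from(String(text), ch => `&#${ch.codePointAt(0)};`).join('');
}

// Hexadecimal form for every character, e.g. "&" -> "&#x26;".
function encodeHex(text) {
  return Array.from(String(text), ch =>
    `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`).join('');
}

// Decode table for named entities. This is a small subset of the HTML5 table
// (the five syntax characters plus two common names), not the full list.
const NAMED_DECODE = {
  lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", nbsp: '\u00A0', copy: '\u00A9',
};

// Decode named, decimal and hex entities, in any mix, in a single pass.
// An unknown name or an invalid code point is left as literal text rather
// than dropped, so nothing silently disappears from the input.
function decodeHtml(text) {
  return String(text).replace(
    /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        // Accept only Unicode scalar values: no surrogates, nothing above U+10FFFF.
        if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return match;
        return String.fromCodePoint(cp);
      }
      const decoded = NAMED_DECODE[name];
      return decoded === undefined ? match : decoded;
    });
}

// The comment-field case from the text: a script tag submitted as content.
// Constructed sample input, not real data.
const hostileComment = "<script>alert('XSS')</script>";

// Encoded before insertion, the markup contains the literal text and no
// <script> element, so the browser has nothing to execute.
function renderCommentSafely(comment) {
  return `<p class="comment">${encodeHtml(comment)}</p>`;
}

// Encoding followed by decoding must return the original text unchanged.
function roundTrip(text) {
  return decodeHtml(encodeHtml(text));
}

console.log(renderCommentSafely(hostileComment));
console.log(decodeHtml('&lt;a&gt; &#38; &#x26; &amp;'));
```

In a browser, the same protection is available without any encoding by assigning the untrusted string to `textContent` instead of `innerHTML`; the encoder above is for the cases where markup is assembled as a string, such as server-side templates or the HTML-email use case listed earlier.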
Encoding strategy depends on the output context. In HTML body content, encoding the five critical characters (<, >, &, ", ') is sufficient. In HTML attribute values, additional characters may need encoding depending on the quoting style. In JavaScript contexts, HTML encoding alone is insufficient because the browser first interprets the JavaScript string before rendering any HTML entities. In URL contexts, percent-encoding (URL encoding) is required instead of HTML encoding. The OWASP (Open Web Application Security Project) recommends context-aware output encoding as the primary defense against XSS, where the encoding function used matches the output context. Server-side frameworks and templating engines increasingly provide automatic encoding by default, treating all dynamic content as untrusted and encoding it appropriately for the output context.
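As an added example of the context-aware encoding the paragraph above describes (this is not the tool's code and not an OWASP library), the block below defines one encoder per output context and places the same untrusted value into an HTML body, an HTML attribute, an inline JavaScript string, and a URL query parameter. Function names and the sample input are this example's own; the JavaScript encoder uses `JSON.stringify` plus extra escapes as one reasonable implementation, not the only one.

```javascript
// Added example (not the tool's own code): one encoder per output context,
// following the context-aware output encoding approach described above.

// HTML body text: replace the five syntax characters with entities.
function forHtmlBody(value) {
  const map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[<>&"']/g, ch => map[ch]);
}

// HTML attribute value: same entities, and the result is always wrapped in
// double quotes so an unquoted attribute can never be broken out of.
function forHtmlAttribute(value) {
  return `"${forHtmlBody(value)}"`;
}

// JavaScript string literal inside an inline <script>: the HTML parser does
// not decode entities in script content, so entity encoding does not help
// here. JSON.stringify escapes quotes, backslashes and control characters;
// the extra replacements stop "</script>" and the U+2028/U+2029 line
// terminators from closing the script block or the string early.
function forJavaScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003C')
    .replace(/>/g, '\\u003E')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// URL query parameter: percent-encoding, not HTML entities.
function forUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Place one untrusted value into all four contexts. A URL that sits inside
// an attribute is encoded twice, in layers: percent-encoding for the URL,
// then attribute encoding for the surrounding HTML.
function renderProfileFragment(userInput) {
  return [
    `<p>${forHtmlBody(userInput)}</p>`,
    `<input value=${forHtmlAttribute(userInput)}>`,
    `<script>var displayName = ${forJavaScript(userInput)};</script>`,
    `<a href=${forHtmlAttribute('/search?q=' + forUrlParam(userInput))}>search</a>`,
  ].join('\n');
}

// Constructed sample input, not real data: it would close an attribute in one
// context, a script block in another, and a query parameter in a third.
const sample = `x" onload="alert(1)</script><script>alert(2)</script>&q=y`;
console.log(renderProfileFragment(sample));
```

The fragment printed for the sample is safe in every line even though the same string appears four times, because each copy was encoded by the function that matches its surrounding syntax; applying `forHtmlBody` to all four positions would leave the script and URL lines exposed.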
Named entities use readable names like &amp; for &. Numeric entities use character codes like &#38;. Named entities are easier to read in source code, while numeric entities cover all Unicode characters.
Encode whenever displaying user-generated content, special characters in HTML, or characters that could be interpreted as HTML tags. This prevents XSS attacks and ensures characters display correctly.
The five characters that must always be encoded are: < (&lt;), > (&gt;), & (&amp;), " (&quot;), and ' (&apos;). Other special characters should be encoded if they are not part of your document encoding.
Yes, switch to decode mode to convert HTML entities back to their original characters. This works with named, numeric, and hex entity formats, handling mixed formats in a single input.
All processing happens directly in your browser. Your files never leave your device and are never uploaded to any server.