Skip to main content
L
Loopaloo
Buy Us a Coffee
All ToolsImage ProcessingAudio ProcessingVideo ProcessingDocument & TextPDF ToolsCSV & Data AnalysisConverters & EncodersWeb ToolsMath & ScienceGames
Guides & BlogAboutContact
Buy Us a Coffee
L
Loopaloo

Free online tools for developers, designers, and content creators. All processing happens entirely in your browser - your files never leave your device. No uploads, no accounts, complete privacy.

support@loopaloo.com

Tool Categories

  • Image Tools
  • Audio Tools
  • Video Tools
  • Document & Text
  • PDF Tools
  • CSV & Data
  • Converters
  • Web Tools
  • Math & Science
  • Games

Company

  • About Us
  • Contact
  • Blog
  • FAQ

Legal

  • Privacy Policy
  • Terms of Service
  • Disclaimer

Support

Buy Us a Coffee

© 2026 Loopaloo. All rights reserved. Built with privacy in mind.

Privacy|Terms|Disclaimer
  1. Home
  2. Web Tools
  3. HTML Entity Encoder/Decoder
Add to favorites

HTML Entity Encoder/Decoder

Encode and decode HTML entities. Supports named entities (&), numeric (&), and hex (&) formats. Escape special characters for HTML.

Encode special characters into HTML entities or decode entities back to readable text. Handles named entities (&), numeric (&), and hex (&) formats.

Runs locally in your browserMore web toolsJump to full guide

Related reading

  • HTML Entities and Special Characters: A Complete Reference for Web Developers14 min read

Initializing in your browser…

You might also like

Password Generator

Generate ultra-secure passwords with presets (Simple to Paranoid), strength analysis, entropy calculation, crack time estimation, password history, and bulk generation

Password Strength Checker

Analyze password security with 10 criteria checks, entropy calculation, crack time estimation, character breakdown, warnings, and improvement suggestions

Mock Data Generator

Generate realistic fake data for testing and development. Create names, usernames, emails, addresses, phone numbers, and more. Export to JSON or CSV format

HTML Entity Encoder/Decoder: a worked example

You need to show a literal code snippet containing tags and quotes inside an HTML page without it being parsed as markup.

Raw text

<script>alert("Tom & Jerry")</script>
HTML Entity Encoder/Decoder produces

Entity-encoded

&lt;script&gt;alert(&quot;Tom &amp; Jerry&quot;)&lt;/script&gt;

The five characters that break (or exploit) HTML, `< > & " '`, are replaced with their named entities so the browser renders them as text instead of executing or mis-parsing them. This is the exact transformation that prevents reflected XSS when untrusted text lands in markup; the tool also decodes in the other direction.

About the HTML Entity Encoder/Decoder

Encode special characters into HTML entities or decode entities back to readable text. Handles named entities (&amp;), numeric (&#38;), and hex (&#x26;) formats.

How to use

  1. 1Paste text or HTML into the input.
  2. 2Choose encode or decode mode.
  3. 3Copy the result.

How it works

This is a two-way HTML entity tool with Encode and Decode modes. In Encode mode you pick one of three output formats - Named (&amp;), Numeric decimal (&#38;), or Hex (&#x26;, emitted uppercase via toString(16).toUpperCase()) - and regardless of which you choose, the five HTML-significant characters & < > " and ' are always encoded; in Named mode the apostrophe specifically uses &apos;. A separate "Encode all special chars" checkbox widens the scope: when enabled it also encodes every character above code point 127 (anything non-ASCII) plus any character that has a named-entity mapping (which includes the regular space, since the table maps ' ' to &nbsp;). When off, the tool deliberately leaves plain text alone and touches only those five markup-breaking characters, which is the minimum needed to safely drop a code sample into HTML element or attribute text without it being parsed as tags.

The Named format is backed by a fixed lookup table of about sixty entities - the markup characters, currency signs (&cent; &pound; &yen; &euro;), symbols (&copy; &reg; &trade; &deg; &sect;), typographic dashes and quotes (&ndash; &mdash; &lsquo; &rsquo; &ldquo; &rdquo; &laquo; &raquo;), arrows (&larr; &rarr; &uarr; &darr; &harr;), card suits (&spades; &clubs; &hearts; &diams;), Greek letters (&alpha; &pi; &Sigma; &Omega;), and math operators (&infin; &ne; &le; &ge; &sub; &cap; &cup;). Because this set is finite, any character outside it falls back to a decimal numeric entity even in Named mode, so the named option never fails to encode - it just stops being human-readable once you leave the known list. Decoding runs in a fixed order: it first replaces every named entity from that table (via split/join), then resolves decimal &#nnn; entities, then hex &#xNN; entities with one regex each, so over-encoded or scraped text with mixed forms is unwound in a single pass.

Two real limitations follow from the implementation. First, encoding reads char.charCodeAt(0) inside a per-code-point loop, so it works on UTF-16 code units rather than full Unicode scalar values: an emoji or other astral character above U+FFFF is a surrogate pair, and only its first half is encoded - 😀 (true code point 128512) becomes &#55357; and cannot be reconstructed by decode, which uses String.fromCharCode. The tool is therefore reliable for the Basic Multilingual Plane but not for emoji. Second, this is HTML-context escaping only - it makes text safe inside HTML markup, but the same output is not sufficient to escape values placed into JavaScript string literals, URL query parameters, or CSS, each of which needs its own escaping scheme. Practical conveniences include a Swap button that feeds the output back as input and flips the mode, a stats line showing the character-count delta and percentage size increase when encoding grows the text, a Copy button, an Example loader, and full state (mode, format, encodeAll, and input) carried in the URL so a configured conversion can be shared as a link.

Examples

  • Safe minimal encoding for a code snippet

    With Encode mode, Named format, and 'Encode all' off, input <div class="x">a & b</div> produces &lt;div class=&quot;x&quot;&gt;a &amp; b&lt;/div&gt; - only the markup-breaking characters are touched and spaces are left intact.

  • Decoding over-encoded scraped text

    In Decode mode, &lt;p&gt;Caf&#233; &amp; co&lt;/p&gt; is unwound to <p>Café & co</p>, resolving named entities first, then the decimal &#233; for é.

Tips & best practices

  • Leave 'Encode all special chars' off when you just want to paste a code snippet into HTML - it encodes only & < > " and ', the minimum needed to stop the browser parsing your text as tags.
  • Use the Numeric or Hex format for characters outside the tool's named-entity table; Named mode silently falls back to decimal numeric for anything it doesn't recognize.
  • Don't rely on this output for emoji - characters above U+FFFF are encoded from their first UTF-16 surrogate (😀 becomes &#55357; instead of the true &#128512;) and won't decode back correctly.
  • Use the Swap button to verify a round trip: encode some text, swap, and confirm the decode returns your original.
  • HTML-entity output is not an XSS cure-all - it only escapes for HTML markup context, not for values you inject into JavaScript, URLs, or CSS.

Frequently asked questions

When do I need to encode HTML entities?

Whenever you're inserting user-provided text into an HTML page. Encoding prevents XSS attacks and rendering issues from characters like <, >, and &.

What's the difference between named and numeric entities?

Named entities like &amp; are easier to read. Numeric entities like &#38; work for any Unicode character, including those without a named form.

Further reading

  • HTML Entities and Special Characters: A Complete Reference for Web Developers14 min read

Private by design

This runs as client-side JavaScript. Keys, tokens, payloads, and other inputs never leave your device.