Encode and decode HTML entities. Supports named entities (&), numeric (&), and hex (&) formats. Escape special characters for HTML.
Encode special characters into HTML entities or decode entities back to readable text. Handles named entities (&), numeric (&), and hex (&) formats.
Initializing in your browser…
Generate ultra-secure passwords with presets (Simple to Paranoid), strength analysis, entropy calculation, crack time estimation, password history, and bulk generation
Analyze password security with 10 criteria checks, entropy calculation, crack time estimation, character breakdown, warnings, and improvement suggestions
Generate realistic fake data for testing and development. Create names, usernames, emails, addresses, phone numbers, and more. Export to JSON or CSV format
You need to show a literal code snippet containing tags and quotes inside an HTML page without it being parsed as markup.
Raw text
<script>alert("Tom & Jerry")</script>Entity-encoded
<script>alert("Tom & Jerry")</script>
The five characters that break (or exploit) HTML, `< > & " '`, are replaced with their named entities so the browser renders them as text instead of executing or mis-parsing them. This is the exact transformation that prevents reflected XSS when untrusted text lands in markup; the tool also decodes in the other direction.
Encode special characters into HTML entities or decode entities back to readable text. Handles named entities (&), numeric (&), and hex (&) formats.
This is a two-way HTML entity tool with Encode and Decode modes. In Encode mode you pick one of three output formats - Named (&), Numeric decimal (&), or Hex (&, emitted uppercase via toString(16).toUpperCase()) - and regardless of which you choose, the five HTML-significant characters & < > " and ' are always encoded; in Named mode the apostrophe specifically uses '. A separate "Encode all special chars" checkbox widens the scope: when enabled it also encodes every character above code point 127 (anything non-ASCII) plus any character that has a named-entity mapping (which includes the regular space, since the table maps ' ' to ). When off, the tool deliberately leaves plain text alone and touches only those five markup-breaking characters, which is the minimum needed to safely drop a code sample into HTML element or attribute text without it being parsed as tags.
The Named format is backed by a fixed lookup table of about sixty entities - the markup characters, currency signs (¢ £ ¥ €), symbols (© ® ™ ° §), typographic dashes and quotes (– — ‘ ’ “ ” « »), arrows (← → ↑ ↓ ↔), card suits (♠ ♣ ♥ ♦), Greek letters (α π Σ Ω), and math operators (∞ ≠ ≤ ≥ ⊂ ∩ ∪). Because this set is finite, any character outside it falls back to a decimal numeric entity even in Named mode, so the named option never fails to encode - it just stops being human-readable once you leave the known list. Decoding runs in a fixed order: it first replaces every named entity from that table (via split/join), then resolves decimal &#nnn; entities, then hex &#xNN; entities with one regex each, so over-encoded or scraped text with mixed forms is unwound in a single pass.
Two real limitations follow from the implementation. First, encoding reads char.charCodeAt(0) inside a per-code-point loop, so it works on UTF-16 code units rather than full Unicode scalar values: an emoji or other astral character above U+FFFF is a surrogate pair, and only its first half is encoded - 😀 (true code point 128512) becomes � and cannot be reconstructed by decode, which uses String.fromCharCode. The tool is therefore reliable for the Basic Multilingual Plane but not for emoji. Second, this is HTML-context escaping only - it makes text safe inside HTML markup, but the same output is not sufficient to escape values placed into JavaScript string literals, URL query parameters, or CSS, each of which needs its own escaping scheme. Practical conveniences include a Swap button that feeds the output back as input and flips the mode, a stats line showing the character-count delta and percentage size increase when encoding grows the text, a Copy button, an Example loader, and full state (mode, format, encodeAll, and input) carried in the URL so a configured conversion can be shared as a link.
With Encode mode, Named format, and 'Encode all' off, input <div class="x">a & b</div> produces <div class="x">a & b</div> - only the markup-breaking characters are touched and spaces are left intact.
In Decode mode, <p>Café & co</p> is unwound to <p>Café & co</p>, resolving named entities first, then the decimal é for é.
Whenever you're inserting user-provided text into an HTML page. Encoding prevents XSS attacks and rendering issues from characters like <, >, and &.
Named entities like & are easier to read. Numeric entities like & work for any Unicode character, including those without a named form.
This runs as client-side JavaScript. Keys, tokens, payloads, and other inputs never leave your device.