HTML Encoder/Decoder
Encode special characters to HTML entities or decode entities back to text. Prevent XSS and display HTML safely.
Features
- ✓ Encode special characters to HTML entities
- ✓ Decode HTML entities back to readable text
- ✓ Handles named, decimal, and hexadecimal entities
- ✓ Prevents XSS by escaping dangerous characters
- ✓ Swap between input and output instantly
- ✓ Works offline — no server requests
How to Use
1. Select "Encode" or "Decode" mode
2. Paste or type your text in the input field
3. The converted result appears instantly
4. Copy the result using the Copy button
5. Use Swap to quickly reverse the operation
Examples
Input
<div class="alert">Hello & welcome!</div>
Output
<div class="alert">Hello & welcome!</div>
Input
5 > 3 && 2 < 4 | it's true
Output
5 > 3 && 2 < 4 | it's true
Input
<p>Hello & welcome</p>
Output
<p>Hello & welcome</p>
What Is HTML Encoding?
HTML encoding converts special characters into their corresponding HTML entities. Characters like <, >, &, and " have special meaning in HTML — they define tags, attributes, and entities. If you include these characters directly in your HTML, the browser will interpret them as markup instead of displaying them as text.
The most common HTML entities are &lt; for <, &gt; for >, &amp; for &, and &quot; for double quotes. These are called named entities. HTML also supports decimal entities (&#60; for <) and hexadecimal entities (&#x3C; for <). This tool handles all three formats when decoding.
HTML encoding is critical for security. Cross-site scripting (XSS) attacks work by injecting malicious HTML or JavaScript into web pages. By encoding user input before displaying it, you prevent browsers from executing injected code. Every web framework includes HTML encoding for this reason.
Common use cases include displaying code snippets in blog posts, safely rendering user-generated content, preparing text for HTML emails, and escaping strings for use in HTML attributes. This tool encodes the six most dangerous characters: < > & " ' / and `.
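The encoding and decoding described above, as an added JavaScript example (not this tool's own source). The function names, the numeric forms chosen for ', / and `, and the short named-entity table are assumptions; the sample strings are the inputs shown under Examples.

```javascript
// Added example, not the tool's own source; all names are hypothetical.
// Numeric forms for ' / ` are an assumed choice; the page does not say which it emits.
const ENCODE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', '/': '&#x2F;', '`': '&#x60;',
};
// Short named-entity table (assumption: the full HTML list is far larger).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

// Single pass: the '&' written by one replacement is never encoded again.
function encodeHtml(text) {
  return String(text).replace(/[&<>"'\/`]/g, (ch) => ENCODE_MAP[ch]);
}

// Decodes named, decimal (&#60;) and hexadecimal (&#x3C;) entities in one pass,
// so "&amp;lt;" becomes "&lt;" and not "<". Unknown names and invalid code
// points are returned unchanged.
function decodeHtml(text) {
  const pattern = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;
  return String(text).replace(pattern, (match, body) => {
    if (body[0] !== '#') {
      // Own-property check keeps names like "constructor" from hitting Object.prototype.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    const isSurrogate = code >= 0xd800 && code <= 0xdfff;
    const valid = code > 0 && code <= 0x10ffff && !isSurrogate;
    return valid ? String.fromCodePoint(code) : match;
  });
}

// Inputs taken from the Examples section above.
console.log(encodeHtml('<div class="alert">Hello & welcome!</div>'));
console.log(encodeHtml("5 > 3 && 2 < 4 | it's true"));
console.log(decodeHtml('&lt;p&gt;Hello &amp; welcome&lt;/p&gt;'));
```

Entity encoding of this kind is correct for HTML text and quoted attribute values; data written into unquoted attributes, script blocks, or URLs needs the encoding for that context instead.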
All encoding and decoding runs in your browser. Your text is never sent to a server, making this tool safe for sensitive content like code snippets with API keys or private HTML templates.