What is the difference between named, decimal, and hex entities?

Named entities use a mnemonic name (&, <, ). Decimal numeric entities use the Unicode code point in base 10 (& for &). Hex numeric entities use the code point in hexadecimal (& for &). All three forms are valid HTML5 and produce identical output in the browser.

Which characters should I encode?

At a minimum, always encode & as &, as > when they appear as literal text content. Additionally encode " and ' inside attribute values. This encoder also encodes all non-ASCII characters, which can be useful for ASCII-only HTML sources.

Is it safe to decode untrusted HTML entities?

The decoder expands entity sequences back to their characters - it does not render HTML. The decoded text is plain text, not injected into the DOM, so there is no XSS risk from using this tool.

HTML Entity Encoder / Decoder

What are HTML entities?

An HTML entity is a text string that begins with an ampersand (&) and ends with a semicolon (;). Entities represent characters that have special meaning in HTML markup, such as the less-than sign (<) and the ampersand itself, or characters that are difficult to type directly, such as non-breaking spaces or accented letters.

Without entity encoding, a stray < or & in text content can confuse the browser's HTML parser, causing rendering errors or, in the worst case, creating an XSS vector when user-supplied text is inserted into a page.

Named, decimal, and hex entities

HTML5 supports three entity formats, all of which produce identical output in the browser:

Named: uses a mnemonic name: &, <, >, ", ',  . Named entities exist only for a fixed set of characters. For all other characters this tool falls back to hex notation.
Decimal: uses the Unicode code point in base 10: & for &, < for <. Works for any Unicode character.
Hex: uses the code point in hexadecimal: & for &, < for <. Preferred in CSS and SVG contexts and by most minifiers.

Which characters are encoded?

This tool encodes characters that require escaping for safe HTML output:

& -> &: must always be escaped
< -> <: prevents accidental tag interpretation
> -> >: prevents closing tag confusion
" -> ": safe inside double-quoted attributes
' -> ': safe inside single-quoted attributes
All non-ASCII characters (code points above U+007F): ensures ASCII-only HTML source compatibility

Common use cases

Sanitizing user input for HTML insertion: encode text content before inserting it into a web page to prevent cross-site scripting (XSS).
Writing HTML by hand: encode special characters in content so the browser renders them literally rather than interpreting them as markup.
Debugging encoded HTML: paste a snippet full of entities into Decode mode to read it as plain text.

Security framing: XSS prevention

Failing to HTML-encode user-supplied input before inserting it into the DOM is the root cause of Cross-Site Scripting (XSS), consistently ranked as one of the most common and impactful web vulnerabilities (OWASP Top 10). An attacker who can inject <script> tags or event handlers via unescaped input can steal session cookies, redirect users, or perform actions on their behalf. Always encode output at the point of insertion - not just at the point of input.

Content Security Policy (CSP)

HTML entity encoding alone is not sufficient to prevent all XSS attack vectors. Browsers support a Content-Security-Policy response header that specifies which sources of scripts, styles, and other resources are trusted. A strict CSP (e.g., script-src 'self') provides a critical defense-in-depth layer that limits the damage if encoding is missed or bypassed. Use both encoding and CSP together.