HTML Entity Encoder & Decoder

Encode any text to HTML entities — named, decimal, or hex — to prevent XSS when displaying user content in HTML. Decode entity-encoded HTML back to plain text. Includes a live character-by-character reference table and five encoding modes for different use cases. Everything runs in your browser with no data sent to any server. For other common encoding tasks, see the tools for SQL formatting and JSON data validation.


How to Use the HTML Entity Encoder

  1. Click Encode to convert text to HTML entities, or Decode to convert entities back to plain text.
  2. In Encode mode, select an encoding mode from the dropdown: HTML-safe only, named entities, decimal entities, hex entities, or all non-ASCII.
  3. Type or paste your text into the input field — the encoded output appears instantly below.
  4. The stats row shows input length, output length, and the expansion ratio.
  5. The character reference table shows the first 20 characters with their code points and all entity formats side-by-side.
  6. Click Copy Output to copy, Clear to reset, or Swap to move the output back into the input for chained operations.

Key Features

  • Five encoding modes: HTML-safe, named entities, decimal entities, hex entities, all non-ASCII
  • Full HTML decoding — handles named, decimal, and hex entities in any combination
  • Live character-by-character reference table for the first 20 input characters
  • Input/output stats: character count and expansion ratio
  • Swap button for chained encode/decode operations
  • Works entirely offline — no data sent to any server

Use Cases

Encode user input before inserting into HTML to prevent XSS

Cross-Site Scripting occurs when user-supplied text containing <, >, &, " or ' is inserted into HTML without encoding. Use HTML-safe mode to encode these five critical characters before rendering any user-controlled content: form inputs, URL parameters, database values, or API responses.

Encode special characters for HTML email templates

HTML emails must use named or decimal entities for characters outside the ASCII range to ensure correct rendering across email clients. Select "All non-ASCII as decimal" mode to encode accented letters, currency symbols, arrows, and typographic quotes for maximum compatibility.

Decode HTML entities from scraped web content

Web scrapers frequently retrieve content that contains HTML entities like &amp;, &nbsp;, or &#8220;. Switch to Decode mode to convert these back to their plain-text characters before storing, displaying, or processing the scraped data. A regular expression tester is useful for extracting specific entity patterns from larger blocks of scraped text.

Convert special characters for XML and XHTML

XML is strict about characters that must be escaped: &, <, >, ", and '. Use HTML-safe mode or decimal mode to generate valid XML-safe entities from arbitrary text input; XML predefines only those five named entities, so names such as &copy; or &nbsp; are not valid in XML unless the document declares them.

Study Unicode code points with the character reference table

The character reference table shows the Unicode code point, decimal entity, hex entity, and named entity for each character in your input. This is a practical learning tool for understanding how each character is identified by its code point and how that code point is written as an entity in an HTML document.

FAQ

What is the difference between named, decimal, and hex entities?

Named entities use human-readable names: &amp; for &, &lt; for <, &copy; for ©. Only a limited subset of characters has named entities. Decimal entities (&#38;) work for any Unicode character because they reference the code point numerically. Hex entities (&#x26;) are equivalent but use hexadecimal notation.

Why does HTML encoding prevent XSS?

Without encoding, characters like <, >, and & in user-supplied content are interpreted by the browser as HTML markup. An attacker can inject a <script> tag and execute arbitrary JavaScript in the victim's browser, stealing session cookies, redirecting to phishing pages, or performing actions on the user's behalf. HTML encoding neutralizes these characters by converting them to their entity representations, so the browser renders them as text instead of parsing them as markup.

Which encoding mode should I use?

Use HTML-safe mode for the vast majority of cases: encoding the five special characters (< > & " ') is sufficient to prevent XSS when inserting text into an HTML element body or a quoted attribute value. Use full encoding (decimal or named entities) when you need maximum portability across character sets, are targeting email clients with limited Unicode support, or are working with XML/XHTML that must be ASCII-safe.
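The five modes described in the FAQ and use cases above, as an added example in plain JavaScript (this is not the tool's own source; the named-entity table is a constructed subset, and the exact rule for each mode is this example's reading of the page, not documented tool behaviour). It also computes the expansion ratio the stats row reports.

```javascript
// Added example, not the tool's own source: the page's five encoding modes.
// NAMED is a constructed subset; browsers define about 2,200 entity names.
const HTML_SAFE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = { ...HTML_SAFE, '\u00A0': '&nbsp;', '\u00A9': '&copy;', '\u20AC': '&euro;',
                '\u201C': '&ldquo;', '\u201D': '&rdquo;', '\u2192': '&rarr;' };
const has = (table, key) => Object.prototype.hasOwnProperty.call(table, key);

const decimalEntity = (cp) => `&#${cp};`;
const hexEntity = (cp) => `&#x${cp.toString(16).toUpperCase()};`;

// for...of walks whole code points, so an emoji becomes one entity rather
// than two surrogate halves (which a browser would render as U+FFFD).
function encodeHtml(text, mode = 'html-safe') {
  let out = '';
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    const special = has(HTML_SAFE, ch); // one of & < > " '
    const nonAscii = cp > 0x7E;         // outside printable ASCII (DEL included)
    switch (mode) {
      case 'html-safe':     // only the five characters that can break out of HTML
        out += special ? HTML_SAFE[ch] : ch; break;
      case 'named':         // named entity where one exists, hex for other non-ASCII
        out += has(NAMED, ch) ? NAMED[ch] : (nonAscii ? hexEntity(cp) : ch); break;
      case 'decimal':       // specials and non-ASCII as &#NNN;
        out += (special || nonAscii) ? decimalEntity(cp) : ch; break;
      case 'hex':           // specials and non-ASCII as &#xHH;
        out += (special || nonAscii) ? hexEntity(cp) : ch; break;
      case 'all-non-ascii': // specials, control characters and non-ASCII as decimal
        out += (special || cp < 0x20 || nonAscii) ? decimalEntity(cp) : ch; break;
      default:
        throw new Error(`unknown mode: ${mode}`);
    }
  }
  return out;
}

// The stats-row ratio: output length / input length in UTF-16 code units,
// which is what String.length measures in the browser.
function expansionRatio(text, mode = 'html-safe') {
  if (text.length === 0) return 1;
  return encodeHtml(text, mode).length / text.length;
}
```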

Does the tool send my data to a server?

No. All encoding and decoding happens locally in your browser using JavaScript, and no data is ever sent to any server. Once the page has loaded, you can disconnect from the internet and the tool continues to work without interruption.

What is &nbsp; and when should I use it?

&nbsp; is the non-breaking space entity (Unicode U+00A0). It prevents the browser from collapsing multiple spaces and stops line breaks between adjacent words. Use it sparingly, for cases where breaking between two words would be wrong (e.g., "10&nbsp;km" or "Fig.&nbsp;1"). For layout spacing, use CSS (margin, padding, gap) rather than chains of &nbsp;.

What is the difference between HTML encoding and HTML escaping?

HTML encoding specifically means converting characters to HTML entity representations (&lt; etc.). HTML escaping is a broader term covering all techniques for making text safe in a specific context. For HTML output, entity encoding is the correct technique. For JavaScript strings, SQL queries, or URL components, different escaping rules apply. Always use the technique that matches the context the text is being inserted into.

How does the decoder work?

The decoder uses the browser's built-in HTML parser by assigning the encoded string to a temporary DOM element's innerHTML and reading back the textContent. This correctly decodes named entities (&amp;), decimal entities (&#38;), and hex entities (&#x26;), all in the same string, just as a browser would when rendering HTML.
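A decoder for the same three entity forms, as an added example that is not the tool's own code: it is written without the DOM so it runs in Node as well as in a browser, and its named-entity table is a constructed subset. One caveat for anyone reproducing the innerHTML technique above: parsing untrusted markup through innerHTML of an element that belongs to the live document can still load subresources and run event handlers, so decode into a <textarea> element (whose content is parsed as text) or through DOMParser (which yields an inert document) rather than a generic element.

```javascript
// Added example, not the tool's own code: one-pass decoding of named,
// decimal and hex entities. NAMED_TO_CHAR is a constructed subset.
const NAMED_TO_CHAR = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                        nbsp: '\u00A0', copy: '\u00A9', euro: '\u20AC',
                        ldquo: '\u201C', rdquo: '\u201D' };
const hasName = (n) => Object.prototype.hasOwnProperty.call(NAMED_TO_CHAR, n);

// One alternation per entity form: &#xHH; | &#NNN; | &name;
const ENTITY_RE = /&(?:#[xX]([0-9a-fA-F]{1,6})|#([0-9]{1,7})|([a-zA-Z][a-zA-Z0-9]*));/g;

// Numeric references can name code points no document may contain (NUL,
// surrogates, anything past U+10FFFF); browsers substitute U+FFFD for those.
function codePointToChar(cp) {
  if (cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return '\uFFFD';
  return String.fromCodePoint(cp);
}

// Decodes one layer of entities. Unknown names are left untouched, and a
// double-encoded input such as "&amp;lt;" comes back as "&lt;", which is how
// double encoding shows up in scraped data: decode again and the text changes.
function decodeHtml(text) {
  return text.replace(ENTITY_RE, (match, hex, dec, name) => {
    if (hex !== undefined) return codePointToChar(parseInt(hex, 16));
    if (dec !== undefined) return codePointToChar(parseInt(dec, 10));
    return hasName(name) ? NAMED_TO_CHAR[name] : match;
  });
}

// Counts how many decode passes change the text: 0 means no entities,
// 2 or more means the data was encoded more than once.
function encodingDepth(text) {
  let depth = 0;
  let cur = text;
  for (let next = decodeHtml(cur); next !== cur; next = decodeHtml(cur)) {
    cur = next;
    depth += 1;
  }
  return depth;
}
```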

What does the expansion ratio mean?

The ratio shows how much longer the encoded output is compared to the input. A ratio of 1.00x means no expansion (the text has no characters that need encoding). A ratio of 6.00x for a string of five < characters in hex mode means each was replaced by &#x3C; (6 characters), making the output 6× the length of the input. This helps you estimate the storage and bandwidth impact of encoding.

HTML entity encoding is a foundational security practice that every web developer should understand, yet it is often confused, overlooked, or applied inconsistently. Toolaroid's HTML Entity Encoder clarifies the differences between encoding modes with real-time output, shows the exact character reference for every code point in your input, and handles both encoding and decoding in one tool. Whether you are sanitizing user-generated content for a CMS, preparing text for an HTML email template, debugging double-encoded entities in scraped data, or simply learning how HTML represents special characters, this tool provides the immediate feedback that makes the concept concrete.