Tools
HTML Encoder / Decoder
Paste HTML into the source pane and choose how to convert it: encode special characters to numeric entities, decode them back, or escape tag characters for safe display in a code block.
About the HTML Entities Encoder / Decoder
HTML Entities Encoder / Decoder converts text between raw characters and HTML entity references, in four modes: Encode Entities, Decode Entities, Encode Tags, and Decode Tags. The two entity modes handle a wide character range — every printable character from space through a large CJK block, plus <, >, and & — turning each into its decimal numeric entity (<) or back again. The two tag modes only touch the eight characters that can break HTML markup: &, <, >, ", ', the backtick, =, and / — converting them to a mix of named (&) and numeric (') entities, and leaving everything else as-is.
Each mode is a single regular-expression replace over the input — there's no HTML parser or hidden DOM element involved. encodeHtmlEntities matches /[ -香<>&]/g and rewrites every hit to &# plus its UTF-16 code unit; decodeHtmlEntities only reverses &#(\d+); (decimal), so it leaves hex (/) and named (&) entities untouched. encodeHtmlTags/decodeHtmlTags use a fixed lookup table for the eight tag characters instead. Because the range tested tops out at U+9999, characters beyond it — most emoji and some rarer CJK/Hangul — pass through Encode Entities unescaped. The whole page runs client-side: nothing you paste is sent to a server.
Use Encode Tags before dropping a code sample or user-submitted markup into a <pre>/<code> block, so the browser renders it as visible text instead of parsing it as a real tag. Use Encode Entities when you need an ASCII-safe payload for something like an email template or CSV export, since it flattens accented and CJK characters to &#NNN; too, not just markup-special ones. Match your decode mode to whichever encode mode produced the string — Decode Entities won't touch the named or hex entities that Encode Tags outputs, and you'll get partially-decoded garbage instead of the original text.
Examples
Source:
<script>alert('xss')</script>
Result (Encode Tags):
<script>alert('xss')</script>Only the eight tag-breaking characters change — the letters in alert, xss, and script are untouched. This is the form to use before dropping a code sample into a <pre> or <code> block.
Source:
<p>Café 世界</p>
Result (Encode Entities):
<p>Café 世界</p>Every character became a decimal entity, including plain letters, the accented é, and the CJK characters — not just <, >, and &. Encode Tags on the same input would leave Café 世界 untouched and only escape the angle brackets and slash: <p>Café 世界</p>.
Source:
& / '
Result (Decode Entities):
& / 'Only ' matches the decimal pattern &# + digits + ;, so it's the only one decoded back to '. The named entity & and the hex entity / pass through unchanged — reverse those with Decode Tags instead.
Frequently asked questions
Why do I need to encode HTML entities in the first place?
Characters like <, >, and & have special meaning in HTML, so a browser parses a literal <div> inside a text string as a real tag rather than displaying the four characters <div>. Replacing them with entity references — < (named) or < (numeric) — tells the browser to render the literal character instead of treating it as markup.
What's the difference between encoding HTML entities and encoding HTML tags?
Encode Entities converts every character in a wide range — plain letters, accented characters, CJK text, plus angle brackets and ampersands — into decimal numeric entities like <. Encode Tags only escapes the eight characters that can break HTML markup (ampersand, angle brackets, quotes, backtick, equals sign, and slash), leaving normal text untouched and using named entities like & where one exists.
Why doesn't Decode Entities undo output from Encode Tags?
Decode Entities only reverses decimal numeric entities matching &# followed by digits and a semicolon, such as '. Encode Tags produces a mix of named entities (&, <) and hex entities (/, `), neither of which match that pattern. Use Decode Tags to invert Encode Tags output, and Decode Entities to invert Encode Entities output.
Is it safe to paste sensitive HTML or source code into an online HTML encoder?
Yes. All four conversions — Encode Entities, Decode Entities, Encode Tags, and Decode Tags — run as plain JavaScript string replacement in your browser tab. There's no network request, so pasted content is never uploaded anywhere.
Does HTML entity encoding handle emoji and other Unicode characters correctly?
This tool's Encode Entities mode covers characters from space up to U+9999, a boundary inside the CJK block, so most emoji and some rarer CJK or Hangul characters fall outside it and pass through unescaped rather than becoming numeric entities.