Encode special characters to HTML entities or decode HTML entities back to readable text. This free online tool converts reserved HTML characters like `<`, `>`, `&`, and `"` to their entity equivalents, helping prevent Cross-Site Scripting (XSS) attacks. Supports both named entities (`&amp;`) and numeric entities (`&#38;`). All processing happens in your browser — nothing is sent to a server.

| Char | Named | Numeric | Description |
|---|---|---|---|
| & | `&amp;` | `&#38;` | Ampersand |
| < | `&lt;` | `&#60;` | Less than |
| > | `&gt;` | `&#62;` | Greater than |
| " | `&quot;` | `&#34;` | Double quote |
| ' | `&apos;` | `&#39;` | Single quote |
|   | `&nbsp;` | `&#160;` | Non-breaking space |
| © | `&copy;` | `&#169;` | Copyright |
| — | `&mdash;` | `&#8212;` | Em dash |
| → | `&rarr;` | `&#8594;` | Right arrow |
| … | `&hellip;` | `&#8230;` | Ellipsis |

`<`, `>`, `&`) or characters not available on a standard keyboard (like ©, €, →). They follow the format `&name;` or `&#number;`. Without entities, browsers would misinterpret these characters as HTML tags or markup, breaking the page layout or creating security vulnerabilities.

`<` and `>` into their entity equivalents (`&lt;` and `&gt;`), so the browser renders them as visible text instead of executing them as code. This is a critical defense — always encode user-generated content before inserting it into HTML. The OWASP Top 10 lists XSS as one of the most common web vulnerabilities.

`&` → `&amp;`) for safe display inside HTML documents. URL encoding converts characters to percent-encoded format (space → `%20`) for safe use in URLs. They serve different purposes: HTML encoding prevents markup injection in web pages, URL encoding ensures special characters are transmitted correctly in URLs. They are not interchangeable.

`&amp;` are more human-readable but not every character has a named version. Numeric entities — decimal (`&#38;`) or hexadecimal (`&#x26;`) — work for any Unicode character. For common entities (`&lt;`, `&gt;`, `&amp;`), use named versions for readability. For uncommon or Unicode characters, use numeric entities. Both are valid in all modern browsers and HTML5.

`<meta charset="UTF-8">` in your HTML `<head>`. Over 98% of websites use UTF-8 as of 2026.
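
The encoding and decoding described above, as an added example that is not this tool's own code. The function names (`encodeHtml`, `decodeHtml`, `encodeForContext`) and the sample strings are constructed for illustration, and the decoder knows only the named entities from the reference table.

```javascript
// Added example; function names and SAMPLE are constructed for illustration.
const NAMED = { '&': 'amp', '<': 'lt', '>': 'gt', '"': 'quot', "'": 'apos' };
// Decoder covers only the named entities listed in the reference table.
const DECODE_NAMED = new Map(Object.entries({
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0',
  copy: '\u00A9', mdash: '\u2014', rarr: '\u2192', hellip: '\u2026',
}));

// Escape the five reserved characters; nonAscii also converts everything
// above printable ASCII to a decimal numeric entity.
function encodeHtml(text, { numeric = false, nonAscii = false } = {}) {
  let out = '';
  for (const ch of text) { // iterates by code point, so emoji stay whole
    const cp = ch.codePointAt(0);
    if (NAMED[ch]) out += numeric ? `&#${cp};` : `&${NAMED[ch]};`;
    else if (nonAscii && cp > 0x7e) out += `&#${cp};`;
    else out += ch;
  }
  return out;
}

// Single pass: "&amp;lt;" decodes to "&lt;", never on to "<".
function decodeHtml(text) {
  const entity = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;
  return text.replace(entity, (match, body) => {
    if (body[0] !== '#') return DECODE_NAMED.get(body) ?? match;
    const hex = body[1].toLowerCase() === 'x';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // Leave NUL, surrogates and out-of-range values undecoded.
    const ok = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return ok ? String.fromCodePoint(cp) : match;
  });
}

// HTML and URL encoding are not interchangeable: pick by output context.
function encodeForContext(text, context) {
  if (context === 'html') return encodeHtml(text);
  if (context === 'url') return encodeURIComponent(text);
  throw new Error(`unknown output context: ${context}`);
}

const SAMPLE = `<b>Tom & Jerry's "cheese"</b> \u00A9`; // constructed input
console.log(encodeHtml(SAMPLE));
console.log(encodeHtml(SAMPLE, { numeric: true, nonAscii: true }));
console.log(decodeHtml('&lt;p&gt; &#169; &#xA9; &bogus; &#xD800;'));
console.log(encodeForContext('a&b <c>', 'url'));
```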