HTML Entity Decoder — Decode HTML Online

Decode HTML entities like &amp; &lt; &gt; back to readable text. Also encode text to named, decimal, or hex entities. 100% browser-based.

Paste HTML-encoded text like &lt;div&gt; and click Decode to get back readable <div>. Or switch to Encode mode to convert special characters to safe HTML entities before inserting user content into your HTML pages to prevent XSS.


How to Use

  1. Paste your text. Paste HTML, code, or any text containing characters you want to encode or entity codes you want to decode.
  2. Choose mode. Select Encode (text → entities) or Decode (entities → text). Toggle "Non-ASCII only" for partial encoding.
  3. Copy the result. The output updates instantly. Click Copy to clipboard to use in your project.

Frequently Asked Questions

What are HTML entities?
HTML entities are codes used to represent characters that have special meaning in HTML, or characters that are difficult to type. For example, < becomes &lt;, > becomes &gt;, & becomes &amp;, and © becomes &copy;. They prevent browsers from misinterpreting content as markup.
What is the difference between named and numeric entities?
Named entities use descriptive names (&amp;, &copy;, &reg;). Numeric decimal entities use the character's Unicode code point (&#38; for &). Numeric hex entities use the hex form (&#x26;). All three represent the same characters; named is most readable, numeric works for any character.
What does "encode only non-ASCII" mean?
When enabled, only characters outside the standard ASCII range (above code point 127) are encoded. ASCII-safe HTML characters like < > & are left as-is. Useful when you want to safely include international text in HTML without encoding every character. Because < > & pass through unchanged, this mode does not neutralize markup and is not a substitute for escaping user content.
When should I encode HTML entities?
Always encode user-generated content before inserting it into HTML to prevent XSS attacks. Encode characters in HTML attributes, especially those that accept URLs. Encode < > & " in any text that will be rendered inside HTML tags.
Is my text sent to a server?
No. All encoding and decoding runs entirely in your browser using JavaScript. Your text never leaves your device.


Complete Guide: HTML Entity Encoder / Decoder

HTML entity encoding is the process of replacing special characters with their safe HTML representations. It is one of the most fundamental security practices in web development — and one of the most commonly misunderstood.

The 5 Characters That MUST Be Escaped in HTML

Five characters have special meaning in HTML and must always be escaped when appearing as data content:

Failing to escape even one of these can introduce a cross-site scripting (XSS) vulnerability.

Named Entities vs Numeric Entities

HTML entities come in two forms:

Named entities require the HTML parser to look up the name in a table. All three forms produce identical output in the browser. Numeric entities are useful for characters that don't have named equivalents.

Context Matters: Where You're Encoding

The encoding rules change depending on where in the HTML document you're inserting data:

  1. HTML text node (between tags): escape &, <, >
  2. HTML attribute value (double-quoted): escape &, <, >, "
  3. HTML attribute value (single-quoted): escape &, <, >, '
  4. URL context (href attribute): use percent-encoding, not HTML entities — then HTML-encode the whole attribute value
  5. JavaScript context (inline script): HTML encoding is insufficient — use JSON encoding or a dedicated JavaScript escaper
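
The five contexts above, as an added JavaScript example (not code from this tool). The function names, the /search URL and the sample values are hypothetical; only the query string and the script data are treated as untrusted.

```javascript
// Added example: one encoder per output context from the list above.
const HTML_ESCAPES = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;'],
]);

// Contexts 1-3: text nodes and quoted attribute values.
// Escaping all five characters is a safe superset for each of them.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES.get(ch));
}

// Context 4: percent-encode the untrusted part of the URL first,
// then HTML-encode the whole attribute value. encodeURIComponent
// leaves ' untouched, so the second step is not optional.
function searchLink(query) {
  const url = '/search?q=' + encodeURIComponent(query) + '&page=1';
  return '<a href="' + escapeHtml(url) + '">results</a>';
}

// Context 5: HTML entities are not decoded inside <script>, so
// JSON-encode instead and replace the characters that could close
// the script element or confuse older JavaScript parsers.
function inlineScriptData(value) {
  const json = JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return '<script>const data = ' + json + ';</script>';
}
```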

PHP: htmlspecialchars vs htmlentities

PHP offers two common encoding functions:

// htmlspecialchars: encodes only the 5 critical characters
$safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// htmlentities: encodes ALL characters with HTML entity equivalents
$encoded = htmlentities($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

For UTF-8 documents, htmlspecialchars is almost always the correct choice. With UTF-8, all characters can be represented directly — there is no need to encode them as HTML entities. Using htmlentities on UTF-8 content produces unnecessarily verbose output like &eacute; instead of just é.

Always pass ENT_QUOTES | ENT_HTML5 and specify the charset explicitly to avoid encoding issues.

JavaScript: The DOMParser Trick for Decoding

To decode HTML entities in JavaScript without a library, you can use the browser's own HTML parser:

function decodeHTMLEntities(text) {
  const doc = new DOMParser().parseFromString(text, 'text/html');
  return doc.documentElement.textContent;
}

decodeHTMLEntities('&lt;strong&gt;Hello&lt;/strong&gt;');
// Returns: "<strong>Hello</strong>"

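Warning: never use innerHTML to decode entities on user-supplied strings, because this creates XSS risk. The DOMParser approach is safe because the parsed document is inert (scripts in it never run) and the function returns textContent, not markup. The result is plain text, so encode it again before inserting it into HTML.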

Emoji and Unicode Code Points

Emoji and other Unicode characters outside the Basic Multilingual Plane (BMP) have code points above U+FFFF. In HTML, they can be represented as numeric entities: &#128512; for 😀 (U+1F600). However, since HTML5 requires UTF-8 encoding, there is no practical reason to encode emoji as entities — include them directly in your source.

Related tools: Base64 Encoder for binary-safe encoding, and URL Encoder for percent-encoding strings for use in URLs.
