HTML Entity Encoder
Encode and decode HTML entities — convert <, >, &, " and ' to their entity equivalents and back. Essential for safe HTML and template code.
About This Tool
HTML entities are text representations of characters that have special meaning in HTML markup. Characters like <, >, &, and " must be escaped when placed in HTML content to prevent the browser from misinterpreting them as markup. QuickKit's HTML Entity Encoder/Decoder converts between raw text and entity-encoded HTML, making it easy to safely embed user-generated content or decode HTML-encoded strings for inspection.
Features
- Encode & Decode — Encode raw text into HTML entities, or decode HTML entities back to plain text — switchable with a tab.
- Encodes Five Critical Characters — Handles & < > " and ' — the five characters required for safe HTML embedding per OWASP guidelines.
- Safe Decode via DOM — Decoding uses the browser's native HTML parser to correctly handle all named, decimal, and hex entities.
- One-click Copy — Copy the encoded or decoded result to your clipboard instantly.
- Fully Private — All encoding and decoding is done client-side in your browser — no server processing.
FAQ
- Why do I need to encode HTML entities?
- Without entity encoding, characters like < and > in user-provided text would be interpreted as HTML tags, breaking the page layout and potentially enabling XSS (Cross-Site Scripting) attacks. Encoding & as &amp;, < as &lt;, > as &gt;, and " as &quot; ensures the characters are rendered as visible text rather than parsed as markup.
- What is XSS and how does entity encoding help?
- Cross-Site Scripting (XSS) is a vulnerability where an attacker injects malicious scripts into a web page viewed by other users. If a site outputs user input into HTML without encoding, an attacker could inject <script>…</script> tags that run in victims' browsers. Encoding all special characters before inserting them into HTML prevents this by turning the angle brackets into &lt; and &gt;, which the browser displays as text rather than parsing as markup.
- What is the difference between &amp; and &#38;?
- &amp; is a named entity reference for the ampersand character. &#38; is the decimal numeric character reference for the same character (Unicode code point 38). &#x26; is the hexadecimal form. All three produce the same & character in the browser. Named entities are more readable; numeric references work for any Unicode character, even one without a named form.
- Does this handle all Unicode characters?
- The encoder handles the five standard HTML special characters (& < > " '). It does not convert extended Unicode characters to entities like &eacute; or &#233;. Modern HTML documents should be declared with the UTF-8 charset (the default in HTML5), which makes it unnecessary to encode extended characters as entities — just use them directly in the HTML source.
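The following is an added example, not QuickKit's own code: the five-character encoder the Features and FAQ sections describe, next to a standalone decoder for named, decimal and hex references. The real tool decodes with the browser's DOM parser; this decoder reimplements those three cases so the round trip can be checked outside a browser, and its named-entity table is a small assumed subset of the HTML5 table.

```javascript
// Encode the five characters OWASP lists for safe HTML body/attribute contexts.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeHtmlEntities(text) {
  // Replace each special character with its entity; everything else passes through.
  return text.replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Assumed subset of the HTML5 named-entity table: the names the encoder above
// emits plus a few common ones. A browser's parser knows the full table.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0', eacute: '\u00e9' };

// Decode &name;, &#DDD; and &#xHHH; references. Unknown names and code points
// above U+10FFFF are left untouched, which is how browsers treat them too.
// This decoder requires the terminating semicolon; the browser parser also
// accepts some legacy semicolon-less forms, which are not handled here.
function decodeHtmlEntities(html) {
  return html.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      if (Number.isNaN(cp) || cp > 0x10ffff) return match;
      return String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Constructed sample: untrusted input that would be parsed as markup if
// inserted raw. Encoded, it renders as visible text; decoding restores it.
const untrusted = '<script>alert("x")</script>';
const encoded = encodeHtmlEntities(untrusted);
console.log(encoded);                      // &lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt;
console.log(decodeHtmlEntities(encoded) === untrusted); // true

// The three spellings of the ampersand from the FAQ all decode to the same character.
console.log(decodeHtmlEntities('&amp; &#38; &#x26;')); // & & &
```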