HTML Entity Encoder & Decoder
Escape the five characters that need HTML encoding (&, <, >, ", ') and decode entities back to plain text.
The five characters that always matter
| Character | Named entity | Numeric entity | Why escape? |
|---|---|---|---|
| `&` | `&amp;` | `&#38;` | Starts every other entity; always escape it first. |
| `<` | `&lt;` | `&#60;` | Opens HTML tags. |
| `>` | `&gt;` | `&#62;` | Closes HTML tags (defensive). |
| `"` | `&quot;` | `&#34;` | Breaks attribute boundaries. |
| `'` | `&apos;` | `&#39;` | Breaks single-quoted attributes. |
This is an XSS-prevention primitive, not a complete defense. Escaping is context-sensitive — HTML attribute, JavaScript string, and URL contexts each require different rules. See OWASP's XSS Prevention Cheat Sheet for the full picture, and our reference on Cross-Site Scripting.
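The sketch below is an added example, not this tool's own code: it encodes the five characters in a single pass, keeps a deliberately wrong "ampersand last" variant to show the double-encoding that ordering causes, and decodes named, decimal and hex entities. The function names are assumptions, and the decoder covers only the five named entities plus numeric references.

```javascript
// Added example; function names are illustrative, not the tool's own code.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Encode in one pass: every input character is looked at exactly once, so the
// "&" inside an entity we just emitted can never be escaped a second time.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Deliberately wrong ordering, kept for comparison: chained replaces with "&"
// handled last re-escape the entities produced by the earlier steps.
function encodeAmpersandLast(text) {
  return String(text).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&/g, "&amp;");
}

// Decode the five named entities plus decimal and hex numeric references.
// One pass again, so "&amp;lt;" becomes the text "&lt;" and not "<".
function decodeHtml(text) {
  const pattern = /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z]+));/g;
  return String(text).replace(pattern, (match, dec, hex, name) => {
    if (name !== undefined) {
      // Unknown names are left untouched rather than guessed at.
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
    }
    const cp = dec !== undefined ? parseInt(dec, 10) : parseInt(hex, 16);
    // NUL, surrogates and out-of-range values become U+FFFD, as HTML parsers do.
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return "\uFFFD";
    return String.fromCodePoint(cp);
  });
}

// Constructed sample input.
const sample = `<a title='T&C' href="x">`;
console.log(encodeHtml(sample));
console.log(encodeAmpersandLast("<b>"));
console.log(decodeHtml("&amp;lt; &#39; &#x27; &apos;"));
```

The output of `encodeHtml` is safe for HTML text and quoted attribute values only; JavaScript string and URL contexts need their own encoders, as noted above.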
FAQ
Named or numeric entities?
Both are valid. Numeric entities (e.g. `&#39;` for an apostrophe) work everywhere. Named entities (`&apos;`) are sometimes shorter but a few are unsafe in legacy parsers: `&apos;` isn't defined in HTML4.
Do I need to encode every Unicode character?
No. Modern HTML files served as UTF-8 can contain any Unicode character directly. Only encode the five HTML-significant characters and any characters that confuse your target charset.