
HTML Entities

The HTML Entities tool encodes special characters into their HTML entity equivalents (e.g. < becomes &lt;) and decodes HTML entities back to plain text. It supports both named entities (&amp;, &copy;, &eacute;) and numeric entities in both decimal (&#169;) and hexadecimal (&#xa9;) form. The tool is essential for safely inserting user-supplied content into HTML pages and for displaying reserved characters in web content.

What are HTML entities?

HTML entities are special text sequences used to represent characters that have a reserved meaning in HTML or that cannot be typed directly. An entity begins with an ampersand (&) and ends with a semicolon (;). The five reserved HTML characters are < (less-than), > (greater-than), & (ampersand), " (double quote), and ' (apostrophe). Beyond reserved characters, entities can represent any Unicode code point, making them useful for inserting symbols, accented letters, and mathematical notation without relying on a specific character encoding.

How does the tool work?

In encode mode, the tool scans the input text character by character. Characters that have a defined named HTML entity are replaced with that entity; all other non-ASCII characters are replaced with their decimal or hexadecimal numeric entity depending on your setting. The five mandatory HTML characters (<, >, &, ", ') are always encoded regardless of mode. In decode mode, the tool uses a reverse lookup table to replace all named and numeric entities with their corresponding Unicode characters, producing clean plain text.

Typical Use Cases

  • Escaping user-generated content before inserting it into HTML to prevent XSS attacks
  • Displaying code samples or angle-bracket characters in HTML pages without breaking the markup
  • Converting characters like © or ™ to named entities for maximum compatibility with old email clients
  • Decoding entity-encoded HTML from scraped web pages or legacy CMS exports

Step-by-step Guide

  1. Paste the text or HTML into the input field.
  2. Choose 'Encode' to convert characters to entities, or 'Decode' to do the reverse.
  3. Optionally select named entities vs. numeric entities for the encode output.
  4. Copy the result to your clipboard using the copy button.

Example

Input
<script>alert('XSS')</script>
Output
&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;

Tips & Notes

  • Always encode user-provided strings before inserting them into HTML to prevent cross-site scripting (XSS) vulnerabilities.
  • Prefer named entities (&lt;, &amp;) for the five reserved characters as they are more readable and universally supported.
  • In modern UTF-8 encoded pages, numeric entities are rarely needed for accented characters – just use the characters directly.

Frequently Asked Questions

What is the difference between &lt; and &#60;?
&lt; is the named entity for the less-than sign (<), while &#60; is its decimal numeric entity and &#x3C; is the hexadecimal form. All three are equivalent and render the same character in the browser.

Does HTML entity encoding prevent all XSS attacks?
It prevents XSS in HTML contexts. However, you need context-aware escaping: JavaScript strings require JavaScript escaping, CSS values require CSS escaping, and URL parameters require URL encoding. Use a proper templating engine or security library that handles all contexts.

Are HTML entities the same as XML entities?
XML defines only five predefined entities (&lt;, &gt;, &amp;, &quot;, &apos;). HTML adds hundreds of named entities on top of those. XML parsers will reject HTML-only named entities unless a DOCTYPE or entity declaration is present.
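
The context-aware escaping described in the FAQ answer on XSS, as an added example (not code from the tool itself): one encoder per output context. The function names (escapeHtml, escapeJsString, escapeUrlParam, escapeCssString, searchLink) and the sample values are illustrative and constructed for this example.

```javascript
// Added example: one encoder per output context (names are illustrative).

// HTML element content and quoted attribute values: the five reserved characters.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// JavaScript string literal in an inline <script> block. JSON.stringify adds the
// quotes and backslash escapes; the replace keeps markup characters and the
// U+2028/U+2029 line separators out of the script source.
function escapeJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query parameter value: percent-encoding.
function escapeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// CSS string value: every non-alphanumeric becomes a hex escape plus a space.
function escapeCssString(value) {
  return Array.from(String(value), (ch) =>
    /[A-Za-z0-9]/.test(ch) ? ch : '\\' + ch.codePointAt(0).toString(16) + ' ').join('');
}

// A link needs two layers: percent-encode the parameter, then entity-encode
// the finished URL because it sits inside an HTML attribute.
function searchLink(query) {
  const url = '/search?q=' + escapeUrlParam(query);
  return '<a href="' + escapeHtml(url) + '">' + escapeHtml(query) + '</a>';
}

// Constructed sample values; the first is the example input from this page.
const samples = ["<script>alert('XSS')</script>", 'line1\nline2', 'a&b=c'];
for (const s of samples) {
  console.log({ html: escapeHtml(s), js: escapeJsString(s),
                url: escapeUrlParam(s), css: escapeCssString(s) });
}
console.log(searchLink('a&b=c'));
```

The second sample passes through escapeHtml unchanged, yet a raw line break is not valid inside a JavaScript string literal, which is why each context needs its own encoder.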