What HTML Entity Encoding Is
Some characters have special meaning in HTML: < starts a tag, & starts an entity, " delimits attributes. To use these as literal text inside HTML — say you want to display "1 < 2" on a page — they have to be encoded as named or numeric entities: &lt; for <, &amp; for &, &quot; for ".
The Microapp HTML Encoder/Decoder converts in either direction. Encode any text to make it safe for embedding in HTML; decode an HTML string back to readable text. Browser-based, your input never leaves your device.
How to Use It
- Paste your text or HTML into the input box.
- The encoded (or decoded) version appears instantly in the output.
- Use the toggle to switch direction.
- Click "Copy" to put the result on your clipboard.
Example: encoding <p>Tom & Jerry "rule"!</p> gives:

&lt;p&gt;Tom &amp; Jerry &quot;rule&quot;!&lt;/p&gt;

This is now safe to paste into HTML — it'll display as the literal text "<p>Tom & Jerry "rule"!</p>" instead of being interpreted as a paragraph tag.
The Most Common Entities
| Character | Named entity | Numeric entity | When to encode |
|---|---|---|---|
| < | &lt; | &#60; | Always (would otherwise start a tag) |
| > | &gt; | &#62; | Inside text content (sometimes optional) |
| & | &amp; | &#38; | Always (would otherwise start an entity) |
| " | &quot; | &#34; | Inside double-quoted attributes |
| ' | &apos; (XML) or &#39; | &#39; | Inside single-quoted attributes |
| © | &copy; | &#169; | For older systems that don't render UTF-8 |
| ® | &reg; | &#174; | Same as above |
| — | &mdash; | &#8212; | Em dash — preferred when source encoding is uncertain |
|   | &nbsp; | &#160; | Non-breaking space (prevents line break) |
When to Encode
User-generated content. If users can submit text that gets displayed on your site (comments, profile bios, forum posts), encoding it before display is the most fundamental XSS defense. Without encoding, a user submitting <script>alert('hi')</script> can run code in every visitor's browser.
Code samples in documentation. Showing HTML code in a docs page means the example HTML must be encoded — otherwise the browser tries to render it instead of displaying it as literal text.
Email templates with dynamic content. User names, dynamic prices, anything personalized — encode before injecting into the template.
Pasting code from one CMS to another. Some CMSes encode angle brackets in code blocks; others don't. Round-tripping content can sometimes leave double-encoded entities (&amp;lt;). Decode first to spot it.
Common Pitfalls
Double-encoding. Encoding an already-encoded string produces nonsense (&amp;lt; instead of &lt;). Decode first if there's any chance the input is already encoded.
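The encoding step for user-generated content and the double-encoding pitfall above, shown as an added example that is not the Microapp tool's code. Function names are hypothetical, and the decoder covers only the named entities in this page's table plus numeric references.

```javascript
// Added example (not the Microapp tool's code); all names are hypothetical.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
  ['nbsp', '\u00a0'], ['copy', '\u00a9'], ['reg', '\u00ae'], ['mdash', '\u2014'],
]);
const ENTITY = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g;

// Encode the five characters that matter in text content and quoted attributes.
// "&" is replaced in the same single pass, so the output is never re-encoded.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

// Decode exactly one level. Unknown names and invalid code points stay as-is.
function decodeHtml(html) {
  return String(html).replace(ENTITY, (match, body) => {
    if (body[0] !== '#') return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : match;
  });
}

// Heuristic for double-encoding: "&amp;" followed by an entity body and ";".
// It also fires on text that legitimately writes about entities, so use it
// to flag input for review rather than to decode automatically.
function looksDoubleEncoded(html) {
  return /&amp;(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/.test(html);
}

// Constructed sample input: a comment field as a user might submit it.
const comment = "<script>alert('hi')</script>";
const once = encodeHtml(comment);
const twice = encodeHtml(once); // the pitfall: encoding an encoded string

console.log(once);
console.log(looksDoubleEncoded(once), looksDoubleEncoded(twice));
console.log(decodeHtml(twice) === once);
```

Decoding stops after one level on purpose: repeatedly decoding untrusted input until no entities remain can turn text the author meant literally back into live markup.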
Unicode characters and entity equivalents. Modern browsers render UTF-8 directly — you don't need to encode café as caf&eacute;. The named entities exist for legacy compatibility; in 2026, just use the actual characters in UTF-8 source files.
Confusing HTML entities with URL encoding. They're different. HTML entities encode characters for display in HTML. URL encoding (%20 for space, etc.) encodes characters for use in URLs. The two are not interchangeable. Use the URL Encoder/Decoder for URL-specific work.
Apostrophes in HTML vs XML. &apos; is XML-only — it isn't part of HTML 4 (added in HTML5). For maximum compatibility, use &#39; instead of &apos;.
Related Tools
For URL-specific encoding (percent-encoding for query strings and paths), use the URL Encoder/Decoder. To work with binary data encoded as text, the Base64 Encoder/Decoder is the right tool. For converting Markdown to HTML before encoding entities, see the Markdown to HTML converter.