What are HTML Entities?
HTML entities are text-safe representations of characters that have a special meaning in HTML or that cannot easily be typed. A browser reads certain characters — most importantly the angle brackets < and > and the ampersand & — as instructions rather than as content. To show those characters as literal text on the page, they must be replaced with their entity form. An entity always starts with an ampersand and ends with a semicolon, for example &lt; for a less-than sign or &copy; for the copyright symbol.
This tool encodes in both directions. Encoding takes raw text and replaces the special characters with safe entities so the text displays exactly as written. Decoding does the reverse: it takes a string full of entities and turns it back into readable characters, which is useful when you receive escaped content from an API, a database, or a template.
How to Encode and Decode HTML
- Paste your text into the input field — it can be plain text or already-encoded content.
- Choose Encode to convert special characters into HTML entities.
- Choose Decode to convert entities back into their literal characters.
- Review the result, which updates as you work.
- Copy the output and paste it into your HTML file, CMS field, or code snippet.
When and Why to Encode HTML
The most important reason to encode is safety. Whenever user-supplied text is placed inside a web page — a comment, a username, a search term echoed back — it must be encoded first. If it is not, a visitor could enter something containing <script> tags that the browser would then execute. That is the basis of cross-site scripting (XSS), one of the most common web vulnerabilities. Encoding turns any markup the user typed into harmless visible text.
The second common use is documentation. To show a real HTML example on a page — say, to teach readers what a <div> tag looks like — the example itself must be encoded, otherwise the browser renders the tag instead of displaying it. Decoding is the everyday counterpart: when you pull a record from a database or an XML feed and see a string littered with &amp; and &quot;, decoding reveals the original text. A frequent mistake is double-encoding — encoding text that was already encoded — which produces visible &amp;lt; sequences on the page. If you see that, decode once to fix it.
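The encode, decode and double-encoding behaviour described above, written out in JavaScript as an added example (not this tool's own code). The function names, the small named-entity table and the sample comment are constructed for illustration.

```javascript
// Added example; names and the small entity table are illustrative assumptions.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", copy: '\u00A9' };

// Encode the characters that are special in element content and quoted attributes.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Exactly one decode pass: a single regex scan, so the "&" produced by decoding
// "&amp;" is never re-read as the start of another entity.
function decodeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      // Leave NUL, surrogates and out-of-range code points exactly as written.
      if (code === 0 || code > 0x10FFFF || (code >= 0xD800 && code <= 0xDFFF)) return whole;
      return String.fromCodePoint(code);
    }
    // Unknown names are left untouched rather than guessed at.
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : whole;
  });
}

// Heuristic check for double-encoding: "&amp;" followed directly by what looks
// like the rest of an entity (lt;, #39;, amp; ...).
function looksDoubleEncoded(text) {
  return /&amp;(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/i.test(String(text));
}

// Constructed sample: a comment field containing markup and a bare ampersand.
const userComment = '<script>alert("hi")</script> Tom & Jerry';
const safe = encodeHtml(userComment);   // correct single encoding
const twice = encodeHtml(safe);         // the double-encoding mistake

console.log(safe);
console.log(twice);
console.log(looksDoubleEncoded(safe), looksDoubleEncoded(twice));
console.log(decodeHtml(twice) === safe); // one decode pass restores the single-encoded form
```

The double-encoding check is a heuristic: a user who literally typed an entity such as `&lt;` produces `&amp;lt;` after one correct encode, so a match marks text for review rather than proving a bug.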
Frequently Asked Questions
Which characters actually need encoding?
At minimum the four characters with special meaning in HTML: <, >, &, and the quotation marks used in attribute values. Other characters can be encoded for safety but are not strictly required in UTF-8 documents.
What is double-encoding and how do I fix it?
Double-encoding happens when already-encoded text is encoded again, turning the & that starts each entity into &amp;, so that &lt; becomes &amp;lt;. Run a single decode pass on the affected text to return it to the correct single-encoded form.
Does encoding protect me from all XSS attacks?
HTML entity encoding protects text placed in normal page content. Text placed inside attributes, URLs, or JavaScript needs context-specific escaping in addition. Encoding is a key defence but not the only one.
Is my text sent to a server?
No. Encoding and decoding happen entirely in your browser. The text you paste is never transmitted or stored.