
HTML entity encoder/decoder

Encode and decode HTML entities online — named, decimal, or hex — processed locally so nothing you paste ever leaves your browser.

About this tool

HTML entities are escape sequences that represent characters which would otherwise be parsed as markup or can't be typed reliably — &lt; for the less-than sign, &amp; for the ampersand, &nbsp; for a non-breaking space, and numeric forms like &#160; (decimal) or &#xA0; (hex) for any Unicode code point. Encoding converts a raw character to its entity; decoding resolves an entity back to the character. This tool encodes in named, decimal, or hex output and decodes all three forms, including the common named set and astral characters such as emoji.

Use it to safely embed user-generated strings, code samples, or quotes in HTML without breaking the page or opening an XSS hole; to repair text that arrived double-encoded as &amp;amp; from a mis-configured template; to inspect a numeric reference like &#8212; and see it's an em dash; or to translate accented and symbol characters into ASCII-only entities for older email and feed pipelines. Encoding escapes only & < > " ' by default, or every non-ASCII character when you turn on the full scope.

Encoding HTML entities is for safe display, not security — entity-encode untrusted input at the point it's rendered into HTML, and rely on a real sanitizer plus a Content Security Policy to stop XSS.

Frequently asked questions

What is the difference between named, decimal, and hex HTML entities?

They are three notations for the same character. Named entities like &copy; are human-readable but only exist for a fixed set of characters; decimal (&#169;) and hexadecimal (&#xA9;) numeric references work for any Unicode code point, so any character can always be expressed numerically.

Which characters must be encoded as HTML entities?

At minimum the five that are significant to the HTML parser: & (&amp;), < (&lt;), > (&gt;), " (&quot;), and ' (&apos;). Encoding the ampersand first is essential; otherwise the ampersands in entities the encoder has just produced get encoded again. Other characters are optional and only need encoding for ASCII-only transport.

Why does my text show &amp; instead of &?

That is double-encoding: the ampersand was escaped twice, usually because already-encoded HTML was run through an encoder again. Decoding the text in one pass turns &amp;amp; back into &amp;, and a second pass yields the literal & — this tool decodes a single level per run so you can unwind it step by step.
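
The ampersand-ordering rule and the single-level decode described in the answers above, as an added JavaScript example (not this tool's source code). The function names and the small named-entity tables are assumptions made for illustration; the real HTML named set is far larger.

```javascript
// Added example: names and the small entity tables are illustrative, not the tool's source.
const NAMED = new Map([['&', 'amp'], ['<', 'lt'], ['>', 'gt'], ['"', 'quot'], ["'", 'apos']]);
const DECODE_NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'],
  ['apos', "'"], ['nbsp', '\u00A0'], ['copy', '\u00A9']]);

// Chained replaces: order matters. Escaping '&' last re-encodes the '&' of '&lt;'.
const ampLast = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/&/g, '&amp;');
const ampFirst = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// One pass per code point: encoder output is never rescanned, so ordering cannot go wrong.
// format: 'named' | 'decimal' | 'hex'. fullScope also encodes every non-ASCII code point.
function encodeEntities(text, { format = 'named', fullScope = false } = {}) {
  let out = '';
  for (const ch of text) { // for...of walks code points, so an emoji stays one unit
    const cp = ch.codePointAt(0);
    const name = NAMED.get(ch);
    if (!name && !(fullScope && cp > 0x7f)) out += ch;
    else if (name && format === 'named') out += `&${name};`;
    else if (format === 'hex') out += `&#x${cp.toString(16).toUpperCase()};`;
    else out += `&#${cp};`; // decimal, also the fallback for unnamed characters
  }
  return out;
}

// Resolve each entity once; the result is not scanned again, so '&amp;amp;' becomes '&amp;'.
function decodeEntitiesOnce(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    if (body[0] !== '#') return DECODE_NAMED.get(body) ?? match; // unknown name: keep as is
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // Out-of-range and surrogate references are left untouched instead of throwing.
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : match;
  });
}

// Constructed sample input.
const sample = `<a href="x">Tom & 'Jerry'</a>`;
console.log(encodeEntities(sample));
console.log(ampLast('a<b'), ampFirst('a<b'));
console.log(decodeEntitiesOnce('&amp;amp;'), decodeEntitiesOnce(decodeEntitiesOnce('&amp;amp;')));
```

The five-character escape covers HTML text and quoted attribute values; it is not an encoder for script, URL or CSS contexts.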