Security Tools

HTML Entity Encoder/Decoder

Encode and decode HTML entities for web security testing and content manipulation

beginnerRuns in your browser

Interactive workspace

Inputs stay on your device — nothing is sent to our servers unless you choose to share.

Client-side only
HTML entities
Encoded entities appear here…

Common HTML entities

Click to insert into input

Quick examples

Encode

Decode

About HTML entities

HTML entities represent reserved characters in markup — for example &lt; renders as <. Encoding prevents browsers from interpreting user input as HTML. All processing runs locally in your browser.

Entity encoding is not encryption — never rely on it alone to sanitize untrusted HTML before rendering.

Documentation

How to use this tool, practical use cases, and technical notes.

The HTML Entity Encoder/Decoder has a clean two-panel interface — input on the left, output on the right — with two operating modes and several power-user options. Here is a complete walkthrough of every feature.

Step 1 — Choose Your Mode

The tool opens in Encode mode by default. Select the appropriate mode at the top of the workspace before entering your text:

Mode

What It Does

When to Use

Encode to HTML entities

Converts plain text or raw HTML into HTML entity representations

Sanitizing user input, preparing text for HTML display, crafting encoded payloads

Decode from HTML entities

Converts HTML entity strings back into their original characters

Reversing encoded output, reading obfuscated HTML, debugging double-encoded content

Step 2 — Enter Your Input

Type or paste your content into the left panel (labeled "Plain text / HTML" in Encode mode, or the entity input in Decode mode). The input field accepts:

  • Plain text with special characters

  • Full HTML markup snippets

  • Mixed content (text + markup)

  • Numeric entities (decimal or hex) when in Decode mode

  • Named entities when in Decode mode

Input size: The tool handles content of any practical length. For very large inputs (multi-megabyte HTML files), browser performance may vary — for bulk operations on large files, a server-side script is more appropriate.

Step 3 — Configure Options

Before running the conversion, check the available options:

Option

What It Does

Default

When to Enable

Live mode

Processes input as you type, with no button click needed

Off

Quick single-character lookups; interactive exploration

Encode non-ASCII as numeric entities

Forces all non-ASCII characters (accented letters, symbols, non-Latin scripts) to be encoded as &#DDDD; decimal entities rather than left as UTF-8

Off

When targeting environments that cannot reliably handle UTF-8; legacy system compatibility; maximum encoding coverage for security testing

Step 4 — Run the Conversion

If Live mode is off, click the Encode or Decode button to process your input. The result appears instantly in the right panel.

Step 5 — Use Power Features

Swap: Click the Swap button to flip the input and output — useful when you want to immediately decode something you just encoded, or to iterate on a payload.

Clear: Resets both panels to empty, ready for a new input.

Common HTML entities panel: Eight pre-built entity buttons appear below the main panels. Click any to insert it directly into your input:

Button

Entity

Character

&amp;

Ampersand

&

&lt;

Less than

<

&gt;

Greater than

>

&quot;

Double quote

"

&#39;

Apostrophe

'

&nbsp;

Non-breaking space

(space)

&copy;

Copyright

©

&reg;

Registered

®

Quick examples panel: Six pre-loaded example inputs demonstrate common scenarios:

Example

Mode

Input

What It Demonstrates

HTML tag

Encode

<div class="alert">Hello</div>

Full tag encoding including attributes

Quotes

Encode

Say "hello" & 'goodbye'

Quote and ampersand encoding

Script snippet

Encode

<script>alert("xss")</script>

XSS payload encoding for security testing

Basic entities

Decode

&lt;p&gt;Hello &amp; welcome&lt;/p&gt;

Named entity decoding

Numeric

Decode

&#72;&#101;&#108;&#108;&#111;

Decimal numeric entity decoding (spells "Hello")

Mixed

Decode

&quot;Cyber&quot; &#8212; PentesterWorld

Mixed named and numeric entity decoding

Step 6 — Copy and Use Your Output

Select and copy the output from the right panel, or use your browser's standard copy shortcut. The output can be pasted directly into:

  • HTML templates and source code

  • Security testing tool inputs (Burp Suite Repeater, OWASP ZAP)

  • CMS content editors

  • Markdown or documentation files

  • Bug report write-ups

Understanding Encode Output: What Gets Encoded?

When you run the Encode function, here is exactly what the tool converts:

Character Type

Default Behavior

With "Encode non-ASCII" Enabled

& < > " '

Always encoded to named/numeric entities

Same

ASCII printable characters (letters, digits)

Passed through unchanged

Passed through unchanged

ASCII control characters

Encoded as numeric entities

Encoded as numeric entities

Accented Latin characters (é, ñ, ü)

Passed through as UTF-8

Encoded as &#DDDD; numeric entities

Currency symbols (€, £, ¥)

Passed through as UTF-8

Encoded as numeric entities

Non-Latin scripts (Arabic, Chinese, Cyrillic)

Passed through as UTF-8

Encoded as numeric entities

Emoji

Passed through as UTF-8

Encoded as numeric entities