What characters get encoded?

becomes >, & becomes &, " becomes ", and ' becomes '. These are the five characters that can break HTML rendering or introduce XSS vulnerabilities.

Is this tool safe for sanitizing user input?

For display purposes, yes. For server-side security, always use a server-side library — client-side sanitization can be bypassed by attackers who modify requests.

HTML Encode / Decode

Advertisement728 × 90

Plain text0 chars · 0 B

Encoded HTML

Advertisement728 × 90

About HTML Encode / Decode

Convert raw HTML to safely-escaped entities (< > & ") or decode entities back to their original characters. Essential for displaying code samples in HTML, preventing XSS vulnerabilities, and sanitizing user-generated content before rendering. Handles all named and numeric HTML entities.

All processing happens entirely in your browser using modern web APIs. Nothing is uploaded to our servers — your data stays local and private. Free to use forever.

Common use cases

Displaying HTML source code inside a <pre> or <code> tag without it being parsed
Sanitizing user input before inserting into HTML to prevent XSS attacks
Decoding HTML entities from scraped web content or RSS feeds
Preparing HTML snippets for embedding in emails or markdown documents
Debugging double-encoded HTML from templating engines

How it works

Encoding uses a textarea element's textContent/innerHTML trick to leverage the browser's native HTML entity encoder — the same engine used by the browser itself. Decoding uses the reverse: inserting the encoded string as innerHTML and reading back the textContent. This ensures 100% compatibility with all named and numeric entities.

LearnHTML entities and escaping: &, <, and when you need them

About HTML Encode / Decode

Common use cases

How it works

You might also need