HTML Entity Encode / Decode

Escape/unescape HTML entities.

Runs locally in your browser by default; no upload.


About

Encode or decode HTML entities (e.g. < > & "). Helpful for safely displaying user input in HTML, debugging templates, and sanitizing snippets for docs. Runs locally in your browser.

Use cases

  • Escape a snippet before pasting it into an HTML page or CMS editor.
  • Decode entities from RSS/HTML sources to read the real text.
  • Prepare safe examples for documentation without executing markup.

Common pitfalls

  • Double-encoding is common (e.g. &amp;amp;). Decode repeatedly until it stabilizes.
  • Correct escaping depends on context; HTML entity encoding is not a universal XSS solution.

Examples

Input

<div>Hello & "world"</div>

Output

&lt;div&gt;Hello &amp; &quot;world&quot;&lt;/div&gt;
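
The pitfalls listed above, as an added example that is not this tool's own code: a one-layer encoder and decoder, a bounded decode-until-stable loop for double-encoded input, and a scheme check showing why an href needs more than entity encoding. The function names, the allowed-scheme list, the example.invalid base URL and the sample strings are assumptions made for illustration.

```javascript
// Added example. Function names and sample strings are constructed for illustration.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);

// Escape the characters that are significant in HTML text and quoted attribute values.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

// Decode exactly one layer: five named entities plus decimal/hex references.
// Anything unknown or out of range is returned unchanged.
function decodeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = /^#x/i.test(body);
    const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Peel off repeated encoding layers, with a pass limit so the work stays bounded.
// The result is raw text: encode it once again before placing it in HTML.
function decodeUntilStable(text, maxPasses = 5) {
  let current = String(text);
  for (let passes = 0; passes < maxPasses; passes++) {
    const next = decodeHtml(current);
    if (next === current) return { text: current, passes, stable: true };
    current = next;
  }
  return { text: current, passes: maxPasses, stable: decodeHtml(current) === current };
}

// href context: entity encoding leaves the URL scheme intact, so check the scheme
// against an allow-list first, then encode the value for the attribute.
function safeHref(url, allowed = ['http:', 'https:', 'mailto:']) {
  let parsed;
  try {
    parsed = new URL(url, 'https://example.invalid/'); // assumed base for relative URLs
  } catch {
    return null;
  }
  return allowed.includes(parsed.protocol) ? encodeHtml(url) : null;
}

console.log(encodeHtml('<div>Hello & "world"</div>'));
console.log(decodeUntilStable('&amp;amp;lt;b&amp;amp;gt;'));
console.log(encodeHtml('javascript:void(0)'), safeHref('javascript:void(0)'));
```

The decoder covers only the five named entities and numeric references; the full HTML named-entity table is out of scope here.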

FAQ

Why encode entities?

To safely render text that may contain <, >, &, quotes, etc. Encoding reduces the risk of HTML injection when displaying user input.

Does this execute HTML?

No. It only transforms strings.

Is entity-encoding enough to prevent XSS?

It helps for HTML text contexts, but XSS prevention depends on context. Always escape correctly for attributes/URLs/JS contexts too.

Why do I still see &amp; in my output?

Your input might be double-encoded. Decode once to remove the extra layer.

Limitations

  • Entity encoding helps prevent injection in HTML contexts, but XSS prevention still requires correct escaping per context (HTML, attributes, JS, URLs).
