
Free HTML Entity Encoder — Escape HTML

Encode HTML entities and escape special characters (< > & " ') online — free, no signup, 100% in your browser. Named, decimal, or hex output; never uploaded.


Your text is encoded locally in your browser and never uploaded, logged, or stored. It stays on this device.

Reviewed for entity-encoding spec correctness (named / decimal / hex), XSS-safe escaping of all five special characters in HTML and attribute contexts, the compatibility-safe &#x27; apostrophe convention, no-network/no-storage privacy of the input, and accessibility (labelled controls, live-region announcements on encode and copy). — Go Tools Encoding Team · Jun 17, 2026

What Is HTML Entity Encoding?

HTML entity encoding — also called HTML escaping — is the process of replacing characters that have special meaning in HTML with a safe textual representation called an entity, so the browser displays them as literal text instead of interpreting them as markup. The five characters that matter most are the ones HTML uses to structure a document: the angle brackets < and > that open and close tags, the ampersand & that begins an entity, and the quotation marks " and ' that delimit attribute values. When any of these appears in content that should be shown rather than executed, it must be escaped, or the browser will misread the page — at best your text renders wrong, at worst an attacker slips in a <script> tag.

It helps to be precise about what this tool does. It encodes text into entities; it does not assemble or pretty-print a document. If you want a string of markup to appear on a page as plain text, or you are inserting user-supplied input into your HTML and need to neutralise it, this is the right tool. If instead you want to indent and tidy existing markup, that is the job of the HTML Formatter; and to turn entities back into characters, use the HTML Entity Decoder.

There are three ways to write any entity, and they are interchangeable. A named reference uses a human-friendly label (&lt; for <, &copy; for ©); a decimal numeric reference writes the character's Unicode code point in base 10 (&#60; for <); and a hexadecimal reference writes the same code point in base 16 (&#x3C; for <), matching the U+XXXX notation of the Unicode standard. Named entities read best but exist only for characters that have a defined name; numeric entities can represent any code point, which is why they are the safe fallback. The table below lists the entities you will reach for most often:

| Character | Named | Decimal | Hex |
|-----------|-------|---------|-----|
| < | &lt; | &#60; | &#x3C; |
| > | &gt; | &#62; | &#x3E; |
| & | &amp; | &#38; | &#x26; |
| " | &quot; | &#34; | &#x22; |
| ' | &#x27; (tool default, see note) | &#39; | &#x27; |
| (non-breaking space, U+00A0) | &nbsp; | &#160; | &#xA0; |
| © | &copy; | &#169; | &#xA9; |
| ® | &reg; | &#174; | &#xAE; |
| ™ | &trade; | &#8482; | &#x2122; |
| € | &euro; | &#8364; | &#x20AC; |
| £ | &pound; | &#163; | &#xA3; |
| — | &mdash; | &#8212; | &#x2014; |
| – | &ndash; | &#8211; | &#x2013; |
| … | &hellip; | &#8230; | &#x2026; |
| é | &eacute; | &#233; | &#xE9; |

Note that the apostrophe is written &#x27; (or &#39;) rather than &apos;: the named &apos; was only standardised in HTML5 and XML and is undefined in older HTML4 parsers, so the numeric form — understood everywhere — is the compatible choice. This tool follows the same convention as the widely used he library, which is why the default output for ' is &#x27;.

The distinction between a character set and an entity is worth holding onto, because it explains the "Encode all non-ASCII" option. A charset (like UTF-8) determines how characters are stored as bytes; an entity is a way to write a character using only the plain ASCII characters & # ; and letters or digits. On a modern UTF-8 page, é, —, and 😀 are valid raw characters and need no entity at all — which is why the default mode leaves them alone. You only force them into entities when the text must pass through a system that cannot handle raw UTF-8, in which case every non-ASCII code point is rewritten as an ASCII-safe numeric or named reference. And because all of this runs in your browser, the markup you escape — even a private template or an unpublished draft — never crosses the network. For related conversions, the JSON Escape and Base64 Encode / Decode tools handle escaping for JavaScript strings and binary-safe transport respectively.

// Server-side templates auto-escape, but when you build HTML by hand you must escape yourself.
// The five reserved characters and their safe entities:
//   <  →  &lt;     >  →  &gt;     &  →  &amp;     "  →  &quot;     '  →  &#x27;

// Node.js — escape untrusted input before inserting it into HTML element content.
function escapeHtml(str) {
  return str
    .replace(/&/g, '&amp;')   // & first, so later entities are not double-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;'); // numeric form — safe in HTML4, HTML5 and XML
}

const userInput = `<a href="x">Tom & Jerry's</a>`;
const safe = escapeHtml(userInput);
// → &lt;a href=&quot;x&quot;&gt;Tom &amp; Jerry&#x27;s&lt;/a&gt;
document.getElementById('out').innerHTML = `<p>${safe}</p>`; // renders as literal text

// ---------------------------------------------------------------
// In practice, prefer the platform's built-in escaping where it exists:
//   - React / Vue / Angular escape interpolated text by default
//   - Use textContent instead of innerHTML when you only need text:
//       el.textContent = userInput;  // the browser escapes for you
//   - Server frameworks (Jinja, ERB, Blade) auto-escape unless you opt out

Key Features

Escapes the Five Reserved Characters Correctly

< > & " ' are converted to their safe entities exactly as a hardened XSS-prevention library would — including the compatibility-safe &#x27; for the apostrophe rather than the HTML4-unsafe &apos;. This is the precise set that neutralises untrusted input in HTML element and attribute contexts.

Named, Decimal, and Hex Output

Get the same characters as readable named entities (&lt;, &copy;), decimal numeric references (&#60;), or hexadecimal references (&#x3C;). Pick the form your consuming system expects; all three resolve to identical characters when parsed.

Optional Encode-All-Non-ASCII Mode

By default only the reserved characters are escaped, keeping accents and emoji as readable raw UTF-8. Tick one box to convert every code point above 0x7F into an ASCII-safe entity for legacy charsets or systems that mangle UTF-8.

Live, Instant Encoding

Output updates as you type — no submit button, no round-trip latency. Paste a large block of markup and the escaped result appears immediately, ready to copy.

Entity Quick-Reference Built In

A reference table of the most common entities — the reserved five plus ©, ®, ™, €, the em dash, the non-breaking space and more — sits right on the page in named, decimal, and hex form, so you never have to look up an entity elsewhere.

One-Click Swap to the Decoder

Swap direction jumps straight to the HTML Entity Decoder to reverse the operation. Decoding the encoder's output returns the original text exactly, so you can round-trip text without loss; the other direction reproduces an encoded input byte-for-byte only when its entities already use the encoder's own forms (&#x27; rather than &apos;, for example).

100% Private, Browser-Only

All encoding happens on your device with JavaScript — no network requests, no logging, no storage, verifiable in DevTools → Network. Private markup, email templates, and unpublished drafts never leave the tab.

Available in 15 Languages

The full interface — labels, instructions, and guidance — is localized into 15 languages, so the tool and its escaping advice are clear no matter where your team works.

Worked Examples

Escape an HTML snippet (the default "special characters" mode)

<a href="x">Tom & Jerry's</a>
&lt;a href=&quot;x&quot;&gt;Tom &amp; Jerry&#x27;s&lt;/a&gt;

In the default "special characters" mode the encoder rewrites only the five characters that carry meaning in HTML markup: < becomes &lt;, > becomes &gt;, & becomes &amp;, " becomes &quot;, and ' becomes &#x27;. The apostrophe is emitted as the numeric &#x27; rather than the named &apos; because &apos; is not defined in HTML4 and older parsers can choke on it, while the hex form is universally understood. After encoding, the browser renders the string as literal text — the <a> tag is displayed, not clicked — which is exactly how you safely show markup inside a page.

Non-ASCII characters are preserved in the default mode

Visit our café — it's 😀
Visit our café — it&#x27;s 😀

"Special characters" mode touches only the five reserved HTML characters, so accented letters (café), the em dash (—), and emoji (😀) pass through unchanged. This keeps the output readable and byte-light, which is what you want for UTF-8 pages that already declare <meta charset="utf-8">. Only the apostrophe in "it's" is escaped, to &#x27;. If you need every non-ASCII character converted to an entity for a legacy charset, tick "Encode all non-ASCII" — see the example below.

Decimal numeric entities

<>&"'
&#60;&#62;&#38;&#34;&#39;

Switch the format to Decimal and each special character is written as a decimal numeric character reference: < is &#60;, > is &#62;, & is &#38;, " is &#34;, and ' is &#39;. Decimal entities are the most broadly compatible numeric form — every conforming HTML and XML parser understands them — which makes them a safe pick when you cannot be sure named entities like &copy; are supported by the consuming system.

Hexadecimal numeric entities

<>&"'
&#x3C;&#x3E;&#x26;&#x22;&#x27;

The Hex format writes each character as a hexadecimal numeric reference: < is &#x3C;, > is &#x3E;, & is &#x26;, " is &#x22;, and ' is &#x27;. Hex and decimal are interchangeable — both reference the same Unicode code point — but hex maps one-to-one onto the U+XXXX notation you see in the Unicode standard, so it is the form many developers prefer when documenting or reasoning about specific code points.

Encode all non-ASCII characters

café
caf&eacute;  (named)  ·  caf&#233;  (decimal)  ·  caf&#xE9;  (hex)

Tick "Encode all non-ASCII characters" and every code point above 0x7F is converted to an entity, not just the five reserved ones. The é in café becomes the named &eacute;, the decimal &#233;, or the hex &#xE9; depending on the format you choose — all three reference the same character, U+00E9. This mode is for pages served in a non-Unicode charset, or for systems that mangle raw UTF-8, where forcing everything into 7-bit-safe ASCII entities guarantees the text survives transport intact.

How to Use the HTML Entity Encoder

  1. Paste your HTML or text

     Drop the markup or plain text you want to escape into the input box. The encoded output updates live as you type — there is no submit button and nothing is sent anywhere.

  2. Pick the entity format

     Named is the readable default (&lt;, &amp;, &copy;). Switch to Decimal (&#60;) or Hex (&#x3C;) when a consuming system prefers numeric references or you cannot guarantee named entities are supported.

  3. Optionally encode all non-ASCII

     Leave this off for modern UTF-8 pages so accents and emoji stay as readable raw characters. Tick it only when the text must survive a legacy single-byte charset; it then converts every character above 0x7F to an ASCII-safe entity.

  4. Copy the encoded result

     Click Copy to put the escaped string on your clipboard, ready to paste into a template, a documentation page, or a database field. Clear resets both panes for the next snippet.

  5. Need the reverse? Swap direction

     Use Swap direction to switch to the HTML Entity Decoder when you want to turn entities back into the characters they represent.

Common HTML Encoding Mistakes

Escaped the ampersand last, causing double-escaping

If you replace < and > before &, the entities you just created get their & re-escaped, so &lt; turns into &amp;lt; and the visitor sees the literal text &lt; instead of a < character. Always escape & first, or do all five replacements in a single pass so the output is never re-scanned.

✗ Wrong
replace < and > first, then &  →  &lt;  becomes  &amp;lt;
✓ Correct
escape & first, then the rest  →  &lt;  stays  &lt;

Used &apos; for the apostrophe in legacy contexts

&apos; is undefined in HTML4 and some email clients show it literally. Use the numeric &#x27; or &#39;, which every parser understands, when targeting older or mixed environments.

✗ Wrong
It&apos;s here  →  may render as  It&apos;s here
✓ Correct
It&#x27;s here  →  renders as  It's here

Encoded the data twice

Running already-escaped text through the encoder again double-encodes it: &amp; becomes &amp;amp; and the user sees &amp; instead of &. Escape exactly once, at output time, and store the raw value rather than an escaped one so that nothing upstream has already escaped it.

✗ Wrong
&amp;  encoded again  →  &amp;amp;  shows as  &amp;
✓ Correct
&amp;  left as-is  →  renders as  &

Used HTML escaping for a URL or JavaScript context

HTML entities do not make a value safe inside a URL or an inline script. In the example below the &amp; is correct attribute escaping, but the URL the browser requests still reads /search?q=a&b c: the space is invalid and "b c" becomes a separate parameter. A value inside a URL needs percent-encoding (%26 for &, %20 for a space), and a string inside JavaScript needs JS/JSON escaping. Match the encoding to where the value lands, and apply HTML escaping on top when the result is placed in an attribute.

✗ Wrong
href="/search?q=a&amp;b c"  →  the space still breaks the URL
✓ Correct
href="/search?q=a%26b%20c"  →  URL-encoded, valid

Encoded non-ASCII unnecessarily on a UTF-8 page

Forcing café into caf&eacute; on a modern UTF-8 page bloats the source and hurts readability for no benefit. Leave non-ASCII raw unless a legacy charset genuinely requires entities.

✗ Wrong
caf&eacute; on a UTF-8 page  →  needless, harder to read
✓ Correct
café on a UTF-8 page  →  valid and clean

Forgot to escape quotes inside an attribute value

Inserting an unescaped " into an attribute lets the value break out and inject new attributes — an XSS vector. Always escape " (and ideally ') in attribute context, which this tool does by default, and always quote the attribute value: an unquoted attribute ends at the first whitespace, so escaping quotes alone does not protect it.

✗ Wrong
title="He said "hi""  →  attribute breaks out
✓ Correct
title="He said &quot;hi&quot;"  →  contained
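The following JavaScript is an added example written for this page, not code from the tool or its authors. It reproduces three of the mistakes above in working code (wrong escape order, double encoding, and HTML escaping used where URL encoding was needed) beside the correct versions, and shows the attribute-breakout payload being contained. The helper names escapeHtmlWrongOrder, doubleEscape, renderSearchLink, renderSearchLinkWrong and renderTitle are assumed for illustration.

```javascript
// Added example (not the page's own code): the mistakes above, reproduced
// beside the correct approach. Runs in Node.js or a browser.

const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Correct: one regex pass replaces each reserved character exactly once, so
// the ordering problem cannot arise and the output is never re-scanned.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ENTITY[ch]);
}

// Deliberately wrong: & is handled last, so the & of a freshly made &lt; is
// escaped again and the visitor sees the literal text "&lt;".
function escapeHtmlWrongOrder(str) {
  return String(str).replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/&/g, '&amp;');
}

// Deliberately wrong: escaping at input time and again at output time.
function doubleEscape(str) {
  return escapeHtml(escapeHtml(str));
}

// Correct for a URL inside an attribute: percent-encode the untrusted value so
// it cannot add parameters or break the URL, then HTML-escape the whole URL so
// the & between parameters is valid inside the attribute.
function renderSearchLink(query, label) {
  const url = '/search?q=' + encodeURIComponent(query) + '&page=1';
  return `<a href="${escapeHtml(url)}">${escapeHtml(label)}</a>`;
}

// Deliberately wrong for a URL: HTML escaping alone leaves the space and the
// & in place, so the browser requests /search?q=a&b c with "b c" as a second
// parameter.
function renderSearchLinkWrong(query) {
  return `<a href="/search?q=${escapeHtml(query)}">search</a>`;
}

// Attribute context: the payload's " is escaped, so it stays inside the quoted
// title attribute instead of starting an onmouseover attribute. The value is
// quoted on purpose; an unquoted attribute would end at the first space.
function renderTitle(title) {
  return `<span title="${escapeHtml(title)}">hover</span>`;
}

// Constructed inputs, including an attribute-breakout payload.
console.log(escapeHtmlWrongOrder('<b>'));          // &amp;lt;b&amp;gt;
console.log(escapeHtml('<b>'));                    // &lt;b&gt;
console.log(doubleEscape('Tom & Jerry'));          // Tom &amp;amp; Jerry
console.log(renderSearchLink('a&b c', 'Tom & Jerry'));
console.log(renderSearchLinkWrong('a&b c'));
console.log(renderTitle('" onmouseover="alert(1)'));
```

The single-pass escapeHtml is the shape to prefer over a chain of replace calls: it makes the ampersand-ordering bug impossible rather than merely avoided.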

Who Uses This Tool

Display Code Samples on a Web Page
Writing a tutorial or documentation that needs to show literal HTML? Escape the snippet so <strong>bold</strong> appears as text rather than rendering. Paste the markup, copy the escaped output, and drop it inside a <pre> or <code> block.
Sanitize User Input Against XSS
Before inserting any user-supplied string into your HTML, escape the five reserved characters so a payload like <script>…</script> becomes inert text. This is the foundational defense against cross-site scripting when you build markup by hand.
Store Markup Inside a Database Field or JSON
Need to save an HTML fragment as a plain string without it being interpreted downstream? Encode it first so the angle brackets and ampersands survive storage and re-display intact, then decode on the way back out.
Author Email Templates and CMS Content
Email clients and content management systems are unforgiving about raw special characters. Escape the reserved set — and optionally all non-ASCII — so your template renders consistently across clients that may not share your charset.
Convert Text for a Legacy Charset
Targeting a system that cannot handle raw UTF-8? Turn on "Encode all non-ASCII" to rewrite every accented letter, symbol, and emoji as an ASCII-safe entity, guaranteeing the text survives transport through 7-bit-clean pipelines.
Escape XML and SVG Attribute Values
XML and inline SVG share HTML's reserved characters. Encode quotes and angle brackets so a string with embedded markup slots safely into an attribute value without breaking the document structure. Note that XML (and therefore a standalone SVG file) predefines only five named entities — &lt; &gt; &amp; &quot; &apos; — so for anything else, such as ©, use the decimal or hex output; &copy; is undefined in XML without a DTD, whereas &#169; is always valid.
Look Up an Entity Quickly
Forgot whether the trademark sign is &trade; or &#8482;? Type the character, read its named, decimal, and hex entity off the output, or consult the built-in quick-reference table without leaving the page.

How the Encoder Works

Special-Characters Mode (Default)
By default only the five HTML-reserved characters are escaped — & < > " ' — the same set that XSS-prevention libraries such as he escape for element and attribute contexts. & is replaced first so that entities produced for the other characters are not double-escaped. All other characters, including non-ASCII, pass through unchanged.
The Apostrophe Uses &#x27;
Rather than the named &apos; — which is undefined in HTML4 and unsafe in some legacy parsers — the single quote is emitted as the numeric &#x27; (decimal &#39;), referencing U+0027. This matches the convention of well-tested libraries like he and guarantees the output is safe in HTML4, HTML5, and XML alike.
Named, Decimal, and Hex Encoding
The format selector controls how each escaped character is written: Named uses defined labels where they exist (&lt;, &copy;), Decimal writes the Unicode code point in base 10 (&#60;), and Hex writes it in base 16 (&#x3C;). Numeric forms reference the same code points as the named forms and are interchangeable when parsed.
Encode-All-Non-ASCII Option
When enabled, every character with a code point above 0x7F is converted to an entity in the chosen format — café becomes caf&eacute; (named), caf&#233; (decimal), or caf&#xE9; (hex). Astral characters such as emoji are encoded with their full code point (😀, U+1F600, becomes &#x1F600; in hex or &#128512; in decimal), never as a pair of UTF-16 surrogate references such as &#xD83D;&#xDE00;, which the HTML parser rejects and renders as replacement characters. This produces 7-bit-clean ASCII output for legacy transport.
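As an added example, written for this page and not the encoder's own source, the following JavaScript implements the controls just described: the format selector (named, decimal, hex), the encode-all-non-ASCII switch, and code-point-correct handling of emoji. It also reproduces, under the assumed name encodeAllNaive, the surrogate-splitting bug that a UTF-16-unit loop produces. The named-entity table is a deliberately short assumption rather than the tool's full table, and the page's apostrophe convention (&#x27;, never &apos;) is kept. It runs in Node.js or a browser.

```javascript
// Added example: a small HTML entity encoder with the same controls as the
// tool described on this page. Not the tool's own source.

// Assumed short table of named references (the tool's full table is larger).
// The apostrophe deliberately maps to &#x27;, not &apos;, for HTML4 safety.
const NAMED = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#x27;'],
  ['\u00A0', '&nbsp;'], ['\u00A9', '&copy;'], ['\u00AE', '&reg;'],
  ['\u2122', '&trade;'], ['\u20AC', '&euro;'], ['\u00A3', '&pound;'],
  ['\u2014', '&mdash;'], ['\u2013', '&ndash;'], ['\u2026', '&hellip;'],
  ['\u00E9', '&eacute;'],
]);

const RESERVED = /[&<>"']/; // the five characters escaped in every mode

// Numeric character reference for one code point. Hex is also the fallback
// for a character with no entry in NAMED, matching the &#x27; convention.
function numericRef(codePoint, format) {
  return format === 'decimal'
    ? '&#' + codePoint + ';'
    : '&#x' + codePoint.toString(16).toUpperCase() + ';';
}

// format: 'named' | 'decimal' | 'hex'. encodeAll: also encode every code
// point above 0x7F (the "Encode all non-ASCII" box).
function encodeEntities(text, { format = 'named', encodeAll = false } = {}) {
  let out = '';
  // for...of walks the string by code point, so an emoji such as U+1F600 is
  // seen once as one character rather than as two UTF-16 surrogate units.
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    if (!RESERVED.test(ch) && !(encodeAll && cp > 0x7F)) {
      out += ch; // raw character is fine on a UTF-8 page
    } else if (format === 'named' && NAMED.has(ch)) {
      out += NAMED.get(ch);
    } else {
      out += numericRef(cp, format);
    }
  }
  return out;
}

// The failure mode the encoder above avoids: iterating UTF-16 code units
// splits an astral character into two surrogate references (&#xD83D;&#xDE00;),
// which the HTML parser treats as errors and renders as U+FFFD.
function encodeAllNaive(text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const unit = text.charCodeAt(i);
    out += unit > 0x7F ? '&#x' + unit.toString(16).toUpperCase() + ';' : text[i];
  }
  return out;
}

// Constructed sample inputs mirroring the worked examples on this page.
const samples = [
  [`<a href="x">Tom & Jerry's</a>`, {}],
  ['Visit our caf\u00E9 \u2014 it\'s \u{1F600}', {}],
  ['<>&"\'', { format: 'decimal' }],
  ['caf\u00E9', { format: 'hex', encodeAll: true }],
  ['\u{1F600}', { format: 'named', encodeAll: true }],
];
for (const [text, opts] of samples) console.log(encodeEntities(text, opts));
```

The check worth keeping from this example is the surrogate one: any encoder that offers an encode-all mode must iterate by code point (for...of or codePointAt), because a charCodeAt loop silently emits references the parser cannot decode.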
Charset Versus Entities
A character set defines how text is stored as bytes; an entity is a way to spell a character using only ASCII. On a UTF-8 page non-ASCII characters need no entity, which is why the default leaves them raw. Encoding everything is only necessary when the output must traverse a non-Unicode charset or a UTF-8-hostile system.
Browser-Local, Zero Network
Encoding runs synchronously in JavaScript on the main thread; there is no API call, no round-trip to a server, and no persistence. The input never leaves the page, which you can confirm by watching an empty Network panel while you type.

HTML Escaping Best Practices

Escape at Output, in the Right Context
Encode data at the moment you insert it into HTML, not when you receive it, and match the encoding to the context. HTML entity encoding is for HTML element and attribute content; use URL encoding inside URLs and JavaScript/JSON escaping inside script blocks. Escaping in the wrong context leaves a hole.
Always Escape Untrusted Input
Any string that originates from a user, an upload, or an external API must be escaped before it lands in your markup. This is the core XSS defense: a payload like <script>alert(1)</script> becomes inert text once the angle brackets are entities.
Prefer Built-In Escaping Where It Exists
React, Vue, and most server templating engines escape interpolated text automatically; setting element.textContent escapes for you too. Use this tool for one-off conversions and for understanding the output — but in application code, lean on the framework's auto-escaping rather than hand-rolling it.
Leave Non-ASCII Raw on UTF-8 Pages
If your page declares <meta charset="utf-8">, do not encode accents and emoji into entities — raw UTF-8 is shorter, more readable, and just as correct. Reserve "Encode all non-ASCII" for the genuine legacy-charset cases that actually require it.
Use the Numeric Apostrophe in Mixed Contexts
When output may be consumed by older parsers, XML processors, or email clients, prefer the numeric &#x27; over the named &apos; for the single quote. The numeric form is universally understood; the named form is not, and a stray literal &apos; in rendered text is a common, avoidable bug.

Frequently Asked Questions

Is my text sent to your server when I encode it?
No. Every character is encoded entirely in your browser with JavaScript — open DevTools → Network and you will see zero requests fire when you type or paste. Nothing is uploaded, nothing is logged, nothing is written to disk. That privacy matters because the markup people escape is often sensitive: a snippet from a private CMS, an internal email template, a customer support reply, or a draft blog post you have not published. On a server-side encoder every one of those would travel across the network to a machine you do not control; here the text never leaves the tab. This is the whole reason to escape HTML client-side rather than paste it into a website that could, in principle, keep a copy of everything it processes.
What does it mean to escape HTML, and why would I do it?
Escaping HTML means replacing characters that the browser would otherwise interpret as markup with their entity equivalents, so they are displayed as literal text instead. The classic case is showing code on a page: if you want a visitor to read the string <strong>bold</strong> rather than see the word "bold" rendered in boldface, you escape the angle brackets to &lt;strong&gt;bold&lt;/strong&gt;. The other, more important case is security: when you insert untrusted user input into a page, escaping the five reserved characters (< > & " ') prevents that input from breaking out of its context and injecting a <script> tag — the core defense against cross-site scripting (XSS). Any text that originates from a user and lands in your HTML should be escaped first.
What is the difference between named, decimal, and hex entities?
All three produce the same character; they differ only in how the reference is written. A named entity uses a human-readable label — &lt; for <, &amp; for &, &copy; for © — which is easy to read but only works for characters that have a defined name. A decimal numeric entity writes the Unicode code point in base 10, like &#60; for < or &#233; for é. A hexadecimal entity writes the same code point in base 16, like &#x3C; for < or &#xE9; for é, mirroring the U+XXXX notation in the Unicode standard. Named entities are the most readable and are the right default for the common reserved characters; numeric entities (decimal or hex) can encode any code point, including ones with no name, which makes them the safe choice when you cannot guarantee the consumer supports a particular named entity.
Why is the apostrophe encoded as &#x27; and not &apos;?
Because &apos; is not safe everywhere. The named entity &apos; is predefined in XML and was adopted by HTML5, but it is not defined in HTML4, so a few older parsers and email clients render it as the literal text &apos; instead of an apostrophe. The numeric reference &#x27; (or its decimal twin &#39;) maps to the exact same character, U+0027, and is understood by every conforming HTML and XML parser. Following the behavior of well-tested libraries like he, this tool emits the universally compatible &#x27; for the apostrophe so the output is safe to drop into any HTML, XML, or attribute context without surprises.
Do I need to encode non-ASCII characters like é, — or 😀?
Usually no. If your page declares <meta charset="utf-8"> — which essentially every modern page does — then accented letters, em dashes, and emoji are perfectly valid as raw UTF-8 and need no encoding at all. That is why the default "special characters" mode leaves them untouched, keeping your output short and readable. You only need to encode non-ASCII characters when the text will be served or stored in a legacy single-byte charset, or passed through a system that corrupts raw UTF-8. For those cases tick "Encode all non-ASCII characters" and every code point above 0x7F is converted to an ASCII-safe entity. When in doubt, keep the default and make sure your charset declaration is correct.
Does escaping HTML protect me from XSS attacks?
Escaping is the foundation of XSS defense, but it is context-dependent, so the honest answer is "yes, when applied correctly." Encoding the five reserved characters before you place untrusted input into HTML element content reliably stops an attacker from injecting tags or scripts — a payload like <script>alert(1)</script> becomes inert text. The caveat is that HTML has several contexts, each with its own escaping rules: inside a quoted attribute value you must escape quotes (which this tool does), inside a <script> block you need JavaScript escaping instead, inside an inline event handler you need JavaScript escaping and then HTML attribute escaping on top, and inside a URL you need URL encoding. Use HTML entity encoding for HTML and attribute contexts; for URLs reach for the URL Encoder / Decoder, and for embedding a string in JavaScript or JSON see the JSON Escape tool. Encode at output time, in the context where the data lands.
How do I reverse this — turn entities back into characters?
Use the companion HTML Entity Decoder. It takes a string full of entities like &lt;div&gt; &amp; &copy; and converts it back to the real characters <div> & ©, handling named entities, decimal references, hexadecimal references, and even legacy unterminated entities such as &copy without a trailing semicolon. Encoding and decoding are exact inverses for the reserved characters, so you can round-trip text through both tools without loss. If you are debugging why a page shows literal &lt; instead of <, the decoder is the fastest way to see what the entities actually resolve to.
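As an added example (not the decoder tool's source), here is a single-pass JavaScript decoder for named, decimal and hex references, run against the encoder outputs shown earlier on this page to confirm the round trip. The named table is a short assumption; the unterminated legacy references the real decoder handles are deliberately out of scope here. The function name decodeEntities is assumed.

```javascript
// Added example: a single-pass entity decoder, not the decoder tool's source.
// Runs in Node.js or a browser.

// Assumed short table of named references; the real tool's table is larger.
const NAMED_TO_CHAR = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  nbsp: '\u00A0', copy: '\u00A9', reg: '\u00AE', trade: '\u2122',
  euro: '\u20AC', pound: '\u00A3', mdash: '\u2014', ndash: '\u2013',
  hellip: '\u2026', eacute: '\u00E9',
};

// One terminated reference: &#xHH..; (hex), &#DD..; (decimal) or &name;
const REF = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g;

function decodeEntities(text) {
  // String.prototype.replace makes exactly one pass, so "&amp;amp;" becomes
  // "&amp;" and is not decoded a second time: double-encoded input stays
  // visibly double-encoded, which is the symptom described on this page.
  return String(text).replace(REF, (match, hex, dec, name) => {
    if (name !== undefined) {
      return Object.prototype.hasOwnProperty.call(NAMED_TO_CHAR, name)
        ? NAMED_TO_CHAR[name]
        : match; // unknown name: leave the text as written
    }
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    // Code points HTML cannot represent (NUL, UTF-16 surrogates, anything
    // above U+10FFFF) decode to U+FFFD, as the HTML parser does. The surrogate
    // case is exactly what a UTF-16-unit-based encoder wrongly emits for emoji.
    if (cp === 0 || (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return '\uFFFD';
    return String.fromCodePoint(cp);
  });
}

// Constructed inputs: the encoder outputs from this page's worked examples.
const encodedSamples = [
  '&lt;a href=&quot;x&quot;&gt;Tom &amp; Jerry&#x27;s&lt;/a&gt;',
  '&#60;&#62;&#38;&#34;&#39;',
  'caf&eacute; caf&#233; caf&#xE9;',
  '&#x1F600;',
  '&#xD83D;&#xDE00;',
  '&amp;amp;',
];
for (const s of encodedSamples) console.log(decodeEntities(s));
```

Running the encoder's sample outputs through decodeEntities returns the original inputs, which is the round-trip property the page describes; the surrogate-pair line decodes to two U+FFFD characters, which is how a browser would show the broken encoding.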
Will encoding change the visible text or break my layout?
No — that is the entire point. An entity is just an alternate spelling of a character: when a browser parses &lt; it renders a single < glyph, identical to the raw character. So a correctly escaped page looks exactly the same to a visitor as it would with raw characters; the only difference is that the browser treats the escaped version as text rather than markup. The one thing escaping changes is the length and appearance of the source string, which is why you escape only what needs escaping. If your goal is to clean up and indent messy markup rather than escape it, that is a different job — use the HTML Formatter instead.
