HTML Encoder & Decoder - Escape HTML Entities Online
Encode special characters to HTML entities or decode HTML entities back to text. Prevent XSS vulnerabilities — 100% client-side processing.
Frequently Asked Questions
What is HTML encoding?
HTML encoding (also called HTML escaping) converts special characters like <, >, &, ", and ' into their HTML entity equivalents (&lt;, &gt;, &amp;, &quot;, &#39;). This prevents browsers from interpreting them as HTML markup, ensuring they display as literal text.
How do I use this HTML Encoder tool?
Enter or paste text in the input field. Select Encode mode to convert text to HTML entities, or Decode mode to convert entities back to text. Choose your preferred entity format (Named, Decimal, or Hex) and encoding mode (Minimal for reserved characters only, or Full for non-ASCII characters too). Results appear in real time.
Is my data secure?
Yes. All processing happens 100% in your browser. No data is ever sent to any server. You can verify this by disconnecting from the internet — the tool will continue to work. This makes it safe for encoding sensitive data.
How does HTML encoding prevent XSS attacks?
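XSS attacks inject malicious scripts into web pages. HTML encoding converts characters like < and > into harmless entities (&lt; and &gt;), so the browser displays them as text rather than executing them. For example, <script>alert('XSS')</script> becomes &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;. This protects text placed in element content or quoted attribute values; other contexts, such as inline JavaScript or URLs, need their own encoding.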
What is the difference between Named, Decimal, and Hex entities?
Named entities use descriptive names (&lt;, &amp;, &copy;). Decimal entities use Unicode code points (&#60;, &#38;). Hex entities use hexadecimal code points (&#x3C;, &#x26;). All three formats are valid HTML and render identically. Named entities are more readable; numeric entities can represent any Unicode character.
Code Examples
// HTML Encode (minimal): escapes only the five reserved characters
function encodeHtml(text) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, c => entities[c]);
}

// HTML Decode (browser only: relies on the DOM)
// A <textarea> parses its content as text, so markup in the input is not executed.
function decodeHtml(encoded) {
  const textarea = document.createElement('textarea');
  textarea.innerHTML = encoded;
  return textarea.value;
}

console.log(encodeHtml('<script>alert("XSS")</script>'));
// &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
console.log(decodeHtml('&lt;div&gt;Hello &amp; World&lt;/div&gt;'));
// <div>Hello & World</div>
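
An added example (not the tool's own code) of the Named, Decimal and Hex formats and the Minimal and Full modes described in the FAQ above. The function name, the option names and the small named-entity table are assumptions made for illustration.

```javascript
// Illustrative named-entity table (assumption): only a few names are listed.
// Any character without an entry falls back to a decimal reference.
const NAMED = { '&': 'amp', '<': 'lt', '>': 'gt', '"': 'quot', '\u00A9': 'copy' };
const RESERVED = new Set(['&', '<', '>', '"', "'"]);
const FORMATS = ['named', 'decimal', 'hex'];

function toEntity(ch, format) {
  let cp = ch.codePointAt(0);
  // A lone surrogate is not a valid character reference; emit U+FFFD instead.
  if (cp >= 0xD800 && cp <= 0xDFFF) cp = 0xFFFD;
  if (format === 'named' && NAMED[ch]) return `&${NAMED[ch]};`;
  if (format === 'hex') return `&#x${cp.toString(16).toUpperCase()};`;
  return `&#${cp};`;
}

// mode 'minimal': encode only the five reserved characters.
// mode 'full': also encode every character above U+007F.
function encodeHtmlEntities(text, { format = 'named', mode = 'minimal' } = {}) {
  if (!FORMATS.includes(format)) throw new RangeError(`unknown format: ${format}`);
  if (mode !== 'minimal' && mode !== 'full') throw new RangeError(`unknown mode: ${mode}`);
  let out = '';
  // for...of walks the string by code point, so astral characters
  // (for example emoji) become one reference, not two surrogate halves.
  for (const ch of text) {
    const encode = RESERVED.has(ch) || (mode === 'full' && ch.codePointAt(0) > 0x7F);
    out += encode ? toEntity(ch, format) : ch;
  }
  return out;
}

// Constructed sample input, encoded in each format with Full mode.
const sample = '<p title="\u00A9 2024">caf\u00E9 & bar</p>';
for (const format of FORMATS) {
  console.log(format.padEnd(8), encodeHtmlEntities(sample, { format, mode: 'full' }));
}
```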