HTML Encoder & Decoder
Convert characters like < > & and " into safe HTML entities, or decode entities back to plain text. Runs in your browser.
โ 100% Freeโ No Signupโ No Watermarkโ Unlimited Use
Escape and Unescape HTML Safely
When you want to show code or symbols on a web page, characters like <, >, and & have to be written as HTML entities, or the browser treats them as markup. This free HTML encoder and decoder escapes those characters for you, and decodes entities back to plain text.
Encoding is essential to prevent broken layouts and cross-site scripting when you display user text. Decoding is handy when you copy escaped content and want to read it normally. Both run in your browser, so nothing is uploaded.
How to Use the HTML Encoder / Decoder
- 1Paste your text or HTML into the box.
- 2Click Encode to turn special characters into entities.
- 3Or click Decode to turn entities back into plain characters.
- 4Copy the result, or use it as input to convert again.
Why Use MakeToolz's HTML Encoder / Decoder?
Escapes the key characters
Handles &, <, >, double quotes and single quotes, the ones that break markup.
Both directions
Encode text to entities, or decode entities back, in one tool.
Accurate decoding
Decodes named and numeric entities the way a browser does.
Safer pages
Escaping user text is a core defense against cross-site scripting.
Private
Runs in your browser; nothing you paste is transmitted.
Free
No signup, no limits.
Which Characters Need Escaping and Why
Five characters do the heavy lifting in HTML markup, and those are the ones you escape. The less-than and greater-than signs open and close tags. The ampersand starts every entity. The double and single quotes wrap attribute values. If any of these sit inside your text as raw characters, the browser can read them as structure instead of content, and your page breaks or opens a security hole.
Escaping means swapping each character for a short code the browser prints as the character itself. For example < is written as <, so the browser shows the angle bracket rather than starting a tag. Decoding reverses this: it turns the entity back into the plain character so you can read or edit the text.
Who Uses HTML Escaping and When
Web developers escape user-submitted text before printing it on a page. Comments, usernames, search terms, and form fields all count as untrusted input. Bloggers and documentation writers escape code samples so readers see the tags instead of the browser rendering them. Support teams decode escaped snippets from bug reports to read them normally.
The common thread is displaying content the browser must not execute. Any time text will appear inside HTML and might contain brackets, quotes, or ampersands, escaping is the safe move.
Common Entities at a Glance
| Character | Named entity | Numeric entity | Why it matters |
|---|---|---|---|
| < | < | < | Starts an HTML tag |
| > | > | > | Ends an HTML tag |
| & | & | & | Starts every entity |
| " | " | " | Wraps attribute values |
| ' | ' | ' | Wraps attribute values |
| (space) | |   | Non-breaking space |
How Escaping Blocks Cross-Site Scripting
Cross-site scripting, or XSS, happens when an attacker types markup into a form and the site prints it without escaping. A crafted string that includes a script tag then runs in every visitor's browser. Escaping stops this cold: once the brackets become entities, the browser treats the whole thing as plain text and displays it instead of running it. Escaping output is one of the most reliable defenses a site can apply.
Benefits and Limits
The upside is clear. Escaping keeps your layout intact when text contains brackets, and it neutralizes injected scripts. It is fast and needs no libraries for simple cases.
The limit is scope. HTML escaping protects text placed between tags or inside quoted attributes. It does not protect text placed inside a URL, inside JavaScript, or inside a CSS block, each of which needs its own escaping. For a web address, use a Base64 encoder and decoder or a URL encoder instead, because the codes differ.
Common Mistakes and Tips
The biggest mistake is escaping the ampersand last. Always escape & first, then the brackets and quotes, or you will double-escape and turn < into &lt;. This tool handles the order for you.
A second mistake is escaping content twice. If text is already escaped and you run it through again, the entities themselves get escaped and show up as literal codes on the page. Decode first if you are unsure.
A useful tip: to display a code sample that itself contains entities, escape the whole sample once, then paste it inside a preformatted block. That way readers see the exact source. If you are working with color codes for a design, pair this with a HEX to RGB converter to keep values clean.
People Also Ask
What does & mean in HTML?
It is the escaped form of a single ampersand. Because the ampersand begins every entity, a lone one must be written as & so the browser prints an ampersand instead of trying to read an entity.
Do I need to escape HTML in every case?
Escape any text that could contain brackets, quotes, or ampersands before placing it in a page, especially anything a user typed. Plain words with none of those characters do not change, so escaping them is harmless but not required.
Is HTML encoding the same as encryption?
No. Encoding is a reversible swap anyone can undo, meant for safe display. Encryption scrambles data so only a key can recover it. Encoding hides nothing and adds no secrecy.
Why does my page show < instead of a bracket?
The text was escaped twice. The ampersand in < got escaped again into &lt;, so the browser prints the literal code. Decode it once to fix the display.
Can escaping break my text?
No. Escaping only changes the five special characters into safe codes that render as the original characters. Regular letters, numbers, and spacing stay exactly the same.
What is the difference between named and numeric entities?
Named entities like < use readable words. Numeric entities like < use the character's code number. Both produce the same character; named ones are easier to read, numeric ones cover characters that lack a name.
Should I escape single quotes?
Yes, when text goes inside an attribute wrapped in single quotes. Escaping the single quote as ' stops it from closing the attribute early and keeps the value intact.
Frequently Asked Questions
What is HTML encoding?
Why do I need to escape HTML?
What is the difference from URL encoding?
Is my text private?
Related Free Tools
More Encoders & Converters
Text to Markdown ConverterHEX to RGB ConverterNumber Base ConverterRoman Numeral Converter