HTML Encoder / Decoder

Escape `& < > " '` to safe HTML entities, or decode entity-escaped text back to plain. Four encoding levels — Minimal, Named, Numeric, All non-ASCII. UTF-8 + emoji + CJK safe, in your browser.

Built for safe HTML output

Escape user content for templates, decode entity-encoded data — and a few small touches that make it actually fun to use.

Four encoding modes

Minimal escapes only the five HTML-unsafe characters (& < > " ') — the right default for normal user-generated content. Named uses readable HTML5 entities like &copy; / &nbsp; / &hearts; where one exists. Numeric encodes every non-ASCII codepoint as &#NN;. All non-ASCII encodes every codepoint outside printable ASCII for legacy / ASCII-only pipelines.

Decode any entity

The decoder handles named entities (&copy;), decimal numeric (&#169;), and hex numeric (&#xA9;). Surrogate-pair codepoints (emoji, ancient scripts) round-trip correctly via UTF-16.

Live preview

Output updates on every keystroke — no Encode / Decode button to press. Switch direction with one click; the Swap button moves output back to input so you can chain transforms.

UTF-8 + emoji + CJK safe

Every Unicode codepoint round-trips: 中文, العربية, русский, हिंदी, 🎉, Þorgeir. Encoder uses per-codepoint iteration (not charAt) so surrogate pairs stay intact.

Privacy by design

Your text stays on your device. Encoder, decoder, named-entity table all run as JavaScript locally. Open DevTools → Network and verify zero outbound requests.

Tiny + fast

Pure JavaScript, no framework runtime. Cold load is under 25 KB gzipped. A 100 KB HTML document encodes in under 5 ms.

How to encode or decode HTML entities

Four steps from raw text to entity-safe output.

  1. Paste your text

     Drop plain text or HTML into the Input pane. Anything goes — user comments, blog posts, emoji, CJK, RTL scripts. Encoder iterates by codepoint so multi-byte sequences stay intact.

  2. Pick direction + mode

     Set Direction to Encode (text → entities) or Decode (entities → text). For Encode, pick the mode: Minimal for templates, Named for readable entities, Numeric for non-ASCII as &#NN;, All non-ASCII for ASCII-only output.

  3. Watch live preview

     Output updates on every keystroke. Compare modes in real time by changing the dropdown. Use Swap to move output back to input — useful for round-trip verification (encode then decode = original).

  4. Copy or download

     Use the copy icon to push the result to your clipboard, or the download icon to save it as output.encode.html / output.decode.txt. The size diff (chars / bytes in → out) shows exactly how much the encoding inflated or shrank the text.

Built for daily web-dev work

Four common scenarios where a privacy-first browser tool beats pasting code into a random online encoder.

Safely embedding user content into a template

User comments, form responses, search queries: anything coming from outside that ends up inside a <p>, <li>, or a quoted attribute value. Run it through Minimal-mode encode before string-concatenating into your HTML, and you're safe from broken markup and the simplest XSS payloads.

Reading entity-escaped data from an API

Some APIs return strings already entity-escaped (RSS feeds, certain CMS exports, scraped HTML). Paste in, hit Decode, get back the original Unicode. The decoder handles named, decimal, and hex entities including surrogate pairs.

Email subject lines + meta tags

<title>, <meta name="description">, <meta property="og:title"> — all need entity escaping for special characters. Encode your headline once, paste into all three.

Sensitive content that can't go to a third-party service

Internal CMS content, customer data, NDA-protected templates — anything you can't paste into a cloud encoder. The browser-only tool keeps every byte on your laptop. Open DevTools → Network and verify nothing leaves.

100% private — runs in your browser

Your text never leaves your device. Open DevTools → Network and you'll see zero outbound requests during encode or decode.

  • Encoder, decoder, and named-entity lookup table all run as JavaScript on your machine — no server-side conversion, no third-party API.
  • Surrogate-pair codepoints (emoji, ancient scripts) are handled by codepoint iteration, not byte-level mapping — so a paste of 🎉 stays as 🎉 after a round-trip.
  • No login, no telemetry on text content. We only use one cookie for cookie-consent state and one for language preference.

Frequently asked

Which mode should I pick?

Default to Minimal — escape only & < > " ', the five characters that break HTML body / attribute contexts. That's what every modern templating engine does. Use Named entities if you want copyright / nbsp / arrows etc. as readable codes (&copy; instead of &#169;). Use Numeric when sending HTML through pipelines that may not understand named entities. Use All non-ASCII when targeting strict ASCII-only systems (legacy email servers, broken APIs).

Why does this escape `'` as `&#39;` instead of `&apos;`?

&apos; is valid in XML and HTML5, but not in HTML 4.01; older browsers render it as the literal text `&apos;`. The numeric reference &#39; works everywhere. The decoder accepts &apos; as input for compatibility.

Will emoji and CJK characters survive?

Yes. The encoder iterates codepoints (not UTF-16 code units), so emoji like 🎉 (U+1F389) become &#127881; on encode and round-trip correctly through decode. Same for CJK (中文 → &#20013;&#25991; in numeric mode).
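
The codepoint iteration described here, and the named / decimal / hex decoding described under "Decode any entity", can be sketched as follows. This is an added example, not the tool's own source: the function names are hypothetical, the named-entity table is a small constructed subset, and only the Minimal and Numeric modes are implemented.

```javascript
// Added example (hypothetical helpers, not the tool's source code).
const MINIMAL = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Constructed subset of the HTML named-entity table, for illustration only.
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'],
  ['apos', "'"], ['copy', '\u00A9'], ['nbsp', '\u00A0']]);

function encode(text, mode = 'minimal') {
  let out = '';
  // for...of yields whole code points, so a surrogate pair is never split.
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (MINIMAL[ch]) out += MINIMAL[ch];
    else if (mode === 'numeric' && cp > 0x7f) out += `&#${cp};`;
    else out += ch;
  }
  return out;
}

function decode(text) {
  // One pass only: "&amp;lt;" decodes to "&lt;", never on to "<".
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    // Named lookup is case-sensitive; unknown names are left untouched.
    if (body[0] !== '#') return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // NUL, surrogates and out-of-range values are not characters: use U+FFFD.
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\uFFFD';
    return String.fromCodePoint(cp);
  });
}

// Constructed sample input.
const sample = `<a title="it's">中文 🎉 & Þorgeir</a>`;
console.log(encode(sample, 'numeric'));
console.log(decode(encode(sample, 'numeric')) === sample);
```

Decoding in a single pass matters when the output is later inserted into a page: text that was escaped twice comes back escaped once, not as live markup.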

Is it safe to embed user input directly into HTML after encoding?

For HTML body text and quoted attribute values, yes, with Minimal mode. For URL contexts (href="...") you also need URL encoding. For inline JavaScript or CSS, neither HTML nor URL encoding is sufficient; use a proper templating engine that understands those contexts. Never paste unescaped user input into a <script> block.
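
The context rules above, as an added example that is not the tool's own code: Minimal escaping in body text and a quoted attribute, the same escaping failing in an unquoted attribute, and an href that is parsed and checked before it is escaped. The helper names, the scheme allowlist and the base URL are assumptions of this example, and the scheme check goes beyond the URL encoding the answer mentions.

```javascript
// Added example (hypothetical helpers, not the tool's source code).
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);

// Body text and a QUOTED attribute value: the five escapes are enough.
function renderComment(author, text) {
  return `<p title="${escapeHtml(author)}">${escapeHtml(text)}</p>`;
}

// Unquoted attribute (weak): a space ends the value, and a space is not
// one of the five characters, so escaping changes nothing here.
function renderUnquoted(value) {
  return `<input value=${escapeHtml(value)}>`;
}

// Quoted form (corrected): the whole string stays inside the value.
function renderQuoted(value) {
  return `<input value="${escapeHtml(value)}">`;
}

// href: parse and check the scheme, then entity-escape the serialised URL.
// The URL parser trims whitespace and lowercases the scheme, which a
// string-prefix check would miss. Allowlist and base URL are assumptions.
const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:'];
function safeHref(raw, base = 'https://example.invalid/') {
  let url;
  try { url = new URL(raw, base); } catch { return '#'; }
  return ALLOWED_SCHEMES.includes(url.protocol) ? escapeHtml(url.href) : '#';
}

function renderLink(raw, label) {
  return `<a href="${safeHref(raw)}">${escapeHtml(label)}</a>`;
}

// Constructed inputs.
console.log(renderUnquoted('x data-injected=1'));
console.log(renderQuoted('x data-injected=1'));
console.log(renderLink(' JavaScript:void(0)', 'profile'));
```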

Is anything sent to your server?

No. The encoder, decoder, and named-entity lookup table all run in JavaScript on your device. Open DevTools → Network and you'll see zero outbound requests during encode or decode. Paste secrets, customer data, internal templates — nothing leaves your laptop.