belun.app Blog

HTML Entity Encoder & Decoder Online — Free & Private

Paste text or HTML into the box, then click Encode to turn special characters like &, <, >, and quotes into HTML entities, or Decode to turn entities back into readable characters. It all runs in your browser — nothing is uploaded.

How it works

  1. 1
    Paste your text or HTML Drop in a snippet of code, a chunk of copy that contains angle brackets or ampersands, or a string of entities you want to read back.
  2. 2
    Click Encode or Decode Encode escapes &, <, >, single and double quotes into named entities. Decode reverses named, decimal (&#38;), and hexadecimal (&#x26;) entities back to characters. Tick the non-ASCII box to also escape accents and emoji.
  3. 3
    Copy the result or swap fields Copy the output straight from the box, or use Swap to move it into the input and chain another round of encoding or decoding.

Your data stays private

All processing happens entirely in your browser. No files, text, or data are ever sent to our servers. You can disconnect from the internet and this tool will still work.

Frequently asked questions

What is an HTML entity?
An HTML entity is a code that represents a character the browser might otherwise treat as markup. For example, a less-than sign is written as &lt; so the browser prints it as text instead of starting a tag. Entities can be named (&amp;), decimal (&#38;), or hexadecimal (&#x26;).
Which characters should I encode?
At minimum, escape the five characters that have special meaning in HTML: & becomes &amp;, < becomes &lt;, > becomes &gt;, double quote becomes &quot;, and single quote becomes &#39;. Escaping the ampersand first matters, and this tool handles that order for you.
Why is encoding important for security?
Rendering untrusted input without escaping it is how cross-site scripting (XSS) happens — a stray <script> tag in a comment field can run in someone else's browser. Encoding & < > and quotes turns that markup into harmless text.
What does the non-ASCII option do?
It converts every character above the basic ASCII range — accented letters, Cyrillic, CJK, emoji — into a hexadecimal numeric entity such as &#x1F600;. That is handy when a system only accepts plain ASCII, like some older email templates.
Is my data private?
Yes. Encoding and decoding happen entirely in your browser with JavaScript. Nothing you type is sent to a server, logged, or stored.
Is it free?
Yes — no signup, no limits, no ads inside the tool, free forever.

From the blog

HTML Entities Explained: When and Why to Escape Characters What HTML entities are, which characters to escape, how encoding stops XSS, and how to encode or decode entities free in your browser. Read the post →

Related tools