Which characters get escaped?

Encoding escapes the HTML-significant characters & " and ', and optionally all non-ASCII characters as numeric entities. Decoding understands named entities and decimal or hexadecimal numeric entities.

Is decoding safe with untrusted HTML?

Yes. Entities are decoded with a parser that never inserts your input into the live page, so pasting untrusted markup cannot run scripts.

Is my content uploaded?

No. All encoding and decoding happens in your browser — nothing is sent to a server.

HTML Entity Encoder & Decoder

Escape and unescape HTML entities — safely, in your browser.

HTML entity encoder & decoder

Escape text for safe placement inside HTML — &, <, >, " and ' become their entity equivalents — or decode named and numeric entities back into plain text. An optional setting also escapes every non-ASCII character as a numeric entity.

Decoding is done without ever injecting your input into the live page, so untrusted markup is handled safely. Everything runs in your browser — nothing is uploaded. Pair it with the URL encoder for query strings.