How to encode and decode HTML entities
Pick Encode to turn raw text into HTML entities, or Decode to turn entities back into characters, and the output updates live. In encode mode the scope control decides how aggressive to be: reserved only escapes just the five characters that have meaning in markup, which is what you want for embedding text safely inside a page; all non-ASCII additionally escapes every character above code point 127, which guarantees the output survives a strict ASCII-only pipeline. The numeric entities toggle chooses between readable named entities and universal numeric ones. The Swap button flips input and output so you can verify a round-trip in one click.
The reserved characters
HTML gives special meaning to a handful of characters, and leaving them raw inside content is what breaks pages. The ampersand & starts an entity, the angle brackets < and > delimit tags, and inside attributes the quote marks " and ' end the attribute value. Escaping turns each into its entity (&amp;, &lt;, &gt;, &quot; and &apos;) so the browser shows the literal character instead of trying to interpret it as markup. Any time you place user-supplied or untrusted text into HTML, these five are the minimum you must escape.
Named vs numeric entities
An entity can be written two ways. A named entity uses a mnemonic, like &copy; for © or &mdash; for —; they read well but only exist for a fixed, historical set of characters. A numeric entity uses the Unicode code point, in decimal (&#169;) or hexadecimal (&#xA9;), and works for every character including emoji and rare symbols. This tool emits numeric entities when you tick the box, which is the safest choice for arbitrary input; for the common reserved five it uses the familiar named forms by default for readability.
Escaping and cross-site scripting
Escaping is not just cosmetic — it is the front-line defence against cross-site scripting (XSS). If an application drops unescaped user input into a page, an attacker can submit <script> tags or event-handler attributes that the browser then executes. Correctly escaping the reserved characters means that input is rendered as inert text rather than live markup. This tool lets you see exactly what the escaped form looks like, which is useful when debugging a template, building a test payload, or confirming that a value is being neutralised the way you expect.
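The encode scopes, the named/numeric choice and the round-trip check described above, as an added example (not this tool's own code; the function and option names are hypothetical, and non-ASCII characters are always emitted numerically here). It covers HTML text and quoted attribute values only; values placed inside script blocks or URLs need the escaping rules of those contexts instead.

```javascript
// Added example. Function and option names are hypothetical, not the tool's own.
const NAMED = new Map([['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'],
                       ['"', '&quot;'], ["'", '&apos;']]);
const BY_NAME = new Map([...NAMED].map(([ch, ent]) => [ent.slice(1, -1), ch]));

const numeric = (ch) => `&#${ch.codePointAt(0)};`;

// scope: 'reserved' escapes the five reserved characters only;
// 'all' also escapes every code point above 127 (always numerically here).
function encodeEntities(text, { scope = 'reserved', numericOnly = false } = {}) {
  let out = '';
  // for...of iterates by code point, so an emoji becomes one entity,
  // not two broken surrogate halves.
  for (const ch of text) {
    if (NAMED.has(ch)) out += numericOnly ? numeric(ch) : NAMED.get(ch);
    else if (scope === 'all' && ch.codePointAt(0) > 127) out += numeric(ch);
    else out += ch;
  }
  return out;
}

function decodeEntities(text) {
  // Single pass: replaced text is never rescanned, so "&amp;lt;" decodes to
  // the literal text "&lt;" and not to "<" (no double decoding).
  const ref = /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z]+));/g;
  return text.replace(ref, (match, dec, hex, name) => {
    if (name !== undefined) return BY_NAME.has(name) ? BY_NAME.get(name) : match;
    const cp = dec !== undefined ? parseInt(dec, 10) : parseInt(hex, 16);
    // Leave NUL, surrogates and out-of-range references untouched.
    if (cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return match;
    return String.fromCodePoint(cp);
  });
}

// Constructed sample input.
const sample = `<script>alert('x')</script> © 😀 & "done"`;
const encoded = encodeEntities(sample, { scope: 'all' });
console.log(encoded);
console.log(decodeEntities(encoded) === sample); // round-trip check
```

Unknown names such as &bogus; are left as written by the decoder, so text that merely looks like an entity is not silently altered.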
Why escape locally
Entity encoding is a pure, deterministic character mapping — the same input always produces the same output — so a real tool is more reliable than asking an AI assistant, which can silently miss a character or mangle a long string. Running it in the browser also means it is instant, works offline, and keeps your text private: log lines, template fragments and payloads you are debugging never leave the page, in line with the gitime.dev default that nothing is uploaded or logged.
- Encode and decode in one tool, with live output.
- Scope control — reserved only or all non-ASCII.
- Named or numeric entity output.
- Swap to verify round-trips instantly.
- Local — exact, instant, nothing uploaded.
Frequently asked questions
- Which characters need HTML escaping?
- The five reserved characters: & < > " and ' — escaping them prevents broken markup and XSS.
- Named or numeric entities?
- Named entities are readable but limited; numeric entities work for every character, including emoji.
- Does it decode entities too?
- Yes — decode mode resolves named and numeric entities back to the original characters.
- Is anything uploaded?
- No. All encoding and decoding run locally in your browser.