HTML entities represent characters that have special meaning in HTML (like <, >, &) or characters outside the basic ASCII range. Encoding these ensures safe insertion into HTML documents. "Encode all" converts every character to its numeric entity (&#NNN;), useful for obfuscation or testing.
Paste your text and the encoder replaces HTML-significant characters (& < > ' ") with their entity equivalents, plus optionally encodes every non-ASCII character as a numeric entity for maximum compatibility. Choose 'minimal' to escape only the five HTML-significant characters (the safe-to-render set), or 'all non-ASCII' to encode every character above U+007F.
The decoder recognises the five built-in named entities (& < > " ') plus the full HTML5 named-entity list, plus decimal (&) and hexadecimal (&) numeric references. This is the right way to defang user-supplied text before injecting it into HTML, but for full XSS protection use a templating engine that escapes by default.
Named entities are more readable; numeric entities work even when the named entity isn't recognised. For HTML5 either works. For XML, only the five built-in named entities are universally safe — use numeric for everything else.
Encoding the five HTML-significant characters (& < > " ') prevents text from being interpreted as markup, which is the foundation of XSS prevention. But always use a templating engine that escapes by default — relying on a manual pass is risky.
Both represent the apostrophe ('). ' is HTML5 / XML; in HTML4 only ' (numeric) was guaranteed to work. Modern browsers accept both.
Yes — hexadecimal numeric character references with the &#x prefix are decoded correctly. 🎉 decodes to 🎉.
Explore the full suite of ENCODERS tools and 290+ other free utilities at Chunky Munster.