What escaping HTML means
A few characters carry special meaning inside a web page. The browser reads < as the start of a tag, > as its end, and & as the beginning of an entity. When you want those symbols to show up as plain text instead — inside a code tutorial, a blog snippet, or a user comment — you have to escape them: replace each one with its HTML entity so the browser draws the character rather than acting on it.
Encoding turns five key characters into safe entities. Decoding does the reverse, turning entities back into the original characters. This tool does both instantly, right in your browser, and never sends your text to a server.
How to use the tool
- Pick the Encode tab to go from text to entities, or Decode to reverse it.
- Paste your text into the large box.
- The result shows up straight away in the dark card.
- Press Copy to send it to your clipboard.
The counters below report input characters, output characters, and how many entities are involved.
Which characters get escaped, and in what order
Encoding replaces five characters. The subtle part is the order: the & is handled first. If you escaped < before &, the fresh & inside < would be escaped again and you would get the broken double-encoding &lt;.
| Character | Entity | Why it is special |
|---|---|---|
& | & | starts every entity; comes first |
< | < | opens a tag |
> | > | closes a tag |
" | " | wraps attribute values |
' | ' | wraps single-quoted attributes |
For decoding, the tool recognises named entities (such as & or ©), decimal numeric entities (é), and hexadecimal entities (é). Any sequence it does not recognise is left untouched.
Worked example
Start from the fragment <a href="x">A & B</a>.
Encoding swaps each special character for its entity:
<becomes<"becomes"(it appears twice)>becomes>&becomes&- the closing
</a>yields</a>
The full result is:
<a href="x">A & B</a>
Paste that string into the Decode tab and you get back exactly <a href="x">A & B</a>. It is a clean round-trip: encoding and then decoding returns the original text with nothing lost.
Frequently asked questions
Why must & be escaped first?
Because every entity begins with &. If you turned < into < first, that new & would be escaped again on the next pass and you would end up with &lt;. Handling & before the other characters prevents that double-encoding.
What is the difference between ' and ' for the apostrophe?
Both stand for the single quote '. The tool encodes with ' (the numeric form) because ' is not defined in HTML 4 and some older contexts do not recognise it, whereas ' works everywhere. When decoding, though, both forms are accepted.
Does escaping HTML protect against XSS?
Escaping is a core defence against XSS when you drop text into the body of a page, because it stops the browser from running tags like <script>. On its own it is not enough, though: attribute values, URLs, and JavaScript contexts each need their own escaping rules. Treat it as a required step, not a complete guarantee.
Is escaping the same as encryption?
No. Escaping only changes how a handful of characters are written, and it is fully reversible by anyone; it hides nothing. Encryption makes content unreadable without a key. Never use HTML entities to protect sensitive data.
Are accents and emojis preserved?
Yes. Encoding only touches the five special characters, so accented letters, the ñ, and emojis pass through unchanged. Decoding also resolves numeric entities: for example é becomes é, and 😀 turns into its emoji.