
HTML Encoder / Decoder

Runs in browser

Encode special characters into HTML entities and decode HTML entities back to plain text.

Last updated 08 Apr 2026

Paste text or HTML to encode special characters (&, <, >, ", ') into safe HTML entities, or decode HTML entities back to readable text. Handles named entities (&amp;), decimal (&#60;), and hex (&#x3C;) formats. Runs in your browser — nothing is uploaded.


How to use

  1. Choose encode or decode

     Select Encode to convert text to HTML entities, or Decode to convert HTML entities back to readable text.

  2. Paste your content

     Paste the HTML, text, or encoded content into the input box.

  3. Copy the result

     The encoded or decoded text appears instantly. Click Copy to send it to your clipboard.

Frequently asked questions

Why encode HTML characters?
HTML has five characters with special meaning: &, <, >, ", and '. If these appear in content you inject into HTML without encoding, browsers may interpret them as markup, causing rendering errors or XSS security vulnerabilities.
What characters are encoded?
Five characters: & → &amp;, < → &lt;, > → &gt;, " → &quot;, ' → &#39;. These are the only characters that must be escaped for safe HTML injection.
What HTML entity formats can be decoded?
Named entities (&amp;, &lt;, &gt;, etc.), decimal numeric references (&#60; for <), and hexadecimal numeric references (&#x3C; for <). All three formats are supported.
Is this safe to use for preventing XSS?
This tool encodes the standard five HTML-special characters, which is the correct escaping strategy for injecting untrusted text into HTML element content. For JavaScript contexts or attribute values, different escaping rules apply — always use a trusted server-side library for production security.
Is my text uploaded anywhere?
No. All encoding and decoding happens in your browser using JavaScript. Your text never leaves your device.

The Kordu HTML Encoder/Decoder converts between plain text and HTML entity notation in both directions. **Encoding** replaces characters that have special meaning in HTML — ampersands, angle brackets, and quotes — with their safe entity equivalents. This prevents XSS vulnerabilities when injecting user content into HTML, and ensures correct display of characters that would otherwise be interpreted as markup.

**Decoding** converts HTML entities back to their original characters. The decoder handles all three entity formats: named entities like &amp;, decimal numeric references like &#60;, and hexadecimal references like &#x3C;.

Five characters are encoded: `&` → `&amp;`, `<` → `&lt;`, `>` → `&gt;`, `"` → `&quot;`, `'` → `&#39;`. This is the minimal safe set for HTML encoding.

Common uses: sanitising user input before HTML injection, debugging HTML source code, safely displaying code snippets in blog posts, and converting encoded content from APIs or feeds.

All processing runs client-side in your browser. Your text is never uploaded, stored, or transmitted to any server.
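The encode and decode behaviour described above, written out as an added example (this is not Kordu's own code). The function names, the small named-entity table, and the choice to leave invalid references undecoded are assumptions of this sketch. It shows why both directions must be a single pass: chained replacements would double-encode `&` or double-decode `&amp;lt;` back into markup.

```javascript
// Added example, not the tool's source. Names and tables are assumptions.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Small subset of named entities, enough for the demonstration.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

function encodeHtml(text) {
  // One pass over the input: the "&" emitted for "<" is never re-encoded.
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

function decodeHtml(text) {
  // One pass: "&amp;lt;" becomes "&lt;", not "<". Decoding twice would
  // turn text that was escaped on purpose back into live markup.
  const ref = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;
  return String(text).replace(ref, (match, body) => {
    if (body[0] !== '#') {
      // Named entity: unknown names are left exactly as written.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // NUL, surrogates and out-of-range values are left undecoded here.
    const valid = code > 0 && code <= 0x10FFFF && !(code >= 0xD800 && code <= 0xDFFF);
    return valid ? String.fromCodePoint(code) : match;
  });
}

// Constructed sample input containing all five special characters.
const sample = '<p title="Tom & Jerry\'s">1 > 0</p>';
const encoded = encodeHtml(sample);
console.log(encoded);
console.log(decodeHtml(encoded) === sample);      // round trip
console.log(decodeHtml('&#60; &#x3C; &lt;'));     // all three formats
console.log(decodeHtml('&amp;lt;b&amp;gt;'));     // one level only
```

The output of `encodeHtml` is meant for HTML element content; as the FAQ notes, JavaScript contexts and attribute values need their own escaping rules.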
