`, it contains the literal eight-character string `<div>`. Different contexts, different encoders."}},{"@type":"Question","name":"Why are some characters like emoji or Asian text encoded as a pair of numbers?","acceptedAnswer":{"@type":"Answer","text":"Because **emoji and many Asian characters live above the basic Unicode plane**, they use two **UTF-16 code units** internally in JavaScript. When the tool encodes them as numeric references, it correctly emits the full **codepoint** (one number, not two). **Example**: 🎉 encodes as `🎉` (a single codepoint), not two separate references. **Decoding** reverses this perfectly. If you see weird two-number sequences in your input, it means whoever encoded it earlier did NOT handle surrogate pairs correctly, run the input through Decode and the tool will repair it."}},{"@type":"Question","name":"Does this work offline? Is my text uploaded anywhere?","acceptedAnswer":{"@type":"Answer","text":"**Everything runs in your browser.** No server calls, no analytics on the input, no upload. You can open the **Network tab** in DevTools and confirm: zero requests when you type. Safe for **sensitive content**: legal docs, internal templates, customer data. **Works offline** too: once the page is loaded the encoding logic is fully client-side JavaScript, you can disconnect Wi-Fi and keep working. **The entity reference table** (top 30 named entities) is embedded directly in the page bundle."}},{"@type":"Question","name":"Why does my non-breaking space ( ) decode to a regular space?","acceptedAnswer":{"@type":"Answer","text":"**It does not, it decodes to a non-breaking space.** They look identical but they are different characters: regular space is **U+0020**, non-breaking space is **U+00A0**. Copy the decoded output and paste it into a Unicode inspector and you will see U+00A0. **Browsers render them the same way** which is why it looks like a regular space. **Important**: non-breaking spaces in HTML source can break layout calculations, regex `\\s` matches them but `\" \"` (literal space) does not. If you want to **convert them to real spaces** after decoding, run the output through our find and replace tool."}},{"@type":"Question","name":"What is the difference between A and A?","acceptedAnswer":{"@type":"Answer","text":"**Same character, different number bases.** `A` is the **decimal** numeric reference for codepoint 65 (the letter A). `A` is the **hexadecimal** form of the same number (0x41 = 65 in decimal). Both decode to 'A'. **Why both exist**: hex is more compact for high codepoints (`🎉` versus `🎉` for 🎉), and matches the way Unicode codepoints are usually written in documentation (U+1F389). Decimal is older and more readable for ASCII range. **Browsers accept either**, decode is identical. **For encoding**: this tool emits decimal by default, that is the more common convention in real-world HTML."}}]}
HTML Entities Encoder
Encode <, >, & and special chars to HTML entities. Encode and decode both ways.
LiveRuns in your browser
Encodes only the 5 HTML-significant chars: & < > " '. Accented characters stay as-is.
Some characters mean something special to a browser. Type a literal less-than sign in your CMS and the browser thinks a tag is starting. Paste an ampersand into a URL and a different parameter takes over. The fix is HTML entities: short codes like `&lt;` or `&amp;` that show the actual character without confusing the parser.
Everything runs in your browser: nothing leaves the page, no sign-up, no quota. Pinned at the bottom: a reference table of the 30 most-used named entities, click any row to copy it.
How to use it
Pick a direction: Encode (text into entities) or Decode (entities back into text). Toggle bar at the top of the page.
Paste your text on the left. The result appears on the right instantly: no Run button, no delay.
Hit Copy to grab the output. Or Swap to flip the result back through the opposite direction (useful for round-trip testing).
Need a specific entity? Open the reference table at the bottom (the top 30 named entities), click any row to copy that exact entity token.
Decode handles everything: named entities (`&copy;`), decimal numeric (`&#65;`), hex numeric (`&#x41;`). Mixed input works too.
When this is useful
Six situations where this tool saves you from a broken page or a security hole:
Showing code samples on a blog. You want to display `<div class="foo">` as literal text in a tutorial. Without encoding the browser eats the tag and you get an empty box. Encode in Strict mode turns the angle brackets into `<` and `>` so the markup shows as text.
Pasting content from Word or Google Docs into a CMS. The doc has smart quotes (`“ ”`), em dashes (`-`), non-breaking spaces. Some CMSs choke on these. Encode in Named mode swaps them for readable entities like `“` and `—` that every system handles.
Stopping a basic XSS attempt. A user submits `<script>alert("xss")</script>` to your comment form. Display it raw and the script runs in every visitor's browser. Encode in Strict mode turns it into harmless text. Real defense needs more than this, but encoding output is step one.
Cleaning up old HTML emails or scraped pages. You copy text from an old newsletter and it is full of `&eacute;` and `&#8230;` artifacts. Decode turns them back into proper é and …, ready to paste into a fresh document.
Sending email content through legacy systems. Some older mail servers and templating engines strip non-ASCII characters. Encode in Numeric all mode turns é into `&#233;`, which survives the trip and renders correctly in any mail client.
Building an iframe srcdoc attribute. The HTML inside `srcdoc="..."` needs its quotes escaped or the whole thing breaks. Encode in Strict mode is exactly what you need: it touches only the characters the parser cares about, leaves the rest readable.