HTML Encode — Online HTML Entity Encoder

🔒 Runs in your browser — nothing is sent to a server

HTML encode any text, snippet or attribute value into safe HTML entities in a single click. Paste content containing `<`, `>`, `&`, `"` or `'` — the characters a browser would otherwise interpret as markup — and this HTML encoder escapes each one into its entity form (`&lt;`, `&gt;`, `&amp;`, `&quot;`, `&#39;`). The result is ready to embed inside HTML without breaking surrounding structure or opening an XSS hole. Everything runs 100% inside your browser; your input never leaves your device, nothing is uploaded, logged or sent to any server.

Two-pane view: input and output side by side
Copied!

When to use an HTML encoder

You need an HTML encoder every time user-supplied or externally-sourced text flows into an HTML document: rendering a comment, a product name or a search term into a page template; building a snippet in an email newsletter; injecting a JSON value into a `data-` attribute; composing markup inside an RSS `description` field; or hard-coding a code sample that itself contains `<`, `>` and `&`. Running the conversion in a trustworthy, offline-first page is the fastest way to produce a value you are about to paste into production markup — no copy-pasting through a remote service that might log what you paste.

How HTML encoding prevents XSS

Cross-site scripting starts when a browser parses attacker-controlled text as markup. If a username `<img src=x onerror=alert(1)>` reaches the page literally, the tag fires. An HTML encoder breaks that chain by converting each markup-meaningful character to its entity before the text reaches the HTML parser: `<` becomes `&lt;`, attribute-closing `"` becomes `&quot;`, and `&` becomes `&amp;` so the later escapes cannot be double-interpreted. After encoding, the string can only render as text. Encode every value on the way out — even seemingly safe ones — so a field that starts as an integer today cannot become an injection hole tomorrow.

Examples

Input
<div>Hello & welcome</div>
Output
&lt;div&gt;Hello &amp; welcome&lt;/div&gt;
HTML encode tags and body text
Input
<a title="Paul's blog">Read</a>
Output
&lt;a title=&quot;Paul&#39;s blog&quot;&gt;Read&lt;/a&gt;
Encode HTML special characters inside an attribute
Input
<a href="/search?q=cats&sort=new">Cats</a>
Output
&lt;a href=&quot;/search?q=cats&amp;sort=new&quot;&gt;Cats&lt;/a&gt;
Encode ampersand in HTML — safe query string in a link
Input
<!-- html encode example -->
Output
&lt;!-- html encode example --&gt;
HTML escape a comment before embedding

FAQ

How do I HTML encode a string?

Paste the string into the input box above — this tool replaces every `&`, `<`, `>`, `"` and `'` with its matching HTML entity (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;`) and shows the result in the output pane. No upload, no account. Programmatically, the same mapping is what libraries like lodash `escape` or Python `html.escape` produce.

What is HTML encoding (HTML entity encoding)?

HTML encoding, also called HTML entity encoding, rewrites the five characters that the HTML parser treats as markup — `&`, `<`, `>`, `"`, `'` — as numeric or named entities. `<` becomes `&lt;`, `&` becomes `&amp;`, and so on. After encoding, a browser renders the characters literally instead of interpreting them as tags, attribute delimiters or entity starts.

Which HTML special characters need to be encoded?

The five special characters a safe HTML encoder always escapes are `&`, `<`, `>`, `"` and `'`. `&` must be escaped first, otherwise later replacements would create double-encoded entities like `&amp;lt;`. The double quote and apostrophe are only structurally meaningful inside attribute values, but encoding them everywhere is simpler and strictly safer.

How do I encode an ampersand (&) in HTML?

Replace every literal `&` with the entity `&amp;`. This matters whenever an ampersand appears inside text or a URL — a raw `&` followed by letters and a semicolon is parsed as an entity, so `cats&sort=new` inside an `href` would silently corrupt. Paste the value here and the encoder replaces ampersands in one pass, leaving the surrounding markup untouched.

What is the difference between HTML encode and HTML escape?

"HTML encode" and "HTML escape" are two names for the same operation — swapping markup-meaningful characters for HTML entities. Some documentation uses "escape" because the entities prevent the characters from being interpreted, and some uses "encode" because it changes the byte-level representation. The five-character mapping in both cases is identical.

Why is HTML encoding important for security?

Rendering user input without HTML encoding is the textbook cause of cross-site scripting (XSS). If a comment field accepts `<script>alert(1)</script>` and the server prints it raw into the page, the browser runs it. Converting characters to HTML entities before output neutralizes the payload — the browser shows the text instead of executing a tag.

Does this HTML encoder handle UTF-8, diacritics and emoji?

Yes. Only the five markup characters need entity escaping for correctness; letters, digits, diacritics, CJK glyphs and emoji are already valid inside UTF-8 HTML and pass through unchanged. You can optionally numeric-encode every non-ASCII character, but modern HTML documents served as UTF-8 do not need it, and this encoder keeps them readable.

Glossary

HTML entity

An HTML entity is a short token that represents a single character in an HTML document — either a named form like `&amp;`, `&lt;`, `&gt;`, `&quot;` or a numeric form like `&#39;` or `&#x27;`. Entities are how HTML lets you write characters that otherwise carry structural meaning, so a literal `<` shows up as text instead of starting a tag. Converting characters to HTML entities is exactly what an HTML encoder does.

HTML encoder

An HTML encoder is any tool or function that walks a string and replaces every markup-meaningful character with its HTML entity. Canonical HTML encoders swap `&` → `&amp;`, `<` → `&lt;`, `>` → `&gt;`, `"` → `&quot;` and `'` → `&#39;`, in that order so the ampersand pass does not clobber the entities introduced by the later replacements. This page is an HTML encoder that runs fully client-side.

HTML escape

HTML escape is the informal name for HTML encoding — the act of neutralising `&`, `<`, `>`, `"` and `'` so the browser parses them as text. Framework helpers named `escape`, `escapeHtml`, `h()` or `htmlspecialchars` all perform HTML escape. The mapping is identical across languages; differences are limited to whether `'` becomes `&#39;` or `&apos;` (the former is safer for older HTML).

Named vs numeric entities

Named entities like `&amp;` and `&quot;` are readable aliases defined by the HTML spec. Numeric entities like `&#38;` (decimal) or `&#x26;` (hex) address the same Unicode code point directly. Both are equivalent in modern browsers, but numeric entities work for any character, whereas only about 250 named entities exist. An HTML encoder typically emits named entities for the five markup characters and leaves everything else alone.

Cross-site scripting (XSS)

XSS is the class of web vulnerability where attacker-controlled text is rendered into a page without being HTML encoded, letting a `<script>` tag or event-handler attribute execute in other users' browsers. Applying HTML entity encoding to every value before it reaches HTML output is the primary defence: once `<` is `&lt;`, a payload can no longer escape into a new tag.

Related tools

HTML Decode
Convert HTML entities back to plain characters with a free online HTML decoder
URL Encode
Percent-encode text or URLs with a free URL encoder
URL Decode
Decode percent-encoded URL strings with a free URL decoder
Text to Base64
Encode any text to Base64 — fast, free Base64 encoder
Base64 to Text
Decode Base64 to plain text — fast, free Base64 decoder
JSON Beautify
Pretty-print and format minified JSON with proper 2-space indentation in your browser
JSON Minify
Compress and minify JSON by stripping every byte of optional whitespace
JSON to YAML
Convert JSON data to clean, human-readable YAML format