Encode text to HTML entities or decode entities back to text, UTF-8 safe and client-side.
How to use the HTML Encoder
Paste your text or HTML.
Choose Encode (escape the HTML specials), Encode all (also escape non-ASCII) or Decode.
Copy the result.
An HTML entity encoder and decoder for escaping special characters so they display as text instead of being interpreted as markup. It converts characters like < and & into entities such as &lt; and &amp;, and decodes them back again.
Encoding and decoding are UTF-8 safe and run entirely in your browser, so nothing you paste is uploaded.
Encoding always escapes the five characters that have special meaning in HTML: & < > " and '. That is what stops a stray < from being read as the start of a tag, or text from accidentally breaking out of an attribute.
An Encode all option additionally turns every non-ASCII character into a numeric entity, which is useful for legacy systems, some email pipelines, or anywhere you need to be sure the output is pure ASCII.
Decoding understands all three entity forms: named entities like &amp; and &copy;, decimal entities like &#233;, and hexadecimal entities like &#x20AC;. Sequences it does not recognize are left untouched rather than mangled.
Escaping the HTML specials is the core defense against HTML injection and cross-site scripting (XSS): any untrusted text should be encoded before it is placed into a page, so it renders as harmless characters instead of active markup.
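The three modes described above (Encode, Encode all, Decode), sketched in JavaScript as an added example; this is not the tool's own source. The function names and the small `NAMED` table are assumptions, and a full decoder would need the complete HTML named-entity list.

```javascript
// Added example: hypothetical helper names, not the tool's own source.
const SPECIALS = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Small constructed subset of named entities; a real decoder needs the full HTML table.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", copy: '\u00A9', nbsp: '\u00A0' };

// Escape only the five characters with special meaning in HTML.
function encodeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => SPECIALS[ch]);
}

// Additionally turn every non-ASCII code point into a decimal numeric entity.
// The "u" flag makes the regex match whole code points, so astral characters
// (e.g. emoji) become one entity instead of two surrogate halves.
function encodeAll(text) {
  return encodeHtml(text).replace(/[^\x00-\x7F]/gu, (ch) => `&#${ch.codePointAt(0)};`);
}

// Decode named, decimal and hexadecimal entities in a single pass, so that
// "&amp;lt;" becomes "&lt;" and is not decoded a second time.
// Anything unrecognized or out of range is returned unchanged.
function decodeHtml(text) {
  return text.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g, (match, body) => {
    if (body[0] !== '#') {
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Reject NUL, surrogates and values past U+10FFFF instead of emitting garbage.
    const valid = code > 0 && code <= 0x10ffff && !(code >= 0xd800 && code <= 0xdfff);
    return valid ? String.fromCodePoint(code) : match;
  });
}

// Constructed sample of untrusted input containing all five specials plus non-ASCII text.
const untrusted = `<a href="x" title='y'>Tom & Jerry</a> café €`;
console.log(encodeHtml(untrusted));
console.log(encodeAll(untrusted));
console.log(decodeHtml('&lt;b&gt; &amp;amp; &copy; &#233; &#x20AC; &bogus; &#xD800;'));
```

This escaping is correct for HTML text content and quoted attribute values; other contexts such as inline script or URLs need their own encoding.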
Frequently asked questions
Encode escapes only the five characters that must be escaped in HTML (& < > " '). Encode all additionally turns every non-ASCII character into a numeric entity, useful for legacy systems or email.
Named entities like &amp; and &copy;, decimal entities like &#233;, and hexadecimal entities like &#x20AC;. Unknown sequences are left unchanged.
Encoding the HTML specials is the core defense against injecting markup. Always encode untrusted text before placing it in HTML.
An entity is a code that represents a character, such as &lt; for < or &amp; for &. It lets you show characters that would otherwise be read as markup, or characters not easily typed.
Whenever you put text you do not fully control into a web page: user comments, names, search terms or imported data. Encoding keeps it from being treated as HTML.
No. Encoding and decoding run entirely in your browser, so the text you paste never leaves your device.
Embed this tool
Add this tool to your own website. Copy the snippet below; it stays up to date automatically.
<iframe src="https://monu.tools/embed/en/html-encoder" width="100%" height="640" style="border:1px solid #e5e5e5;border-radius:12px;max-width:680px" loading="lazy" title="Monu Tools"></iframe>
Learn more
Base64 Explained: Why Encoding Is Not Encryption
What Base64 actually does, why it makes data about a third larger, when to use it, and why it protects nothing on its own.
URL Encoding Explained: When and Why to Percent-Encode
Why URLs use %20 and other percent codes, which characters are safe, and when to reach for encodeURIComponent instead of encodeURI.
How to Read a JWT, and Why Decoding Is Not Verifying
A JWT is three Base64url parts anyone can read. Learn how to decode one, what each part means, and why decoding proves nothing.
Hashing vs Encryption: What a Hash Can and Cannot Do
Hashing is one-way and keyless; encryption is two-way and needs a key. Learn the difference, why you cannot decrypt a hash, and when to use each.
How Webhook Signatures Work: HMAC, Shared Secrets, and Timing-Safe Checks
How Stripe and GitHub prove a webhook is genuine using HMAC and a shared secret, and the timing-safe comparison most developers get wrong.
How Passwords Should Be Stored: Salting, bcrypt, and Why Not SHA-256
Why a fast hash like SHA-256 is wrong for passwords, what a salt does, and why bcrypt, scrypt, and Argon2 are the right tools.
Related tools
Encode text to Base64 or decode Base64 back to text. UTF-8 safe with automatic direction detection.
Percent-encode and decode URLs and URL components, UTF-8 safe.
Decode a JSON Web Token to inspect its header and payload, with human-readable expiry and issue times. Runs entirely in your browser; tokens are never uploaded.
Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes of any text, right in your browser.