HTML Entity Encoder / Decoder
Escape HTML-unsafe characters or decode named and numeric entities. Three encode strengths for the case you actually have. Runs in your browser — your input often contains real user data.
0 characters
0 characters
How to encode or decode HTML entities online
Paste the text or HTML you want to convert. Pick a direction. For encoding, pick a strength:
- Minimal — escapes only
&,<,>,",'. The right default for almost every case. - Named — minimal + upgrades common symbols (©, ™, €, —, “, etc.) to their named entities for readability.
- Numeric — minimal + every non-ASCII character as
&#NNN;. Maximally portable; safe for old or strict parsers.
Why a local HTML encoder matters
Most HTML encoding happens right before output that wraps user input — usernames in profile pages, comments under articles, customer messages in support tools, search queries echoed back, error messages with stack traces. That input is PII. ToolChop runs entirely in your browser, so when you are testing your escape logic on real customer data, that data does not get uploaded.
Why the decoder is safe
The decoder uses DOMParser to parse your input as HTML in a detached document and reads textContent. The document is never attached to the DOM, so any <script> in your input does not execute — you get back only the visible-text equivalent, with every named or numeric entity resolved.
What you can do
- Encode at three strengths (Minimal / Named / Numeric)
- Decode any HTML4/HTML5 named or numeric entity safely
- Swap input ↔ output to round-trip verify
- Handle Unicode characters and surrogate pairs correctly
- Run offline once the page is loaded
Frequently asked questions
How do I encode HTML entities online for free?
Paste your text into the Input box. ToolChop escapes the HTML-unsafe characters (&, <, >, ", ') so the text becomes safe to embed inside HTML markup. Pick Minimal to escape only those five, Named to additionally upgrade chars like © and € to their named entities, or Numeric to escape every non-ASCII char as a numeric &#NNN; entity. No account, no upload, no daily limit.
Does ToolChop send my data to a server?
No. Encoding and decoding run entirely in your browser. Decoding uses DOMParser to resolve named and numeric entities safely without ever executing any HTML or scripts. Your input never leaves your device.
Why is the privacy story for HTML encoding important?
Most HTML encoding happens just before output that contains user input: usernames in profile pages, comments under articles, customer messages in support tools, search queries in result pages. That input is PII. ToolChop runs the encoder entirely in your browser, so when you are testing your escape logic on real customer data, that data does not get uploaded.
What is the difference between Minimal, Named, and Numeric?
Minimal escapes only the five HTML-unsafe characters: & → &, < → <, > → >, " → ", ' → '. Named adds named entities for common symbols (© → ©, ™ → ™, € → €, em-dash → —, etc.). Numeric escapes the minimal set plus every non-ASCII character as a numeric entity (©, €), which is broadly compatible regardless of which HTML version a parser implements.
Why escape the apostrophe as ' instead of '?
' is HTML5 but not HTML4 — ' (numeric) works in every HTML parser including ancient ones. Using the numeric form is the safe default in production output.
What is the difference between HTML encoding and URL encoding?
Different layers. HTML entity encoding escapes characters that would break HTML parsing (&, <, >, ', "). URL encoding (percent-encoding) escapes characters reserved in URLs (?, &, =, /, etc.). A query value going into an <a href> typically needs URL encoding first, then HTML-escape the result. Use our URL Encoder for the URL step.
Does the decoder handle named entities like © and —?
Yes. The decoder uses the browser's DOMParser to resolve any named entity in the HTML4/HTML5 spec — ©, —, ♥, λ, all of them — as well as numeric entities (©, ©). It does this safely: the parsed document is never rendered or executed, only its text content is read.
Is the decoder safe from XSS?
Yes. The decoder parses your input as HTML in a detached document and reads textContent — it never assigns to innerHTML on a live element, and the parsed document is never attached to the DOM. So even if your input contains <script>, that script does not execute. The decoder returns only the visible-text equivalent.
What about Unicode characters that fall outside the BMP?
Numeric encoding uses charCodeAt, which returns UTF-16 code units. Characters outside the Basic Multilingual Plane (emoji, ancient scripts) are represented as a surrogate pair, so they encode to two numeric entities. Modern HTML parsers reassemble surrogate pairs correctly, so the round-trip works.
Can I encode JSON or just text?
You can encode any text. If you are putting a JSON value inside an HTML attribute (e.g. data-config='{"k":"v"}'), you need HTML encoding on top of JSON serialization — and you should escape the JSON's quotes appropriately for the attribute delimiter. Minimal strength handles both attribute delimiters.
Why are some encoders different from others?
There is no single 'correct' HTML encoding — different libraries use different escape sets. Some escape only the strict minimum; others escape every non-ASCII char to numeric form for maximum compatibility. ToolChop lets you pick the strength explicitly so you can match the convention your codebase uses.
Why use ToolChop instead of an online encoder that uploads my data?
Privacy. The strings that pass through an HTML encoder are usually about to be displayed to users, and the input is often real user content — usernames, comments, support replies, error messages with stack traces. Uploading any of that to a third-party encoder is a needless leak. ToolChop runs entirely in your browser.