HTML Entities Encode & Decode Online — Escape & Unescape Text

Q: Does escaping replace server-side sanitisation?

Never treat client utilities as authoritative — always validate on the server with frameworks such as DOMPurify equivalents.

Q: Which entities are decoded?

Numeric decimal/hex forms plus frequently used named entities like nbsp, quot, amp, copy, mdash.

Q: Why escape apostrophes?

Single-quoted attributes terminate early if apostrophes remain literal — ' avoids parser surprises.

Q: Will decode strip legitimate ampersands?

Well-formed entities expand; stray ampersands remain untouched unless part of valid sequences.

Q: Is processing private?

Yes — everything stays inside your browser session.

Q: Does encode mode escape every special HTML character?

Always for &, ; quote switches add " or ' when you paste into attributes. Other characters stay literal unless already written as entities.

Turn raw characters into HTML/XML entities (and back). Essential before interpolating user content into markup or debugging escaped payloads. Options cover quote escaping when you paste strings into attributes.

Encode options

These switches apply to Encode mode only. Decode always expands entities.

Encode double quotes as "

Encode apostrophes as '

Input

Output

All conversions run in your browser. Nothing is uploaded to FastMinify.

Loading…

HTML entities — escape & unescape safely

Injecting raw strings into HTML attributes or JSX templates risks breaking markup or enabling XSS. Escaping &, <, > and optionally quotes neutralises those injections without altering visible text. FastMinify handles encode with granular quote toggles and decode with numeric plus named references.

What happens during encode vs decode

Encode scans your text left-to-right and replaces structural characters with predefined entities such as &, <, and optional "/' pairs. Decode expands decimal {, hexadecimal {, and common named entities back into literal Unicode characters — iterating until nested sequences like &lt; stabilise. Decode ignores your quote switches because entities already encode quoting intent.

Quote escaping switches

Enable double-quote encoding when embedding values inside double-quoted HTML attributes or JSON-ish snippets. Enable apostrophe encoding when wrapping strings inside single-quoted attributes — frequent in legacy PHP templates. Always complement browser-side helpers with strict server sanitisation before persistence.

Examples

Attribute-ready snippet

Original

Johnson "JJ" & Sons <demo>

Escaped

Johnson &quot;JJ&quot; &amp; Sons &lt;demo&gt;

Decode numeric entities

Original

&copy; 2026 &#8212; caf&eacute;

Escaped

© 2026 — café

Keep workflows cohesive

Large markup payloads belong in the HTML minifier. Inline scripts benefit from JavaScript compression, and structured feeds pair nicely with JSON formatting.

HTML entities FAQ

Prevent markup breakage while retaining readability

Does escaping replace server-side sanitisation?

Never treat client utilities as authoritative — always validate on the server with frameworks such as DOMPurify equivalents.

Which entities are decoded?

Numeric decimal/hex forms plus frequently used named entities like nbsp, quot, amp, copy, mdash.

Why escape apostrophes?

Single-quoted attributes terminate early if apostrophes remain literal — ' avoids parser surprises.

Will decode strip legitimate ampersands?

Well-formed entities expand; stray ampersands remain untouched unless part of valid sequences.

Is processing private?

Yes — everything stays inside your browser session.

Does encode mode escape every special HTML character?

Always for &, <, and >; quote switches add " or ' when you paste into attributes. Other characters stay literal unless already written as entities.

Can I paste this output straight into React or JSX?

Treat this as a helper for samples. Frameworks already escape text nodes—follow React/Vue/Svelte guidance instead of relying on manual escapes alone.

How is this different from the URL encoder?

HTML entities make text safe inside markup; percent-encoding prepares strings for URLs. Use URL encode for query strings, then entities for HTML context.

Minification tools

Encode & escape utilities