
What Is HTML Decoding? A Plain-English Guide for Beginners

HTML entities like &amp; and &lt; appear everywhere in web development. Learn what they are, why they exist, and how to decode them back to readable text in seconds.

If you have ever copied text from a webpage and found yourself staring at strings like &amp;, &lt;, or &copy; instead of an ampersand, a less-than sign, or a copyright symbol, you have run into HTML entities. Decoding them means converting those sequences back into the characters they represent.

This guide explains what HTML encoding and decoding are, why developers and content creators encounter them, and how to decode HTML entities quickly using a free online tool.

What Are HTML Entities?

HTML uses angle brackets to define tags. The less-than sign starts a tag and the greater-than sign closes it. If a piece of text contains those same characters, the browser would try to interpret them as HTML tags instead of displaying them as text.

To avoid this, web developers replace special characters with HTML entities. An entity is a short code that starts with an ampersand and ends with a semicolon. The browser reads the entity and displays the intended character.

Here are the most common entities you will encounter:

The ampersand character is written as &amp; in HTML source code. The less-than sign is written as &lt;. The greater-than sign is written as &gt;. The double quote character is written as &quot;. The single quote or apostrophe is written as &apos;. The copyright symbol is written as &copy;. The registered trademark symbol is written as &reg;. Non-breaking spaces are written as &nbsp;.

There are hundreds of named entities in the HTML specification. Anything outside the basic ASCII character set can also be encoded as a numeric entity using a format like &#169; for the copyright symbol or &#xA9; for the same character in hexadecimal.

Why Does HTML Encoding Exist?

HTML encoding prevents two main problems.

The first is broken markup. If a title contains the characters less-than and greater-than around a word, the browser will read that as an HTML tag. The tag may be invalid, which could corrupt the rest of the page layout.

The second is security. If a website lets users type text that gets embedded into a page, an attacker could type raw HTML or JavaScript. When the server encodes that input before inserting it into the page, the browser displays the text as written instead of executing it. This is the primary defence against a class of attacks called cross-site scripting, or XSS.

When Do You Need to Decode HTML?

There are several common situations where you will want to decode HTML entities back to readable text.

When scraping web pages, the raw HTML source contains entities throughout. If you extract text by reading the HTML directly you will often see the encoded versions rather than the readable characters.

When working with APIs, some services return HTML-encoded strings in JSON responses. A blog post title might arrive as The Developer&#8217;s Guide instead of The Developer’s Guide.

When copying text from certain CMS platforms or editors, the exported content sometimes includes entities that were meant for HTML rendering but end up visible in plain text documents.

When building email templates, the HTML source often encodes special characters so they render correctly across all email clients.

How to Decode HTML Entities

The quickest way to decode HTML entities is to use the DevHexLab HTML Decode tool. Here is how it works.

Open the tool at /tools/encoding/html-decode. Paste the HTML-encoded text into the input field on the left. The tool processes the input in real time and shows the decoded plain text in the output panel on the right. Click the Copy button to grab the result.

The tool handles all named entities, decimal numeric entities, and hexadecimal numeric entities. It does not matter whether the input came from a web scrape, a database field, an API response, or a manually typed string.

Common Mistakes When Decoding HTML

One common mistake is overlooking double encoding. If a string has been encoded twice (for example, the ampersand in &lt; was itself encoded, giving &amp;lt;), decoding once gives you &lt; rather than the less-than sign. You would need to decode a second time to get the final character. The DevHexLab tool lets you run the decode operation repeatedly if needed.

Another mistake is confusing HTML encoding with URL encoding. A URL-encoded string uses percent signs and hexadecimal codes, for example %20 for a space. That is a different format and requires a URL decode tool rather than an HTML decode tool.

A third mistake is treating HTML entities as if they are universal. HTML entities are specific to HTML. They do not work in plain text files, in most programming languages, or in SQL databases. Always decode before storing or processing the value in a non-HTML context.

What About Decoding Inside Code?

If you are writing a program and need to decode HTML entities at runtime, most languages have a built-in function or library for it.

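In JavaScript running in a browser, you can create a temporary textarea element, set its innerHTML to the encoded string, and read the value property to get the decoded text. A textarea is used because the browser treats its content as text, so any markup in the string is not turned into live elements the way it would be inside a div. Modern environments also have the DOMParser interface for this purpose.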

In Python, the html module provides an unescape function that converts entities back to characters.

In PHP, the html_entity_decode function handles decoding.

In most .NET languages, the WebUtility.HtmlDecode method in the System.Net namespace does the same job.
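The Python route mentioned above, combined with the double-encoding case from the earlier section, as an added example that is not part of the original article. The function names, the pass limit and the sample strings are assumptions made for illustration.

```python
import html


def decode_layers(text, max_passes=3):
    """Decode entities until the text stops changing or max_passes is reached.

    Returns (decoded_text, passes). A count above 1 means the input was
    encoded more than once somewhere upstream.
    """
    passes = 0
    while passes < max_passes:
        decoded = html.unescape(text)  # named, decimal and hex entities
        if decoded == text:
            break
        text, passes = decoded, passes + 1
    return text, passes


def to_html_paragraph(text):
    """Encode decoded text again before it goes back into an HTML page."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


# Constructed sample inputs, not taken from a real site or API.
SAMPLES = [
    "Tom &amp; Jerry",               # encoded once
    "&#169; &#xA9; &copy;",          # decimal, hex and named forms of one character
    "1 &amp;lt; 2",                  # encoded twice
    "The Developer&#8217;s Guide",   # numeric entity for a curly apostrophe
]

if __name__ == "__main__":
    for raw in SAMPLES:
        decoded, passes = decode_layers(raw)
        print(f"{raw!r} -> {decoded!r} after {passes} pass(es)")
        print("   back in HTML:", to_html_paragraph(decoded))
```

Text that is meant to show the literal sequence &lt; is stored as &amp;lt; and also reports two passes, so treat the count as a signal to check the upstream encoder rather than decoding in a loop by default.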

For quick one-off decoding without writing code, the DevHexLab HTML Decode tool is the fastest option.

HTML Decode vs HTML Encode: What Is the Difference?

Encoding converts readable characters into HTML entities. Decoding does the reverse.

You encode when you are inserting user content or special characters into an HTML page, to make sure the browser displays them correctly and safely.

You decode when you have received a string that was previously encoded and you want the original readable text back.

Frequently Asked Questions

Is HTML decoding safe?

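Yes. Decoding HTML entities simply converts the encoded sequences back to their original characters. It does not execute any code. The result is plain text. If you later insert that text into an HTML page, encode it again first, for the reasons given in the sections on why encoding exists.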

Can HTML encoding prevent all XSS attacks?

HTML encoding is one important part of XSS prevention. It protects against reflected and stored XSS when output is correctly encoded. However, encoding alone is not enough if the output is placed inside a JavaScript block, a CSS rule, or a URL attribute without additional sanitisation. Proper security requires context-aware encoding.
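What context-aware encoding can look like in Python, as an added example that is not from the original article. The scheme allowlist, the function names and the template in render_profile are assumptions for illustration, and the inputs are constructed.

```python
import html
import json
from urllib.parse import urlsplit

# Assumption for this example: only absolute links with these schemes are allowed.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def for_html_text(value):
    """HTML body or quoted-attribute context: entity-encode & < > " '."""
    return html.escape(value, quote=True)


def for_href(url):
    """URL attribute context: validate the scheme, then entity-encode.

    Entity encoding leaves a 'javascript:' URL unchanged, so the scheme
    is checked separately. Rejected or unparsable URLs become '#'.
    """
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:
        return "#"
    if scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def for_js_string(value):
    """<script> block context: emit a JSON string literal, then escape the
    characters that could close the script element or start markup."""
    literal = json.dumps(value)  # quotes, backslashes, control and non-ASCII chars
    for ch in "<>&":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def render_profile(name, website):
    """Hypothetical template that places user data in all three contexts."""
    return (
        f'<a href="{for_href(website)}">{for_html_text(name)}</a>'
        f"<script>var displayName = {for_js_string(name)};</script>"
    )


if __name__ == "__main__":
    print(render_profile("Ann <b>", "https://example.com/?a=1&b=2"))
    print(render_profile("</script>", "javascript:alert(1)"))
```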

What is the difference between &amp; and just an ampersand?

In the HTML source of a page, &amp; is what you write so that the browser displays a literal ampersand character. If you write a bare ampersand in HTML, some browsers will still display it correctly, but it is technically invalid HTML and can cause parsing problems in older or stricter environments.

What tool decodes HTML entities for free?

DevHexLab's HTML Decode tool at /tools/encoding/html-decode decodes all HTML entities instantly in your browser with no account or installation required.

Decode HTML in Seconds

HTML entities are a normal and necessary part of web development, but they can look confusing when you encounter them outside of an HTML file. Now that you know what they are and why they exist, you can recognise encoded strings immediately and decode them with one paste and one click. Open the DevHexLab HTML Decode tool whenever you need to convert &amp; back to & or &lt; back to <.