What is the difference between named and numeric entities?

Named entities (&) are easier to read but only work when the parser recognizes the name. Numeric entities (&) and hex entities (&) work in any HTML or XML parser, which makes them safer for non-browser contexts like RSS or email.

Should I encode every character?

No. Encoding only what is necessary (angle brackets, ampersand, quotes) keeps the output readable and small. Aggressive encoding of every non-ASCII byte is only useful when the destination is strict ASCII.

Will it handle emoji and non-Latin scripts?

Yes. Emoji, accented letters, and CJK characters all encode correctly to their numeric or hex form. Decoding restores them exactly, including multi-codepoint sequences like flag emoji.

Does encoding protect against XSS?

Encoding user input before injecting it into HTML is the right starting point, but it is not the whole story. Always combine it with a proper templating engine that escapes by default and a content security policy on the page.

Is the text I paste sent anywhere?

No. Encoding and decoding run entirely in your browser. Nothing is uploaded or logged.

HTML Entities Converter — Free Online Tool

Encode special characters as HTML entities or decode entities back to plain text. Toova covers the full named-entity set, supports numeric and hex references, and runs entirely in your browser — useful for sanitizing copy, debugging templates, and exporting content safely.

Named, numeric, and hex entities

HTML has three ways to express the same character: named (&), decimal numeric (&), and hexadecimal (&). Toova encodes to named entities by default because they are more readable, but you can switch to numeric or hex mode if your downstream system requires it. Decoding handles all three forms transparently — paste anything and get back plain text.

Selective encoding

Encoding every character bloats your HTML and hurts readability. By default, Toova only encodes characters that have a special meaning in HTML — the angle brackets, ampersand, and quotes. You can switch to aggressive mode to encode every non-ASCII character, which is useful when emitting content into a strict ASCII-only environment or building a static HTML email.

Local-only

Everything happens in your browser. The input you paste is never sent to any server, and there is no logging of the content. That is the right model when the text contains user-submitted copy, customer feedback, or anything that should stay private. The Network tab in DevTools will show zero outbound requests during encoding.

Frequently Asked Questions

What is the difference between named and numeric entities?: Named entities (&) are easier to read but only work when the parser recognizes the name. Numeric entities (&) and hex entities (&) work in any HTML or XML parser, which makes them safer for non-browser contexts like RSS or email.
Should I encode every character?: No. Encoding only what is necessary (angle brackets, ampersand, quotes) keeps the output readable and small. Aggressive encoding of every non-ASCII byte is only useful when the destination is strict ASCII.
Will it handle emoji and non-Latin scripts?: Yes. Emoji, accented letters, and CJK characters all encode correctly to their numeric or hex form. Decoding restores them exactly, including multi-codepoint sequences like flag emoji.
Does encoding protect against XSS?: Encoding user input before injecting it into HTML is the right starting point, but it is not the whole story. Always combine it with a proper templating engine that escapes by default and a content security policy on the page.
Is the text I paste sent anywhere?: No. Encoding and decoding run entirely in your browser. Nothing is uploaded or logged.

HTML Entity Encoder & Decoder

Named, numeric, and hex entities

Selective encoding

Local-only

Frequently Asked Questions